From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-3.8 required=3.0 tests=BAYES_00, HEADER_FROM_DIFFERENT_DOMAINS,MAILING_LIST_MULTI,SPF_HELO_NONE,SPF_PASS autolearn=no autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 434C6C2D0E4 for ; Tue, 17 Nov 2020 17:48:48 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id E509421734 for ; Tue, 17 Nov 2020 17:48:47 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1728042AbgKQRs1 (ORCPT ); Tue, 17 Nov 2020 12:48:27 -0500 Received: from albireo.enyo.de ([37.24.231.21]:47592 "EHLO albireo.enyo.de" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1730171AbgKQRs0 (ORCPT ); Tue, 17 Nov 2020 12:48:26 -0500 Received: from [172.17.203.2] (helo=deneb.enyo.de) by albireo.enyo.de with esmtps (TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256) id 1kf55X-0005cw-8T; Tue, 17 Nov 2020 17:48:19 +0000 Received: from fw by deneb.enyo.de with local (Exim 4.92) (envelope-from ) id 1kf55U-0000Uk-2v; Tue, 17 Nov 2020 18:48:16 +0100 From: Florian Weimer To: Peter Collingbourne Cc: Catalin Marinas , Evgenii Stepanov , Kostya Serebryany , Vincenzo Frascino , Dave Martin , Linux ARM , Kevin Brodsky , Andrey Konovalov , Will Deacon , linux-api@vger.kernel.org, libc-alpha@sourceware.org Subject: Re: [PATCH v2] arm64: Introduce prctl(PR_PAC_{SET,GET}_ENABLED_KEYS) References: <20201014055106.25164-1-pcc@google.com> Date: Tue, 17 Nov 2020 18:48:16 +0100 In-Reply-To: <20201014055106.25164-1-pcc@google.com> (Peter Collingbourne's message of "Tue, 13 Oct 2020 22:51:06 -0700") Message-ID: <87blfv6fj3.fsf@mid.deneb.enyo.de> MIME-Version: 1.0 Content-Type: text/plain Precedence: bulk List-ID: X-Mailing-List: linux-api@vger.kernel.org * Peter Collingbourne: > This prctl allows the user program to control which PAC keys are enabled > in a particular task. The main reason why this is useful is to enable a > userspace ABI that uses PAC to sign and authenticate function pointers > and other pointers exposed outside of the function, while still allowing > binaries conforming to the ABI to interoperate with legacy binaries that > do not sign or authenticate pointers. > > The idea is that a dynamic loader or early startup code would issue > this prctl very early after establishing that a process may load legacy > binaries, but before executing any PAC instructions. I thought that the silicon did not support this? What exactly does this switch on and off? The signing itself (so that the bits are zero again), or just the verification? I do not know how easy it will be to adjust the glibc dynamic linker to this because I expect it to use PAC instructions itself. (It is an interesting target, I suppose, so this makes sense to me.) The loader code used for initial process setup and later dlopen is the same. Worst case, we could compile the loader twice. There is also an issue with LD_AUDIT, where we run user-supplied code (which might be PAC-compatible) before loading code that is not. I guess we could disable PAC by default in LD_AUDIT mode (which is unusual, no relation to the kernel audit subsystem). From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-3.8 required=3.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED,DKIM_VALID,HEADER_FROM_DIFFERENT_DOMAINS,MAILING_LIST_MULTI, SPF_HELO_NONE,SPF_PASS,URIBL_BLOCKED autolearn=no autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 54F2BC2D0E4 for ; Tue, 17 Nov 2020 17:49:31 +0000 (UTC) Received: from merlin.infradead.org (merlin.infradead.org [205.233.59.134]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPS id E5C3E21734 for ; Tue, 17 Nov 2020 17:49:30 +0000 (UTC) Authentication-Results: mail.kernel.org; dkim=pass (2048-bit key) header.d=lists.infradead.org header.i=@lists.infradead.org header.b="ndCXb3Ra" DMARC-Filter: OpenDMARC Filter v1.3.2 mail.kernel.org E5C3E21734 Authentication-Results: mail.kernel.org; dmarc=none (p=none dis=none) header.from=deneb.enyo.de Authentication-Results: mail.kernel.org; spf=none smtp.mailfrom=linux-arm-kernel-bounces+linux-arm-kernel=archiver.kernel.org@lists.infradead.org DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=lists.infradead.org; s=merlin.20170209; h=Sender:Content-Transfer-Encoding: Content-Type:Cc:List-Subscribe:List-Help:List-Post:List-Archive: List-Unsubscribe:List-Id:MIME-Version:Message-ID:In-Reply-To:Date:References: Subject:To:From:Reply-To:Content-ID:Content-Description:Resent-Date: Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:List-Owner; bh=68pa/yVI/Pu/+qR7AGplLhLLk+r4XEirdxLa7/Z3sIs=; b=ndCXb3RaiHi0YsV2wO2JSf963 OLV/39gejZj2pNYY2gg4d7f7szg6Ph5SpywhMAOP8K02CDf92U+W/C+LNzaPIgQ9OtSTXk/eQFwT8 5uAUN40//xCnKsnWMOvDFk18M5Qh+1i9AqXtRDAHPyumLlL0GjJGQ/QrzbawcEVMgANQUnLbgTSDr q3n8E63pgj8Pp2iYhApt3vqpvOQd5HvJd17PyRjZdxc0DmVut1innmR1PLyK4UcdwhkIiZ3nBnCw5 rqOr1ZGEcuafpW4sSbBO5nOmCBI/x76x4e6vtaOUsWadDmuIILrpZJS+iCw5VcHeZsi7IP1i2Fu2y vHrm3Gbng==; Received: from localhost ([::1] helo=merlin.infradead.org) by merlin.infradead.org with esmtp (Exim 4.92.3 #3 (Red Hat Linux)) id 1kf55d-0006zK-Oy; Tue, 17 Nov 2020 17:48:25 +0000 Received: from albireo.enyo.de ([37.24.231.21]) by merlin.infradead.org with esmtps (Exim 4.92.3 #3 (Red Hat Linux)) id 1kf55a-0006yd-T2 for linux-arm-kernel@lists.infradead.org; Tue, 17 Nov 2020 17:48:23 +0000 Received: from [172.17.203.2] (helo=deneb.enyo.de) by albireo.enyo.de with esmtps (TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256) id 1kf55X-0005cw-8T; Tue, 17 Nov 2020 17:48:19 +0000 Received: from fw by deneb.enyo.de with local (Exim 4.92) (envelope-from ) id 1kf55U-0000Uk-2v; Tue, 17 Nov 2020 18:48:16 +0100 From: Florian Weimer To: Peter Collingbourne Subject: Re: [PATCH v2] arm64: Introduce prctl(PR_PAC_{SET,GET}_ENABLED_KEYS) References: <20201014055106.25164-1-pcc@google.com> Date: Tue, 17 Nov 2020 18:48:16 +0100 In-Reply-To: <20201014055106.25164-1-pcc@google.com> (Peter Collingbourne's message of "Tue, 13 Oct 2020 22:51:06 -0700") Message-ID: <87blfv6fj3.fsf@mid.deneb.enyo.de> MIME-Version: 1.0 X-CRM114-Version: 20100106-BlameMichelson ( TRE 0.8.0 (BSD) ) MR-646709E3 X-CRM114-CacheID: sfid-20201117_124822_966518_81464E5F X-CRM114-Status: GOOD ( 15.91 ) X-BeenThere: linux-arm-kernel@lists.infradead.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: libc-alpha@sourceware.org, Catalin Marinas , Kevin Brodsky , linux-api@vger.kernel.org, Kostya Serebryany , Evgenii Stepanov , Andrey Konovalov , Vincenzo Frascino , Will Deacon , Dave Martin , Linux ARM Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Sender: "linux-arm-kernel" Errors-To: linux-arm-kernel-bounces+linux-arm-kernel=archiver.kernel.org@lists.infradead.org * Peter Collingbourne: > This prctl allows the user program to control which PAC keys are enabled > in a particular task. The main reason why this is useful is to enable a > userspace ABI that uses PAC to sign and authenticate function pointers > and other pointers exposed outside of the function, while still allowing > binaries conforming to the ABI to interoperate with legacy binaries that > do not sign or authenticate pointers. > > The idea is that a dynamic loader or early startup code would issue > this prctl very early after establishing that a process may load legacy > binaries, but before executing any PAC instructions. I thought that the silicon did not support this? What exactly does this switch on and off? The signing itself (so that the bits are zero again), or just the verification? I do not know how easy it will be to adjust the glibc dynamic linker to this because I expect it to use PAC instructions itself. (It is an interesting target, I suppose, so this makes sense to me.) The loader code used for initial process setup and later dlopen is the same. Worst case, we could compile the loader twice. There is also an issue with LD_AUDIT, where we run user-supplied code (which might be PAC-compatible) before loading code that is not. I guess we could disable PAC by default in LD_AUDIT mode (which is unusual, no relation to the kernel audit subsystem). _______________________________________________ linux-arm-kernel mailing list linux-arm-kernel@lists.infradead.org http://lists.infradead.org/mailman/listinfo/linux-arm-kernel