From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-11.7 required=3.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_ADSP_CUSTOM_MED,DKIM_SIGNED,DKIM_VALID,HEADER_FROM_DIFFERENT_DOMAINS, INCLUDES_PATCH,MAILING_LIST_MULTI,MENTIONS_GIT_HOSTING,SPF_HELO_NONE,SPF_PASS, URIBL_BLOCKED autolearn=ham autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 46A98C433DF for ; Wed, 19 Aug 2020 21:27:32 +0000 (UTC) Received: from merlin.infradead.org (merlin.infradead.org [205.233.59.134]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPS id DA87E2067C for ; Wed, 19 Aug 2020 21:27:31 +0000 (UTC) Authentication-Results: mail.kernel.org; dkim=pass (2048-bit key) header.d=lists.infradead.org header.i=@lists.infradead.org header.b="qRBjb4ER"; dkim=fail reason="signature verification failed" (2048-bit key) header.d=google.com header.i=@google.com header.b="u+QzGlib" DMARC-Filter: OpenDMARC Filter v1.3.2 mail.kernel.org DA87E2067C Authentication-Results: mail.kernel.org; dmarc=fail (p=reject dis=none) header.from=google.com Authentication-Results: mail.kernel.org; spf=none smtp.mailfrom=linux-arm-kernel-bounces+linux-arm-kernel=archiver.kernel.org@lists.infradead.org DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=lists.infradead.org; s=merlin.20170209; h=Sender:Content-Transfer-Encoding: Content-Type:Cc:List-Subscribe:List-Help:List-Post:List-Archive: List-Unsubscribe:List-Id:To:Subject:Message-ID:Date:From:In-Reply-To: References:MIME-Version:Reply-To:Content-ID:Content-Description:Resent-Date: Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:List-Owner; bh=AeAXGvcBegbUG01XUG/JqYuzEeu2HtIKqghG31pxMEU=; b=qRBjb4ERFAnKk6nX+xJ6zIaI8 68G4bA63t0iPQQFejTxSwuGEbFpRbYq6ER2EzdOSzKxWbumH0jAyrLIp9GjzW6jRMidQmH9eOGVAT fpj5qn4R001OBFJCJ+6+/jYY2sVpeN2Q3TIdtZlfkKXSIhOlzOOzyryvFTPtyvnYAIfvFivyVzRTe S/62f7i1LU8xQx2ronzhYYhBCW3jCgQYrbQ5A8U2j23EUcz2n3jDPyWWrA8Poi/Jzj2y+YtjWJFvl BrA032EK3r3+7ZhqtQyIdv/3YZDL2ujz/YQozRZbs7tU1HGu/cS6cHaAupwPsk68/flsQjr1u31Fn n7s9pvgAw==; Received: from localhost ([::1] helo=merlin.infradead.org) by merlin.infradead.org with esmtp (Exim 4.92.3 #3 (Red Hat Linux)) id 1k8Vb0-0001ja-JV; Wed, 19 Aug 2020 21:26:10 +0000 Received: from mail-il1-x143.google.com ([2607:f8b0:4864:20::143]) by merlin.infradead.org with esmtps (Exim 4.92.3 #3 (Red Hat Linux)) id 1k8Vav-0001gx-6d for linux-arm-kernel@lists.infradead.org; Wed, 19 Aug 2020 21:26:08 +0000 Received: by mail-il1-x143.google.com with SMTP id c6so21921722ilo.13 for ; Wed, 19 Aug 2020 14:26:03 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=zajZyj9qidZBJ7IlumQxRJAx+WQ9XZTmzM6cDID6xfo=; b=u+QzGlibZSSRxm1z1ZKr1iUE04ucMeeiEOz1uURpYrgv7H9GGOzd919XQgrfAXbBzx 0/baqMMPoUvf3XRiO3x+vbVzPi5SV8oBZWelAwdxCJdsbY1yJOUKawFWQHWXgz7+leg4 dYqjjDNlzziXNjij3e/8mm3m2ahP15r3IyhbzOuUHcC5QajT1CBScsx0TlfI58Y/dde7 fLgxsQ8d8o4y1Rft9obdqGp2wWVHO90jMRYY++vIvcJS0/Z+4WgWUQ3PXuMtE7LIpQPo pJAhSY/qAr57ZGlTxz5QWqfDBYkYdwjkaYsHa6WCkjN16U04rgZDiO/Ij1eu/ln9ZeLM +oMQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=zajZyj9qidZBJ7IlumQxRJAx+WQ9XZTmzM6cDID6xfo=; b=Pff2tkb0c1Cdai9JRj3D0On+jiBX5lIBkouUSDADYSbgcwCNRb4XvcEKkdR5xXla91 QO6dzcru3wlgld69XRowusc2Y7KVQ1mVtlaeCUjHTECPzQu+NLSecAVYWqw0IhGSQFhA ySVPwU0qUs/FCqgn8QdzK5V0g98+2BOrfcwEH5YJtll815xjTXH7WGkdXT8Y1yo6fgrA R4ZRIEcUAMnQBG+D0dyeKjBayQVnuebJDKoQSMZKWDXwSHjaSvRhpbQ3AkeiPQUGXYUj Lgj2i7SGGlHPn+6+hLJAmIEzIv9KlgSegHBoJh/ExfPTBtKn7A6uiYedzT4+PyjM71wy JOyw== X-Gm-Message-State: AOAM5325d01m/vVl+Cikjtn8zJiezZgWhUhLgAu6gw8iRAQXqWDXhqv5 N2Mhv7nWS+YE+R6HLsJiqpALfietJqhg4fUIEU2a1w== X-Google-Smtp-Source: ABdhPJwvxg1t2TOME8j/+T9rQyRhMEjauk4LeU/MO1irq6QN2I+b1SYNFEXk9mgCAU7/B+AKj5HXB4tgeNFv/qLoJkU= X-Received: by 2002:a05:6e02:ef2:: with SMTP id j18mr36247ilk.2.1597872361483; Wed, 19 Aug 2020 14:26:01 -0700 (PDT) MIME-Version: 1.0 References: <20200801011152.39838-1-pcc@google.com> <20200819101809.GD6642@arm.com> In-Reply-To: <20200819101809.GD6642@arm.com> From: Peter Collingbourne Date: Wed, 19 Aug 2020 14:25:45 -0700 Message-ID: Subject: Re: [PATCH] arm64: add prctl(PR_PAC_SET_ENABLED_KEYS) To: Dave Martin X-CRM114-Version: 20100106-BlameMichelson ( TRE 0.8.0 (BSD) ) MR-646709E3 X-CRM114-CacheID: sfid-20200819_172605_363032_2E7FEFAE X-CRM114-Status: GOOD ( 52.92 ) X-BeenThere: linux-arm-kernel@lists.infradead.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: Andrey Konovalov , Kevin Brodsky , Kostya Serebryany , Linux ARM , Catalin Marinas , Vincenzo Frascino , Will Deacon , Evgenii Stepanov Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Sender: "linux-arm-kernel" Errors-To: linux-arm-kernel-bounces+linux-arm-kernel=archiver.kernel.org@lists.infradead.org On Wed, Aug 19, 2020 at 3:18 AM Dave Martin wrote: > > On Fri, Jul 31, 2020 at 06:11:52PM -0700, Peter Collingbourne wrote: > > This prctl allows the user program to control which PAC keys are enabled > > in a particular task. The main reason why this is useful is to enable a > > userspace ABI that uses PAC to sign and authenticate function pointers > > and other pointers exposed outside of the function, while still allowing > > binaries conforming to the ABI to interoperate with legacy binaries that > > do not sign or authenticate pointers. > > > > The idea is that a dynamic loader or early startup code would issue > > this prctl very early after establishing that a process may load legacy > > binaries, but before executing any PAC instructions. > > Apologies for the slow response on this, I'd had it on my list for a > while... > > > --- > > .../arm64/pointer-authentication.rst | 27 +++++++++++++++ > > arch/arm64/include/asm/asm_pointer_auth.h | 19 +++++++++++ > > arch/arm64/include/asm/pointer_auth.h | 10 ++++-- > > arch/arm64/include/asm/processor.h | 5 +++ > > arch/arm64/kernel/asm-offsets.c | 1 + > > arch/arm64/kernel/pointer_auth.c | 34 +++++++++++++++++++ > > include/uapi/linux/prctl.h | 3 ++ > > kernel/sys.c | 8 +++++ > > 8 files changed, 105 insertions(+), 2 deletions(-) > > > > diff --git a/Documentation/arm64/pointer-authentication.rst b/Documentation/arm64/pointer-authentication.rst > > index 30b2ab06526b..1f7e064deeb3 100644 > > --- a/Documentation/arm64/pointer-authentication.rst > > +++ b/Documentation/arm64/pointer-authentication.rst > > @@ -107,3 +107,30 @@ filter out the Pointer Authentication system key registers from > > KVM_GET/SET_REG_* ioctls and mask those features from cpufeature ID > > register. Any attempt to use the Pointer Authentication instructions will > > result in an UNDEFINED exception being injected into the guest. > > + > > + > > +Enabling and disabling keys > > +--------------------------- > > + > > +The prctl PR_PAC_SET_ENABLED_KEYS allows the user program to control which > > +PAC keys are enabled in a particular task. It takes two arguments, the > > +first being a bitmask of PR_PAC_APIAKEY, PR_PAC_APIBKEY, PR_PAC_APDAKEY > > +and PR_PAC_APDBKEY specifying which keys shall be affected by this prctl, > > +and the second being a bitmask of the same bits specifying whether the key > > +should be enabled or disabled. For example:: > > + > > + prctl(PR_PAC_SET_ENABLED_KEYS, > > + PR_PAC_APIAKEY | PR_PAC_APIBKEY | PR_PAC_APDAKEY | PR_PAC_APDBKEY, > > + PR_PAC_APIBKEY, 0, 0); > > + > > +disables all keys except the IB key. > > + > > +The main reason why this is useful is to enable a userspace ABI that uses PAC > > +instructions to sign and authenticate function pointers and other pointers > > +exposed outside of the function, while still allowing binaries conforming to > > +the ABI to interoperate with legacy binaries that do not sign or authenticate > > +pointers. > > What actually breaks without this? > > Since the keys are all enabled by default, the only purpose of this > prctl seems to be to disable keys. I'm not sure what this is giving us. Yes, the purpose is to disable keys. Let's consider the function pointer signing userspace ABI use case. An example is Apple's arm64e ABI, and I have a prototype branch of LLVM [0] that implements a similar ABI in Linux userspace, based on Apple's implementation of their ABI. Here's an example of a function that returns a function pointer, and a function that calls a function pointer of the same type: static void f(void) {} void *return_fp(void) { return f; } void call_fp(void (*p)(void)) { p(); } If I compile this with my prototype compiler I get: $ clang --target=aarch64-android -fptrauth-calls fptr.c -S -o - -O3 -march=armv8.3a [...] return_fp: // @return_fp // %bb.0: // %entry adrp x16, f add x16, x16, :lo12:f mov x17, #16277 pacia x16, x17 mov x0, x16 ret [...] call_fp: // @call_fp // %bb.0: // %entry mov w1, #16277 braa x0, x1 [...] In this code snippet the function pointer is signed with the IA key and discriminator 16277 before being returned. When the function is called, the pointer is first authenticated with the same key and discriminator. Now imagine that this code lives in a shared library used both by programs that use the function pointer signing ABI and by legacy binaries (i.e. programs that use the existing ABI), and we have a legacy binary that calls return_fp. If the legacy binary then calls the function pointer returned by return_fp, that code will not authenticate the pointer before calling it, it will just use a br or blr instruction to call it directly, which will lead to a crash if the signature bits are set in the function pointer. In order to prevent the crash, we need a way to cause the pacia instruction in return_fp to become a no-op when running inside the process hosting the legacy binary, so that the signature bits will remain clear and the br or blr instruction in the legacy binary will successfully call the function f. That can be done by disabling the IA key, which is exactly what this prctl() lets us do. > > > + > > +The idea is that a dynamic loader or early startup code would issue this > > +prctl very early after establishing that a process may load legacy binaries, > > +but before executing any PAC instructions. > > diff --git a/arch/arm64/include/asm/asm_pointer_auth.h b/arch/arm64/include/asm/asm_pointer_auth.h > > index 52dead2a8640..d121fa5fed5f 100644 > > --- a/arch/arm64/include/asm/asm_pointer_auth.h > > +++ b/arch/arm64/include/asm/asm_pointer_auth.h > > @@ -31,6 +31,14 @@ alternative_else_nop_endif > > ldp \tmp2, \tmp3, [\tmp1, #PTRAUTH_USER_KEY_APDB] > > msr_s SYS_APDBKEYLO_EL1, \tmp2 > > msr_s SYS_APDBKEYHI_EL1, \tmp3 > > + > > + ldr \tmp2, [\tsk, #THREAD_SCTLR_ENXX_MASK] > > + cbz \tmp2, .Laddr_auth_skip_\@ > > I wonder whether it would make sense to simple store the thread's base > SCTLR value (containing the ENxx bits), rather than storing the ENxx > bits separately. There may be reasons outside this snippet why this > isn't such a good idea though -- I haven't gone digging so far. As far as I know (as I learned [1] from the MTE patch series), it can be expensive to access SCTLR_EL1, therefore I arrange to only access SCTLR_EL1 in the hopefully-uncommon case where a process has disabled keys. Detecting the "process has disabled keys" case is quite simple if we only store the disabled keys mask here, not so much if we store the full value of SCTLR_EL1. > > + > > + mrs_s \tmp3, SYS_SCTLR_EL1 > > + bic \tmp3, \tmp3, \tmp2 > > + msr_s SYS_SCTLR_EL1, \tmp3 > > + > > .Laddr_auth_skip_\@: > > alternative_if ARM64_HAS_GENERIC_AUTH > > ldp \tmp2, \tmp3, [\tmp1, #PTRAUTH_USER_KEY_APGA] > > @@ -45,6 +53,17 @@ alternative_else_nop_endif > > ldp \tmp2, \tmp3, [\tmp1, #PTRAUTH_KERNEL_KEY_APIA] > > msr_s SYS_APIAKEYLO_EL1, \tmp2 > > msr_s SYS_APIAKEYHI_EL1, \tmp3 > > + > > + ldr \tmp2, [\tsk, #THREAD_SCTLR_ENXX_MASK] > > + cbz \tmp2, .Lset_sctlr_skip_\@ > > + > > + mrs_s \tmp1, SYS_SCTLR_EL1 > > + mov \tmp2, #(SCTLR_ELx_ENIA | SCTLR_ELx_ENIB | SCTLR_ELx_ENDA) > > (Nit: harmless but unnecessary (). # is not an operator as such, just > random syntax. Whatever follows is greedily parsed as an immediate > expression.) Okay. While looking around in the kernel I noticed that there is a mov_q macro that can be used to avoid manually splitting the constant into 16-bit chunks, and apparently it doesn't require a #. I'll use it in v2. > > + movk \tmp2, #SCTLR_ELx_ENDB > > Why do we check THREAD_SCTLR_ENXX_MASK, and then proceed to set all the > ENxx bits unconditionally? I may be missing something here. This code is to support the case where we are returning to the kernel from a userspace task with keys disabled. The kernel needs at least the IA key enabled in order for its own use of reverse-edge PAC to work correctly. When returning from a userspace task with no keys disabled, the keys enabled bits already have the correct values, so there is nothing to be done (and as mentioned above, I avoid touching SCTLR_EL1 unless necessary because it is apparently expensive to do so). But in a process with keys disabled, we will need to re-enable at least IA. We may be able to get away with just enabling IA here, but that would break the invariant that all keys are enabled inside the kernel, which is relied on by the code that decides whether to access SCTLR_EL1 in order to disable keys when entering a userspace task. > > + orr \tmp1, \tmp1, \tmp2 > > + msr_s SYS_SCTLR_EL1, \tmp1 > > + > > +.Lset_sctlr_skip_\@: > > .endm > > > > .macro ptrauth_keys_install_kernel_nosync tsk, tmp1, tmp2, tmp3 > > diff --git a/arch/arm64/include/asm/pointer_auth.h b/arch/arm64/include/asm/pointer_auth.h > > index c6b4f0603024..d4c375454a36 100644 > > --- a/arch/arm64/include/asm/pointer_auth.h > > +++ b/arch/arm64/include/asm/pointer_auth.h > > @@ -70,14 +70,19 @@ static __always_inline void ptrauth_keys_switch_kernel(struct ptrauth_keys_kerne > > } > > > > extern int ptrauth_prctl_reset_keys(struct task_struct *tsk, unsigned long arg); > > +extern int ptrauth_prctl_set_enabled_keys(struct task_struct *tsk, > > + unsigned long keys, > > + unsigned long enabled); > > > > static inline unsigned long ptrauth_strip_insn_pac(unsigned long ptr) > > { > > return ptrauth_clear_pac(ptr); > > } > > > > -#define ptrauth_thread_init_user(tsk) \ > > - ptrauth_keys_init_user(&(tsk)->thread.keys_user) > > +#define ptrauth_thread_init_user(tsk) do { \ > > + ptrauth_keys_init_user(&(tsk)->thread.keys_user); \ > > + (tsk)->thread.sctlr_enxx_mask = 0; \ > > + } while (0) > > #define ptrauth_thread_init_kernel(tsk) \ > > ptrauth_keys_init_kernel(&(tsk)->thread.keys_kernel) > > #define ptrauth_thread_switch_kernel(tsk) \ > > @@ -85,6 +90,7 @@ static inline unsigned long ptrauth_strip_insn_pac(unsigned long ptr) > > > > #else /* CONFIG_ARM64_PTR_AUTH */ > > #define ptrauth_prctl_reset_keys(tsk, arg) (-EINVAL) > > +#define ptrauth_prctl_set_enabled_keys(tsk, keys, enabled) (-EINVAL) > > #define ptrauth_strip_insn_pac(lr) (lr) > > #define ptrauth_thread_init_user(tsk) > > #define ptrauth_thread_init_kernel(tsk) > > diff --git a/arch/arm64/include/asm/processor.h b/arch/arm64/include/asm/processor.h > > index 240fe5e5b720..6974d227b01f 100644 > > --- a/arch/arm64/include/asm/processor.h > > +++ b/arch/arm64/include/asm/processor.h > > @@ -150,6 +150,7 @@ struct thread_struct { > > #ifdef CONFIG_ARM64_PTR_AUTH > > struct ptrauth_keys_user keys_user; > > struct ptrauth_keys_kernel keys_kernel; > > + u64 sctlr_enxx_mask; > > #endif > > }; > > > > @@ -313,6 +314,10 @@ extern void __init minsigstksz_setup(void); > > /* PR_PAC_RESET_KEYS prctl */ > > #define PAC_RESET_KEYS(tsk, arg) ptrauth_prctl_reset_keys(tsk, arg) > > > > +/* PR_PAC_SET_ENABLED_KEYS prctl */ > > +#define PAC_SET_ENABLED_KEYS(tsk, keys, enabled) \ > > + ptrauth_prctl_set_enabled_keys(tsk, keys, enabled) > > + > > #ifdef CONFIG_ARM64_TAGGED_ADDR_ABI > > /* PR_{SET,GET}_TAGGED_ADDR_CTRL prctl */ > > long set_tagged_addr_ctrl(unsigned long arg); > > diff --git a/arch/arm64/kernel/asm-offsets.c b/arch/arm64/kernel/asm-offsets.c > > index 0577e2142284..dac80e16fe35 100644 > > --- a/arch/arm64/kernel/asm-offsets.c > > +++ b/arch/arm64/kernel/asm-offsets.c > > @@ -47,6 +47,7 @@ int main(void) > > #ifdef CONFIG_ARM64_PTR_AUTH > > DEFINE(THREAD_KEYS_USER, offsetof(struct task_struct, thread.keys_user)); > > DEFINE(THREAD_KEYS_KERNEL, offsetof(struct task_struct, thread.keys_kernel)); > > + DEFINE(THREAD_SCTLR_ENXX_MASK,offsetof(struct task_struct, thread.sctlr_enxx_mask)); > > #endif > > BLANK(); > > DEFINE(S_X0, offsetof(struct pt_regs, regs[0])); > > diff --git a/arch/arm64/kernel/pointer_auth.c b/arch/arm64/kernel/pointer_auth.c > > index 1e77736a4f66..8c385b7f324a 100644 > > --- a/arch/arm64/kernel/pointer_auth.c > > +++ b/arch/arm64/kernel/pointer_auth.c > > @@ -42,3 +42,37 @@ int ptrauth_prctl_reset_keys(struct task_struct *tsk, unsigned long arg) > > > > return 0; > > } > > + > > +static u64 arg_to_enxx_mask(unsigned long arg) > > +{ > > + u64 sctlr_enxx_mask = 0; > > + if (arg & PR_PAC_APIAKEY) > > + sctlr_enxx_mask |= SCTLR_ELx_ENIA; > > + if (arg & PR_PAC_APIBKEY) > > + sctlr_enxx_mask |= SCTLR_ELx_ENIB; > > + if (arg & PR_PAC_APDAKEY) > > + sctlr_enxx_mask |= SCTLR_ELx_ENDA; > > + if (arg & PR_PAC_APDBKEY) > > + sctlr_enxx_mask |= SCTLR_ELx_ENDB; > > + return sctlr_enxx_mask; > > +} > > + > > +int ptrauth_prctl_set_enabled_keys(struct task_struct *tsk, unsigned long keys, > > + unsigned long enabled) > > +{ > > + u64 sctlr_enxx_mask = tsk->thread.sctlr_enxx_mask; > > + unsigned long addr_key_mask = PR_PAC_APIAKEY | PR_PAC_APIBKEY | > > + PR_PAC_APDAKEY | PR_PAC_APDBKEY; > > + > > + if (!system_supports_address_auth()) > > + return -EINVAL; > > + > > + if ((keys & ~addr_key_mask) || (enabled & ~keys)) > > + return -EINVAL; > > Should we take the types of authentication supported? > > I don't recall whether we expose ptrauth to userspace if only > instruction authentication or only data authentication is supported. If > so, should we reject attempts to configure unsupported keys here? > > We should probably try to do a consistent thing both here and in > PR_PAC_RESET_KEYS if so. As far as I know, there is nothing in the architecture that would allow it to only advertise support for I keys or only advertise support for D keys. The fields AA64ISAR1_EL1.AP[AI] apply to all four keys: DA, DB, IA and IB. Maybe you are thinking of the GA key versus the other keys (which is advertised separately via AA64ISAR1_EL1.GP[AI])? The architecture appears to provide no way to disable the GA key, so I did not include support for it here. > > + > > + sctlr_enxx_mask |= arg_to_enxx_mask(keys); > > + sctlr_enxx_mask &= ~arg_to_enxx_mask(enabled); > > + > > + tsk->thread.sctlr_enxx_mask = sctlr_enxx_mask; > > + return 0; > > Do we need a way to query the enabled keys? > > We could either have a _GET_ prctl (the common approach), or have this > prctl return the mask of enabled keys (avoids the extra prctl, but > weirder). > > As above, we might > > Things like CRIU may need a GET in order to save/restore this setting > properly. Maybe it makes sense for there to be a GET prctl() to support CRIU. But it would need to be defined carefully because CRIU would presumably need to know what value to pass as the "keys" argument when it calls SET to restore the state. It can't just hardcode a value because that may harm extensibility if new keys are added. If we require the kernel to start processes with all keys enabled (including any keys that we may introduce in the future), then it seems like if CRIU knows which keys were disabled, then it can restore the state by issuing a syscall like this: prctl(PR_PAC_SET_ENABLED_KEYS, disabled_keys_mask, 0) which would imply that instead of providing PR_PAC_GET_ENABLED_KEYS we instead provide PR_PAC_GET_DISABLED_KEYS, which CRIU would call when saving the state to prepare the disabled_keys_mask argument passed here. Then for consistency we can make the SET prctl() be PR_PAC_SET_DISABLED_KEYS, and CRIU can then do: prctl(PR_PAC_SET_DISABLED_KEYS, disabled_keys_mask, disabled_keys_mask) Does that make sense? Peter [0] https://github.com/pcc/llvm-project/tree/apple-pac [1] https://github.com/pcc/linux/commit/b9fff3622f84eb4d939afcd77ea3c36f4e7f9bb0#diff-418b65fb9fc512fbbfae1a66a37bdaf0R92 _______________________________________________ linux-arm-kernel mailing list linux-arm-kernel@lists.infradead.org http://lists.infradead.org/mailman/listinfo/linux-arm-kernel