From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-10.0 required=3.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_ADSP_CUSTOM_MED,DKIM_SIGNED,DKIM_VALID,HEADER_FROM_DIFFERENT_DOMAINS, INCLUDES_PATCH,MAILING_LIST_MULTI,SIGNED_OFF_BY,SPF_HELO_NONE,SPF_PASS, URIBL_BLOCKED autolearn=ham autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 172ABC433DF for ; Sat, 1 Aug 2020 01:15:03 +0000 (UTC) Received: from merlin.infradead.org (merlin.infradead.org [205.233.59.134]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPS id C55B32087C for ; Sat, 1 Aug 2020 01:15:02 +0000 (UTC) Authentication-Results: mail.kernel.org; dkim=pass (2048-bit key) header.d=lists.infradead.org header.i=@lists.infradead.org header.b="B11lsJrH"; dkim=fail reason="signature verification failed" (2048-bit key) header.d=google.com header.i=@google.com header.b="nWRuP15P" DMARC-Filter: OpenDMARC Filter v1.3.2 mail.kernel.org C55B32087C Authentication-Results: mail.kernel.org; dmarc=fail (p=reject dis=none) header.from=google.com Authentication-Results: mail.kernel.org; spf=none smtp.mailfrom=linux-arm-kernel-bounces+linux-arm-kernel=archiver.kernel.org@lists.infradead.org DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=lists.infradead.org; s=merlin.20170209; h=Sender:Content-Transfer-Encoding: Content-Type:Cc:List-Subscribe:List-Help:List-Post:List-Archive: List-Unsubscribe:List-Id:To:Subject:Message-ID:Date:From:In-Reply-To: References:MIME-Version:Reply-To:Content-ID:Content-Description:Resent-Date: Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:List-Owner; bh=Ei5g8zdo6GT1xnRbnQq1HvoW1JytwVPaE55oH0Od3H0=; b=B11lsJrHWaFWmrGQVGCCbYBTY T4cbi/ifWZsgIfOQWfyl9fKDg5KFk+5U0l0g7err1JPxk8ZzGimva3VFR82DQYc+uFzTPK/7EZU5h nlTrvfoUU81zThv7v20xMny0hgxHeT8xU+6wjKOCSEkzSSlESCu36GwjslD/loYSHAE/ZGjucsfqP 5TzfHbvVg2909nkATjp6ctKYKg3bucDr1kmNv3v5a/Nd/PNp/f+cyAWIqO2DM5aYwxdz0IfCCZZ38 MspTSTTMOJvw9nUIEXvnthegeQ2oAeXJefeLA2PbhswmIG+LKfe3YTXibj5YHCYhS8hvexUJiw15t h5fmo5Qsg==; Received: from localhost ([::1] helo=merlin.infradead.org) by merlin.infradead.org with esmtp (Exim 4.92.3 #3 (Red Hat Linux)) id 1k1g5c-0005MT-Cw; Sat, 01 Aug 2020 01:13:32 +0000 Received: from mail-vk1-xa43.google.com ([2607:f8b0:4864:20::a43]) by merlin.infradead.org with esmtps (Exim 4.92.3 #3 (Red Hat Linux)) id 1k1g5Z-0005LJ-5U for linux-arm-kernel@lists.infradead.org; Sat, 01 Aug 2020 01:13:30 +0000 Received: by mail-vk1-xa43.google.com with SMTP id b6so5827556vkb.6 for ; Fri, 31 Jul 2020 18:13:27 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=1atZE34RD/GjizvNfwB1wZwKk1+IOqZ9VVtEVldwcNQ=; b=nWRuP15PbTL0ZbVV3+CPf6+bySEkJvu+PhIehPiMJMs0JIaOcZHHDc7wRFH/aczj/b mRuTbx56Hpbeblt2jz0RmlAZwA2Bo8Rll6ZtTXs8esxOoT6Kgon9Qmdyt/uWYp1cm2e5 4T2AHsiSrHgin+hHhRLF8+XDoE5u3fkoz4gpZ/FzstKl9LbyQ3JceJ/F/kXZRFrkZFpW +XuYs3oA9G3fkEh4GQac+JemBlBT8X/qmdT+fMUQn3VGyNXVdgHHVBFq/68ZqcQFpXfq Prt63K6M3uF022dCUGAsfFrCgyYmNB1/+qdAYKPdEhmUrGY+g9d2z2Wg3k1HSfBXl1/+ S3Mw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=1atZE34RD/GjizvNfwB1wZwKk1+IOqZ9VVtEVldwcNQ=; b=bJ3iZCAtVVbfXC5lOCALfCjvpZzmB/qg3TIqQ7jyp0Zpv9JYZfKAQ7OYuAEt7F3lj2 DYWo/jbHXSJKyaZ/7wKN0ys9vu4G49RTEz/fBYGsIAE0S3arKiSJ+INqVeJVw9Evdh3a ecCW7kCHbwRfTApEOKK+XfMUn1O4SD1cjwAcvrIgDD2jghIgGyC4iUVANPR4I9EKMt5L AG8rvCk+vcOP+ZAZclNz6dsQwvUkZTiUzY7Y7AJYJOe5w8sgR4Tn9un3dQ6qu7L+nKra IlB9CpzN3kwoxF13XQgx5K+kjIkIlHR0k1711FNh9kDdv+uUHpYWbhjEVv87YNuZjARM 7aYg== X-Gm-Message-State: AOAM530tZCjcBdHmEFFHCkg8BrwvF0IQ8/QNEuM1PdMzLNBMp8mJ+Ns6 SiOVIs1VKI8dGsqlpYBF0RFJ1YD3Z9BzyesOS9H68A== X-Google-Smtp-Source: ABdhPJx9ZMu65sOkWNRkehNK8dPoBfAZzpDw+Z7L7l9Wnp5F4Sn512PdgIskqjvLH583ufETLnN0eXiMtyNS2ERWlWs= X-Received: by 2002:ac5:ccdb:: with SMTP id j27mr4776549vkn.43.1596244405315; Fri, 31 Jul 2020 18:13:25 -0700 (PDT) MIME-Version: 1.0 References: <20200801011152.39838-1-pcc@google.com> In-Reply-To: <20200801011152.39838-1-pcc@google.com> From: Peter Collingbourne Date: Fri, 31 Jul 2020 18:13:14 -0700 Message-ID: Subject: Re: [PATCH] arm64: add prctl(PR_PAC_SET_ENABLED_KEYS) To: Catalin Marinas , Evgenii Stepanov , Kostya Serebryany , Vincenzo Frascino , Dave Martin X-CRM114-Version: 20100106-BlameMichelson ( TRE 0.8.0 (BSD) ) MR-646709E3 X-CRM114-CacheID: sfid-20200731_211329_251255_2F8FE5C3 X-CRM114-Status: GOOD ( 33.31 ) X-BeenThere: linux-arm-kernel@lists.infradead.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: Andrey Konovalov , Kevin Brodsky , Will Deacon , Linux ARM Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Sender: "linux-arm-kernel" Errors-To: linux-arm-kernel-bounces+linux-arm-kernel=archiver.kernel.org@lists.infradead.org On Fri, Jul 31, 2020 at 6:11 PM Peter Collingbourne wrote: > > This prctl allows the user program to control which PAC keys are enabled > in a particular task. The main reason why this is useful is to enable a > userspace ABI that uses PAC to sign and authenticate function pointers > and other pointers exposed outside of the function, while still allowing > binaries conforming to the ABI to interoperate with legacy binaries that > do not sign or authenticate pointers. > > The idea is that a dynamic loader or early startup code would issue > this prctl very early after establishing that a process may load legacy > binaries, but before executing any PAC instructions. Signed-off-by: Peter Collingbourne Sorry, will fix in v2. Peter > --- > .../arm64/pointer-authentication.rst | 27 +++++++++++++++ > arch/arm64/include/asm/asm_pointer_auth.h | 19 +++++++++++ > arch/arm64/include/asm/pointer_auth.h | 10 ++++-- > arch/arm64/include/asm/processor.h | 5 +++ > arch/arm64/kernel/asm-offsets.c | 1 + > arch/arm64/kernel/pointer_auth.c | 34 +++++++++++++++++++ > include/uapi/linux/prctl.h | 3 ++ > kernel/sys.c | 8 +++++ > 8 files changed, 105 insertions(+), 2 deletions(-) > > diff --git a/Documentation/arm64/pointer-authentication.rst b/Documentation/arm64/pointer-authentication.rst > index 30b2ab06526b..1f7e064deeb3 100644 > --- a/Documentation/arm64/pointer-authentication.rst > +++ b/Documentation/arm64/pointer-authentication.rst > @@ -107,3 +107,30 @@ filter out the Pointer Authentication system key registers from > KVM_GET/SET_REG_* ioctls and mask those features from cpufeature ID > register. Any attempt to use the Pointer Authentication instructions will > result in an UNDEFINED exception being injected into the guest. > + > + > +Enabling and disabling keys > +--------------------------- > + > +The prctl PR_PAC_SET_ENABLED_KEYS allows the user program to control which > +PAC keys are enabled in a particular task. It takes two arguments, the > +first being a bitmask of PR_PAC_APIAKEY, PR_PAC_APIBKEY, PR_PAC_APDAKEY > +and PR_PAC_APDBKEY specifying which keys shall be affected by this prctl, > +and the second being a bitmask of the same bits specifying whether the key > +should be enabled or disabled. For example:: > + > + prctl(PR_PAC_SET_ENABLED_KEYS, > + PR_PAC_APIAKEY | PR_PAC_APIBKEY | PR_PAC_APDAKEY | PR_PAC_APDBKEY, > + PR_PAC_APIBKEY, 0, 0); > + > +disables all keys except the IB key. > + > +The main reason why this is useful is to enable a userspace ABI that uses PAC > +instructions to sign and authenticate function pointers and other pointers > +exposed outside of the function, while still allowing binaries conforming to > +the ABI to interoperate with legacy binaries that do not sign or authenticate > +pointers. > + > +The idea is that a dynamic loader or early startup code would issue this > +prctl very early after establishing that a process may load legacy binaries, > +but before executing any PAC instructions. > diff --git a/arch/arm64/include/asm/asm_pointer_auth.h b/arch/arm64/include/asm/asm_pointer_auth.h > index 52dead2a8640..d121fa5fed5f 100644 > --- a/arch/arm64/include/asm/asm_pointer_auth.h > +++ b/arch/arm64/include/asm/asm_pointer_auth.h > @@ -31,6 +31,14 @@ alternative_else_nop_endif > ldp \tmp2, \tmp3, [\tmp1, #PTRAUTH_USER_KEY_APDB] > msr_s SYS_APDBKEYLO_EL1, \tmp2 > msr_s SYS_APDBKEYHI_EL1, \tmp3 > + > + ldr \tmp2, [\tsk, #THREAD_SCTLR_ENXX_MASK] > + cbz \tmp2, .Laddr_auth_skip_\@ > + > + mrs_s \tmp3, SYS_SCTLR_EL1 > + bic \tmp3, \tmp3, \tmp2 > + msr_s SYS_SCTLR_EL1, \tmp3 > + > .Laddr_auth_skip_\@: > alternative_if ARM64_HAS_GENERIC_AUTH > ldp \tmp2, \tmp3, [\tmp1, #PTRAUTH_USER_KEY_APGA] > @@ -45,6 +53,17 @@ alternative_else_nop_endif > ldp \tmp2, \tmp3, [\tmp1, #PTRAUTH_KERNEL_KEY_APIA] > msr_s SYS_APIAKEYLO_EL1, \tmp2 > msr_s SYS_APIAKEYHI_EL1, \tmp3 > + > + ldr \tmp2, [\tsk, #THREAD_SCTLR_ENXX_MASK] > + cbz \tmp2, .Lset_sctlr_skip_\@ > + > + mrs_s \tmp1, SYS_SCTLR_EL1 > + mov \tmp2, #(SCTLR_ELx_ENIA | SCTLR_ELx_ENIB | SCTLR_ELx_ENDA) > + movk \tmp2, #SCTLR_ELx_ENDB > + orr \tmp1, \tmp1, \tmp2 > + msr_s SYS_SCTLR_EL1, \tmp1 > + > +.Lset_sctlr_skip_\@: > .endm > > .macro ptrauth_keys_install_kernel_nosync tsk, tmp1, tmp2, tmp3 > diff --git a/arch/arm64/include/asm/pointer_auth.h b/arch/arm64/include/asm/pointer_auth.h > index c6b4f0603024..d4c375454a36 100644 > --- a/arch/arm64/include/asm/pointer_auth.h > +++ b/arch/arm64/include/asm/pointer_auth.h > @@ -70,14 +70,19 @@ static __always_inline void ptrauth_keys_switch_kernel(struct ptrauth_keys_kerne > } > > extern int ptrauth_prctl_reset_keys(struct task_struct *tsk, unsigned long arg); > +extern int ptrauth_prctl_set_enabled_keys(struct task_struct *tsk, > + unsigned long keys, > + unsigned long enabled); > > static inline unsigned long ptrauth_strip_insn_pac(unsigned long ptr) > { > return ptrauth_clear_pac(ptr); > } > > -#define ptrauth_thread_init_user(tsk) \ > - ptrauth_keys_init_user(&(tsk)->thread.keys_user) > +#define ptrauth_thread_init_user(tsk) do { \ > + ptrauth_keys_init_user(&(tsk)->thread.keys_user); \ > + (tsk)->thread.sctlr_enxx_mask = 0; \ > + } while (0) > #define ptrauth_thread_init_kernel(tsk) \ > ptrauth_keys_init_kernel(&(tsk)->thread.keys_kernel) > #define ptrauth_thread_switch_kernel(tsk) \ > @@ -85,6 +90,7 @@ static inline unsigned long ptrauth_strip_insn_pac(unsigned long ptr) > > #else /* CONFIG_ARM64_PTR_AUTH */ > #define ptrauth_prctl_reset_keys(tsk, arg) (-EINVAL) > +#define ptrauth_prctl_set_enabled_keys(tsk, keys, enabled) (-EINVAL) > #define ptrauth_strip_insn_pac(lr) (lr) > #define ptrauth_thread_init_user(tsk) > #define ptrauth_thread_init_kernel(tsk) > diff --git a/arch/arm64/include/asm/processor.h b/arch/arm64/include/asm/processor.h > index 240fe5e5b720..6974d227b01f 100644 > --- a/arch/arm64/include/asm/processor.h > +++ b/arch/arm64/include/asm/processor.h > @@ -150,6 +150,7 @@ struct thread_struct { > #ifdef CONFIG_ARM64_PTR_AUTH > struct ptrauth_keys_user keys_user; > struct ptrauth_keys_kernel keys_kernel; > + u64 sctlr_enxx_mask; > #endif > }; > > @@ -313,6 +314,10 @@ extern void __init minsigstksz_setup(void); > /* PR_PAC_RESET_KEYS prctl */ > #define PAC_RESET_KEYS(tsk, arg) ptrauth_prctl_reset_keys(tsk, arg) > > +/* PR_PAC_SET_ENABLED_KEYS prctl */ > +#define PAC_SET_ENABLED_KEYS(tsk, keys, enabled) \ > + ptrauth_prctl_set_enabled_keys(tsk, keys, enabled) > + > #ifdef CONFIG_ARM64_TAGGED_ADDR_ABI > /* PR_{SET,GET}_TAGGED_ADDR_CTRL prctl */ > long set_tagged_addr_ctrl(unsigned long arg); > diff --git a/arch/arm64/kernel/asm-offsets.c b/arch/arm64/kernel/asm-offsets.c > index 0577e2142284..dac80e16fe35 100644 > --- a/arch/arm64/kernel/asm-offsets.c > +++ b/arch/arm64/kernel/asm-offsets.c > @@ -47,6 +47,7 @@ int main(void) > #ifdef CONFIG_ARM64_PTR_AUTH > DEFINE(THREAD_KEYS_USER, offsetof(struct task_struct, thread.keys_user)); > DEFINE(THREAD_KEYS_KERNEL, offsetof(struct task_struct, thread.keys_kernel)); > + DEFINE(THREAD_SCTLR_ENXX_MASK,offsetof(struct task_struct, thread.sctlr_enxx_mask)); > #endif > BLANK(); > DEFINE(S_X0, offsetof(struct pt_regs, regs[0])); > diff --git a/arch/arm64/kernel/pointer_auth.c b/arch/arm64/kernel/pointer_auth.c > index 1e77736a4f66..8c385b7f324a 100644 > --- a/arch/arm64/kernel/pointer_auth.c > +++ b/arch/arm64/kernel/pointer_auth.c > @@ -42,3 +42,37 @@ int ptrauth_prctl_reset_keys(struct task_struct *tsk, unsigned long arg) > > return 0; > } > + > +static u64 arg_to_enxx_mask(unsigned long arg) > +{ > + u64 sctlr_enxx_mask = 0; > + if (arg & PR_PAC_APIAKEY) > + sctlr_enxx_mask |= SCTLR_ELx_ENIA; > + if (arg & PR_PAC_APIBKEY) > + sctlr_enxx_mask |= SCTLR_ELx_ENIB; > + if (arg & PR_PAC_APDAKEY) > + sctlr_enxx_mask |= SCTLR_ELx_ENDA; > + if (arg & PR_PAC_APDBKEY) > + sctlr_enxx_mask |= SCTLR_ELx_ENDB; > + return sctlr_enxx_mask; > +} > + > +int ptrauth_prctl_set_enabled_keys(struct task_struct *tsk, unsigned long keys, > + unsigned long enabled) > +{ > + u64 sctlr_enxx_mask = tsk->thread.sctlr_enxx_mask; > + unsigned long addr_key_mask = PR_PAC_APIAKEY | PR_PAC_APIBKEY | > + PR_PAC_APDAKEY | PR_PAC_APDBKEY; > + > + if (!system_supports_address_auth()) > + return -EINVAL; > + > + if ((keys & ~addr_key_mask) || (enabled & ~keys)) > + return -EINVAL; > + > + sctlr_enxx_mask |= arg_to_enxx_mask(keys); > + sctlr_enxx_mask &= ~arg_to_enxx_mask(enabled); > + > + tsk->thread.sctlr_enxx_mask = sctlr_enxx_mask; > + return 0; > +} > diff --git a/include/uapi/linux/prctl.h b/include/uapi/linux/prctl.h > index 07b4f8131e36..18e1ae4a37a2 100644 > --- a/include/uapi/linux/prctl.h > +++ b/include/uapi/linux/prctl.h > @@ -238,4 +238,7 @@ struct prctl_mm_map { > #define PR_SET_IO_FLUSHER 57 > #define PR_GET_IO_FLUSHER 58 > > +/* Set enabled arm64 pointer authentication keys */ > +#define PR_PAC_SET_ENABLED_KEYS 59 > + > #endif /* _LINUX_PRCTL_H */ > diff --git a/kernel/sys.c b/kernel/sys.c > index 00a96746e28a..623df216183b 100644 > --- a/kernel/sys.c > +++ b/kernel/sys.c > @@ -119,6 +119,9 @@ > #ifndef PAC_RESET_KEYS > # define PAC_RESET_KEYS(a, b) (-EINVAL) > #endif > +#ifndef PAC_SET_ENABLED_KEYS > +# define PAC_SET_ENABLED_KEYS(a, b, c) (-EINVAL) > +#endif > #ifndef SET_TAGGED_ADDR_CTRL > # define SET_TAGGED_ADDR_CTRL(a) (-EINVAL) > #endif > @@ -2494,6 +2497,11 @@ SYSCALL_DEFINE5(prctl, int, option, unsigned long, arg2, unsigned long, arg3, > return -EINVAL; > error = PAC_RESET_KEYS(me, arg2); > break; > + case PR_PAC_SET_ENABLED_KEYS: > + if (arg4 || arg5) > + return -EINVAL; > + error = PAC_SET_ENABLED_KEYS(me, arg2, arg3); > + break; > case PR_SET_TAGGED_ADDR_CTRL: > if (arg3 || arg4 || arg5) > return -EINVAL; > -- > 2.28.0.163.g6104cc2f0b6-goog > _______________________________________________ linux-arm-kernel mailing list linux-arm-kernel@lists.infradead.org http://lists.infradead.org/mailman/listinfo/linux-arm-kernel