From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-8.8 required=3.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_ADSP_CUSTOM_MED,DKIM_SIGNED,DKIM_VALID,HEADER_FROM_DIFFERENT_DOMAINS, INCLUDES_CR_TRAILER,MAILING_LIST_MULTI,SPF_HELO_NONE,SPF_PASS,URIBL_BLOCKED autolearn=unavailable autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id E40FAC2D0E4 for ; Tue, 24 Nov 2020 19:19:55 +0000 (UTC) Received: from merlin.infradead.org (merlin.infradead.org [205.233.59.134]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPS id 60702206B5 for ; Tue, 24 Nov 2020 19:19:55 +0000 (UTC) Authentication-Results: mail.kernel.org; dkim=pass (2048-bit key) header.d=lists.infradead.org header.i=@lists.infradead.org header.b="A+s5Htfm"; dkim=fail reason="signature verification failed" (2048-bit key) header.d=google.com header.i=@google.com header.b="ndHjZYZp" DMARC-Filter: OpenDMARC Filter v1.3.2 mail.kernel.org 60702206B5 Authentication-Results: mail.kernel.org; dmarc=fail (p=reject dis=none) header.from=google.com Authentication-Results: mail.kernel.org; spf=none smtp.mailfrom=linux-arm-kernel-bounces+linux-arm-kernel=archiver.kernel.org@lists.infradead.org DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=lists.infradead.org; s=merlin.20170209; h=Sender:Content-Transfer-Encoding: Content-Type:Cc:List-Subscribe:List-Help:List-Post:List-Archive: List-Unsubscribe:List-Id:To:Subject:Message-ID:Date:From:In-Reply-To: References:MIME-Version:Reply-To:Content-ID:Content-Description:Resent-Date: Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:List-Owner; bh=KnL6gf4aveARQS10f6xEdlNeowkcyoHuIev/CLTTXKY=; b=A+s5Htfmux5rWymeCERknOygd DdDtrjqGG0K20tYiciSIzsryGjSUr9NTqlo4JV9lRyvwH+AYekDaA3QwpKyTR57FmnsUEqgzgVcLN BZ4OUr0UGOvls+Kk1Anltd0ah1+/KmnIycTuJawcF08YIiTDJZuoDB6UpFU7JeONAliJK8b9sTqR/ 7oPsjRqBoGmVdhTBn50Trjh345uQKMPe38LnuHsrELy4ZNOt8KmXtR5zshRYPi3cabswhNFZd7bZT Scod2IM5mFawxnSXeyEhVrxIr3l1M217VKwYX8x6UXJ+qSAwA6ayrpIyGC+BaHEvEhP+Qa+5UHeR9 ZwwCB5ubA==; Received: from localhost ([::1] helo=merlin.infradead.org) by merlin.infradead.org with esmtp (Exim 4.92.3 #3 (Red Hat Linux)) id 1khdpc-0005xu-GC; Tue, 24 Nov 2020 19:18:28 +0000 Received: from mail-io1-xd43.google.com ([2607:f8b0:4864:20::d43]) by merlin.infradead.org with esmtps (Exim 4.92.3 #3 (Red Hat Linux)) id 1khdpZ-0005xJ-L5 for linux-arm-kernel@lists.infradead.org; Tue, 24 Nov 2020 19:18:26 +0000 Received: by mail-io1-xd43.google.com with SMTP id m13so23070770ioq.9 for ; Tue, 24 Nov 2020 11:18:23 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=idnE1XctnHORDhoVgx9a3wcMOuTd731MfJaNiFOgDGc=; b=ndHjZYZpz2yu7J6YDta1R5hJ5LCSMOcnfs+RGsdu3nu2FChgZUUi/Kh4I87wMJGYQs pu7NlEPA+AdrsVOI2AdFuoh2ndhqVkNuJev2dguIyKOr4bFrCr3wRilu0s6/IaKgOl6A r0nQhUB8JcPJu+eGTY3GSXSQ2NTYtyvzQiRrD7Y7r7GBV8GGdUeOW/2DAc7LcHuBz8Pw i+7mJX0NofR3VxmJ29astiujoKdk121hWlNlZxF8Pquii8CTjWT6aah3TqlbQIvbrPYT ANI2A7Y/IXVPtqZWLzaRPrqIt2R6SsttAROm9s6pkUhBoQeaSnbiiGy3aFI+RvXjXMzO SDpw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=idnE1XctnHORDhoVgx9a3wcMOuTd731MfJaNiFOgDGc=; b=ZPdJnbatfFqOjrXS5csxjnq8n9/GbXQuC8S2n9o78FOiBh31CNHXjNd3iGKAm7Fd97 s9wLFZpoWNJxaGU7ytpvRi+ANJJuWabftdLgYjWn4c6Oj4Jn7rb9kW08tWP46RkXu/vS SaYfYAhhQxOwl/R5d1TV0k9HQ/iLE2+Ei7rTNZdAtpRBS5qNa8qh3JLqY3H2XmwNcMND 2y5m0l6zeUErSaaqE5sBlcRgDiFrzRzROH1j3d0hiydlOPfQjQlEMIl1LMX82esrv2p6 dS388bKZ5r/NOIL9RER6/rkpS8pQIqJv+aqABbiw/7FscLxpqONpeRO6XUH8Pa9cZZot hdrQ== X-Gm-Message-State: AOAM532b7mC6CVCQrZBCj0Rln1pB/TM92LG41Ch6Vzg1sibdauEDxptz SqlmsRHDHxGwytMU3EuYa3QMmt+4Cfnm0HwgiWzl4A== X-Google-Smtp-Source: ABdhPJw6kPUI6xlqBM7Q5gnoG0UQ6OveDVdIORc+4W3t6zjSJ1J4E0O4gHw7a/b/iZXE95B2zvxa5dT05ILVdizAbTo= X-Received: by 2002:a02:ccbc:: with SMTP id t28mr43442jap.97.1606245501446; Tue, 24 Nov 2020 11:18:21 -0800 (PST) MIME-Version: 1.0 References: <20f64e26fc8a1309caa446fffcb1b4e2fe9e229f.1605952129.git.pcc@google.com> <64c0fa360333fd5275582d25019614156a8302bc.1605952129.git.pcc@google.com> <20201124184742.GC42276@C02TF0J2HF1T.local> In-Reply-To: <20201124184742.GC42276@C02TF0J2HF1T.local> From: Peter Collingbourne Date: Tue, 24 Nov 2020 11:18:10 -0800 Message-ID: Subject: Re: [PATCH 2/2] arm64: allow TCR_EL1.TBID0 to be configured To: Catalin Marinas X-CRM114-Version: 20100106-BlameMichelson ( TRE 0.8.0 (BSD) ) MR-646709E3 X-CRM114-CacheID: sfid-20201124_141825_748182_BADBAD49 X-CRM114-Status: GOOD ( 29.75 ) X-BeenThere: linux-arm-kernel@lists.infradead.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: Szabolcs Nagy , Andrey Konovalov , Kostya Serebryany , Evgenii Stepanov , Linux API , Vincenzo Frascino , Will Deacon , Dave Martin , Linux ARM Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Sender: "linux-arm-kernel" Errors-To: linux-arm-kernel-bounces+linux-arm-kernel=archiver.kernel.org@lists.infradead.org On Tue, Nov 24, 2020 at 10:47 AM Catalin Marinas wrote: > > On Sat, Nov 21, 2020 at 01:59:03AM -0800, Peter Collingbourne wrote: > > Introduce a Kconfig option that controls whether TCR_EL1.TBID0 is > > set at boot time. > > > > Setting TCR_EL1.TBID0 increases the number of signature bits used by > > the pointer authentication instructions for instruction addresses by 8, > > which improves the security of pointer authentication, but it also has > > the consequence of changing the operation of the branch instructions > > so that they no longer ignore the top byte of the target address but > > instead fault if they are non-zero. Since this is a change to the > > userspace ABI the option defaults to off. > > > > Signed-off-by: Peter Collingbourne > > Link: https://linux-review.googlesource.com/id/Ife724ad708142bc475f42e8c1d9609124994bbbd > > --- > > This is more of an RFC. An open question is how to expose this. > > Having it be a build-time flag is probably the simplest option > > but I guess it could also be a boot flag. Since it involves an > > ABI change we may also want a prctl() so that userspace can > > figure out which mode it is in. > > > > I think we should try to avoid it being a per-task property > > so that we don't need to swap yet another system register on > > task switch. > > Having it changed per task at run-time is problematic as this bit may be > cached in the TLB, so it would require a synchronisation across all CPUs > followed by TLBI. It's not even clear to me from the ARM ARM whether > this bit is tagged by ASID, which, if not, would make a per-process > setting impossible. > > So this leaves us with a cmdline option. If we are confident that no > software makes use of tagged instruction pointers, we could have it > default on. I would be concerned about turning it on by default because tagged instruction pointers may end up being used unintentionally as a result of emergent behavior. For example, when booting Android under FVP with this enabled I discovered that SwiftShader would crash when entering JITed code because the code was being stored at a tagged address (tagged because it had been allocated using Scudo's MTE allocator). Arguably software shouldn't be storing executable code in memory owned by the allocator as this would require changing the permissions of memory that it doesn't own, but from the kernel's perspective it is valid. Peter > Adding Szabolcs on the gcc/glibc side. > > -- > Catalin _______________________________________________ linux-arm-kernel mailing list linux-arm-kernel@lists.infradead.org http://lists.infradead.org/mailman/listinfo/linux-arm-kernel