linux-mm.kvack.org archive mirror
* [PATCH RFC v2 00/21] kasan: hardware tag-based mode for production use on arm64
@ 2020-10-22 13:18 Andrey Konovalov
From: Andrey Konovalov @ 2020-10-22 13:18 UTC (permalink / raw)
  To: Catalin Marinas, Will Deacon, Vincenzo Frascino, Dmitry Vyukov,
	Alexander Potapenko, Marco Elver
  Cc: Evgenii Stepanov, Kostya Serebryany, Peter Collingbourne,
	Serban Constantinescu, Andrey Ryabinin, Elena Petrova,
	Branislav Rankov, Kevin Brodsky, Andrew Morton, kasan-dev,
	linux-arm-kernel, linux-mm, linux-kernel, Andrey Konovalov

This patchset is not complete (hence sending as RFC), but I would like to
start the discussion now and hear people's opinions regarding the
questions mentioned below.

=== Overview

This patchset adopts the existing hardware tag-based KASAN mode [1] for
use in production as a memory corruption mitigation. Hardware tag-based
KASAN relies on arm64 Memory Tagging Extension (MTE) [2] to perform memory
and pointer tagging. Please see [3] and [4] for detailed analysis of how
MTE helps to fight memory safety problems.

The current plan is to reuse CONFIG_KASAN_HW_TAGS for production, but add a
boot-time switch that allows choosing between a debugging mode, which
includes all KASAN features as they are, and a production mode, which only
includes the essentials like tag checking.

It is essential that switching between these modes doesn't require
rebuilding the kernel with different configs, as this is required by the
Android GKI initiative [5].

The patch titled "kasan: add and integrate kasan boot parameters" of this
series adds a few new boot parameters:

kasan.mode allows choosing one of three main modes:

- kasan.mode=off - no checks at all
- kasan.mode=prod - only essential production features
- kasan.mode=full - all features

Those mode configs provide default values for three more internal configs
listed below. However, it's also possible to override the default values
by providing:

- kasan.stack=off/on - enable stack collection
                       (default: on for mode=full, otherwise off)
- kasan.trap=async/sync - use async or sync MTE mode
                          (default: sync for mode=full, otherwise async)
- kasan.fault=report/panic - only report MTE fault or also panic
                             (default: report)

=== Benchmarks

For now I've only performed a few simple benchmarks such as measuring
kernel boot time and slab memory usage after boot. The benchmarks were
performed in QEMU and the results below exclude the slowdown caused by
QEMU memory tagging emulation (as it's different from the slowdown that
will be introduced by hardware and therefore irrelevant).

KASAN_HW_TAGS=y + kasan.mode=off introduces no performance or memory
impact compared to KASAN_HW_TAGS=n.

kasan.mode=prod (without executing the tagging instructions) introduces
7% of both performance and memory impact compared to kasan.mode=off.
Note that 4% of performance and all 7% of memory impact are caused by the
fact that enabling KASAN essentially results in CONFIG_SLAB_MERGE_DEFAULT
being disabled.

Recommended Android config has CONFIG_SLAB_MERGE_DEFAULT disabled (I assume
for security reasons), but Pixel 4 has it enabled. It's arguable whether
"disabling" CONFIG_SLAB_MERGE_DEFAULT introduces any security benefit on
top of MTE. Without MTE it makes exploiting some heap corruption harder.
With MTE it will only make it harder provided that the attacker is able to
predict allocation tags.

kasan.mode=full has 40% performance and 30% memory impact over
kasan.mode=prod. Both come from alloc/free stack collection.

=== Questions

Any concerns about the boot parameters?

Should we try to deal with the CONFIG_SLAB_MERGE_DEFAULT-like behavior
mentioned above?

=== Notes

This patchset is available here:

https://github.com/xairy/linux/tree/up-prod-mte-rfc2

and on Gerrit here:

https://linux-review.googlesource.com/c/linux/kernel/git/torvalds/linux/+/3707

This patchset is based on v5 of "kasan: add hardware tag-based mode for
arm64" patchset [1] (along with some fixes).

For testing in QEMU hardware tag-based KASAN requires:

1. QEMU built from master [6] (use "-machine virt,mte=on -cpu max" arguments
   to run).
2. GCC version 10.

[1] https://lore.kernel.org/linux-arm-kernel/cover.1602535397.git.andreyknvl@google.com/
[2] https://community.arm.com/developer/ip-products/processors/b/processors-ip-blog/posts/enhancing-memory-safety
[3] https://arxiv.org/pdf/1802.09517.pdf
[4] https://github.com/microsoft/MSRC-Security-Research/blob/master/papers/2020/Security%20analysis%20of%20memory%20tagging.pdf
[5] https://source.android.com/devices/architecture/kernel/generic-kernel-image
[6] https://github.com/qemu/qemu

=== History

Changes RFCv1->RFCv2:
- Rework boot parameters.
- Drop __init from empty kasan_init_tags() definition.
- Add cpu_supports_mte() helper that can be used during early boot and use
  it in kasan_init_tags().
- Lots of new KASAN optimization commits.

Andrey Konovalov (21):
  kasan: simplify quarantine_put call site
  kasan: rename get_alloc/free_info
  kasan: introduce set_alloc_info
  kasan: unpoison stack only with CONFIG_KASAN_STACK
  kasan: allow VMAP_STACK for HW_TAGS mode
  kasan: mark kasan_init_tags as __init
  kasan, arm64: move initialization message
  kasan: remove __kasan_unpoison_stack
  kasan: inline kasan_reset_tag for tag-based modes
  kasan: inline random_tag for HW_TAGS
  kasan: inline kasan_poison_memory and check_invalid_free
  kasan: inline and rename kasan_unpoison_memory
  arm64: kasan: Add cpu_supports_tags helper
  kasan: add and integrate kasan boot parameters
  kasan: check kasan_enabled in annotations
  kasan: optimize poisoning in kmalloc and krealloc
  kasan: simplify kasan_poison_kfree
  kasan: rename kasan_poison_kfree
  kasan: don't round_up too much
  kasan: simplify assign_tag and set_tag calls
  kasan: clarify comment in __kasan_kfree_large

 arch/Kconfig                       |   2 +-
 arch/arm64/include/asm/memory.h    |   1 +
 arch/arm64/include/asm/mte-kasan.h |   6 +
 arch/arm64/kernel/mte.c            |  20 +++
 arch/arm64/kernel/sleep.S          |   2 +-
 arch/arm64/mm/kasan_init.c         |   3 +
 arch/x86/kernel/acpi/wakeup_64.S   |   2 +-
 include/linux/kasan.h              | 225 ++++++++++++++++++-------
 include/linux/mm.h                 |  27 ++-
 kernel/fork.c                      |   2 +-
 mm/kasan/common.c                  | 256 ++++++++++++++++-------------
 mm/kasan/generic.c                 |  19 ++-
 mm/kasan/hw_tags.c                 | 182 +++++++++++++++++---
 mm/kasan/kasan.h                   | 102 ++++++++----
 mm/kasan/quarantine.c              |   5 +-
 mm/kasan/report.c                  |  26 ++-
 mm/kasan/report_sw_tags.c          |   2 +-
 mm/kasan/shadow.c                  |   1 +
 mm/kasan/sw_tags.c                 |  20 ++-
 mm/mempool.c                       |   2 +-
 mm/slab_common.c                   |   2 +-
 mm/slub.c                          |   3 +-
 22 files changed, 641 insertions(+), 269 deletions(-)

-- 
2.29.0.rc1.297.gfa9743e501-goog
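The precedence rules the cover letter describes for the boot parameters (kasan.mode supplies defaults; kasan.stack, kasan.trap and kasan.fault override them individually, whatever their order on the command line), worked through as an added example in C. This is not code from the patchset: the struct layout, the function names, the packed-int encoding and the choice to treat an absent kasan.mode as "full" are all assumptions made for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical types; they mirror the parameter choices listed in the cover letter. */
enum kasan_mode  { KASAN_MODE_OFF = 0, KASAN_MODE_PROD = 1, KASAN_MODE_FULL = 2 };
enum kasan_trap  { KASAN_TRAP_ASYNC = 0, KASAN_TRAP_SYNC = 1 };
enum kasan_fault { KASAN_FAULT_REPORT = 0, KASAN_FAULT_PANIC = 1 };

/* Assumption: an absent kasan.mode behaves like kasan.mode=full. */
#define KASAN_DEFAULT_MODE KASAN_MODE_FULL

struct kasan_cfg {
	enum kasan_mode mode;
	bool stack;             /* collect alloc/free stack traces */
	enum kasan_trap trap;   /* async or sync MTE tag check faults */
	enum kasan_fault fault; /* report only, or also panic */
};

/* Raw values as given on the command line; -1 means "not given". */
struct kasan_raw { int mode, stack, trap, fault; };

/* Handle one "key=value" token; non-kasan keys are ignored. Returns false on a bad kasan.* value. */
static bool parse_token(const char *tok, size_t len, struct kasan_raw *raw)
{
	static const char *const modes[]  = { "off", "prod", "full" };
	static const char *const onoff[]  = { "off", "on" };
	static const char *const traps[]  = { "async", "sync" };
	static const char *const faults[] = { "report", "panic" };
	const char *const *names = NULL;
	int *slot = NULL, n = 0, i;
	char buf[64], *eq;

	if (len >= sizeof(buf))
		return true;    /* overlong token: cannot be one of ours */
	memcpy(buf, tok, len);
	buf[len] = '\0';
	eq = strchr(buf, '=');
	if (!eq)
		return true;    /* bare flag, not a kasan.* parameter */
	*eq = '\0';

	if (strcmp(buf, "kasan.mode") == 0)       { slot = &raw->mode;  names = modes;  n = 3; }
	else if (strcmp(buf, "kasan.stack") == 0) { slot = &raw->stack; names = onoff;  n = 2; }
	else if (strcmp(buf, "kasan.trap") == 0)  { slot = &raw->trap;  names = traps;  n = 2; }
	else if (strcmp(buf, "kasan.fault") == 0) { slot = &raw->fault; names = faults; n = 2; }
	else
		return true;    /* some other subsystem's parameter */

	for (i = 0; i < n; i++) {
		if (strcmp(eq + 1, names[i]) == 0) {
			*slot = i;  /* last occurrence wins, as on a real command line */
			return true;
		}
	}
	return false;
}

/* Resolve a whole command line into a final config. Returns false on an invalid kasan.* value. */
bool kasan_resolve_cmdline(const char *cmdline, struct kasan_cfg *cfg)
{
	struct kasan_raw raw = { -1, -1, -1, -1 };
	const char *p = cmdline, *start;
	bool full;

	while (*p) {
		while (*p == ' ')
			p++;
		start = p;
		while (*p && *p != ' ')
			p++;
		if (p > start && !parse_token(start, (size_t)(p - start), &raw))
			return false;
	}

	/* Step 1: the mode supplies the defaults; position on the command line is irrelevant. */
	cfg->mode = raw.mode >= 0 ? (enum kasan_mode)raw.mode : KASAN_DEFAULT_MODE;
	full = cfg->mode == KASAN_MODE_FULL;

	/* Step 2: explicitly given parameters override the mode-derived defaults. */
	cfg->stack = raw.stack >= 0 ? raw.stack == 1 : full;
	cfg->trap  = raw.trap  >= 0 ? (enum kasan_trap)raw.trap : (full ? KASAN_TRAP_SYNC : KASAN_TRAP_ASYNC);
	cfg->fault = raw.fault >= 0 ? (enum kasan_fault)raw.fault : KASAN_FAULT_REPORT;
	/* With mode=off no checks run at all; the other fields are then informational only. */
	return true;
}

/* Pack a resolved config into one int (mode | stack<<4 | trap<<8 | fault<<12); -1 on invalid input. */
int kasan_cfg_code(const char *cmdline)
{
	struct kasan_cfg cfg;

	if (!kasan_resolve_cmdline(cmdline, &cfg))
		return -1;
	return (int)cfg.mode | (cfg.stack ? 0x10 : 0) | ((int)cfg.trap << 8) | ((int)cfg.fault << 12);
}

int main(void)
{
	/* Constructed sample command lines, not taken from any real device. */
	static const char *const lines[] = { "console=ttyAMA0 kasan.mode=prod",
		"kasan.stack=off kasan.mode=full", "kasan.mode=prod kasan.fault=panic", "kasan.mode=bogus" };
	for (size_t i = 0; i < sizeof(lines) / sizeof(lines[0]); i++)
		printf("%-40s -> code 0x%04x\n", lines[i], kasan_cfg_code(lines[i]));
	return 0;
}
```

The two-step resolution is the point: collecting raw values first and only then deriving defaults from the mode is what makes "kasan.stack=off kasan.mode=full" and "kasan.mode=full kasan.stack=off" behave identically, which a naive parser that applies mode defaults the moment it sees kasan.mode would get wrong.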




Thread overview: 71+ messages
2020-10-22 13:18 [PATCH RFC v2 00/21] kasan: hardware tag-based mode for production use on arm64 Andrey Konovalov
2020-10-22 13:18 ` [PATCH RFC v2 01/21] kasan: simplify quarantine_put call site Andrey Konovalov
2020-10-27 12:40   ` Dmitry Vyukov
2020-10-22 13:18 ` [PATCH RFC v2 02/21] kasan: rename get_alloc/free_info Andrey Konovalov
2020-10-27 12:40   ` Dmitry Vyukov
2020-10-22 13:18 ` [PATCH RFC v2 03/21] kasan: introduce set_alloc_info Andrey Konovalov
2020-10-27 12:41   ` Dmitry Vyukov
2020-10-22 13:18 ` [PATCH RFC v2 04/21] kasan: unpoison stack only with CONFIG_KASAN_STACK Andrey Konovalov
2020-10-27 12:44   ` Dmitry Vyukov
2020-10-27 12:45     ` Dmitry Vyukov
2020-10-29 19:57     ` Andrey Konovalov
2020-11-16 10:59       ` Dmitry Vyukov
2020-11-16 11:50         ` Marco Elver
2020-11-16 12:16           ` Catalin Marinas
2020-11-16 12:19             ` Dmitry Vyukov
2020-11-16 12:45               ` Vincenzo Frascino
2020-11-16 13:50                 ` Andrey Konovalov
2020-11-16 14:50                   ` Vincenzo Frascino
2020-10-22 13:18 ` [PATCH RFC v2 05/21] kasan: allow VMAP_STACK for HW_TAGS mode Andrey Konovalov
2020-10-27 12:49   ` Dmitry Vyukov
2020-10-29 20:00     ` Andrey Konovalov
2020-10-22 13:18 ` [PATCH RFC v2 06/21] kasan: mark kasan_init_tags as __init Andrey Konovalov
2020-10-28 10:08   ` Dmitry Vyukov
2020-10-29 20:08     ` Andrey Konovalov
2020-10-22 13:18 ` [PATCH RFC v2 07/21] kasan, arm64: move initialization message Andrey Konovalov
2020-10-28 10:55   ` Dmitry Vyukov
2020-10-29 20:14     ` Andrey Konovalov
2020-11-03 15:33       ` Andrey Konovalov
2020-10-22 13:19 ` [PATCH RFC v2 08/21] kasan: remove __kasan_unpoison_stack Andrey Konovalov
2020-10-28 10:57   ` Dmitry Vyukov
2020-10-22 13:19 ` [PATCH RFC v2 09/21] kasan: inline kasan_reset_tag for tag-based modes Andrey Konovalov
2020-10-28 11:05   ` Dmitry Vyukov
2020-10-30 16:19     ` Andrey Konovalov
2020-10-22 13:19 ` [PATCH RFC v2 10/21] kasan: inline random_tag for HW_TAGS Andrey Konovalov
2020-10-28 11:08   ` Dmitry Vyukov
2020-10-30 15:48     ` Andrey Konovalov
2020-10-30 16:07       ` Andrey Konovalov
2020-10-22 13:19 ` [PATCH RFC v2 11/21] kasan: inline kasan_poison_memory and check_invalid_free Andrey Konovalov
2020-10-28 11:29   ` Dmitry Vyukov
2020-10-22 13:19 ` [PATCH RFC v2 12/21] kasan: inline and rename kasan_unpoison_memory Andrey Konovalov
2020-10-28 11:36   ` Dmitry Vyukov
2020-10-30 16:34     ` Andrey Konovalov
2020-10-30 17:46       ` Dmitry Vyukov
2020-10-22 13:19 ` [PATCH RFC v2 13/21] arm64: kasan: Add cpu_supports_tags helper Andrey Konovalov
2020-10-28 11:38   ` Dmitry Vyukov
2020-10-22 13:19 ` [PATCH RFC v2 14/21] kasan: add and integrate kasan boot parameters Andrey Konovalov
2020-10-22 18:50   ` Marco Elver
2020-10-22 20:28     ` Andrey Konovalov
2020-10-28 12:27   ` Dmitry Vyukov
2020-10-30 19:30     ` Andrey Konovalov
2020-10-30 14:45   ` Marco Elver
2020-10-30 19:30     ` Andrey Konovalov
2020-10-22 13:19 ` [PATCH RFC v2 15/21] kasan: check kasan_enabled in annotations Andrey Konovalov
2020-10-28 16:47   ` Dmitry Vyukov
2020-10-30 19:47     ` Andrey Konovalov
2020-10-22 13:19 ` [PATCH RFC v2 16/21] kasan: optimize poisoning in kmalloc and krealloc Andrey Konovalov
2020-10-28 16:55   ` Dmitry Vyukov
2020-11-02 15:17     ` Andrey Konovalov
2020-10-22 13:19 ` [PATCH RFC v2 17/21] kasan: simplify kasan_poison_kfree Andrey Konovalov
2020-10-28 16:57   ` Dmitry Vyukov
2020-10-22 13:19 ` [PATCH RFC v2 18/21] kasan: rename kasan_poison_kfree Andrey Konovalov
2020-10-28 16:58   ` Dmitry Vyukov
2020-10-22 13:19 ` [PATCH RFC v2 19/21] kasan: don't round_up too much Andrey Konovalov
2020-10-28 17:01   ` Dmitry Vyukov
2020-10-22 13:19 ` [PATCH RFC v2 20/21] kasan: simplify assign_tag and set_tag calls Andrey Konovalov
2020-10-28 17:03   ` Dmitry Vyukov
2020-10-22 13:19 ` [PATCH RFC v2 21/21] kasan: clarify comment in __kasan_kfree_large Andrey Konovalov
2020-10-28 17:04   ` Dmitry Vyukov
2020-10-22 15:15 ` [PATCH RFC v2 00/21] kasan: hardware tag-based mode for production use on arm64 Dmitry Vyukov
2020-10-22 17:00   ` Andrey Konovalov
2020-10-22 18:29     ` Kostya Serebryany
