* [PATCH RFC 0/8] kasan: hardware tag-based mode for production use on arm64
@ 2020-10-14 20:44 Andrey Konovalov
From: Andrey Konovalov @ 2020-10-14 20:44 UTC (permalink / raw)
  To: Catalin Marinas, Will Deacon, Vincenzo Frascino, Dmitry Vyukov,
	Alexander Potapenko, Marco Elver, Evgenii Stepanov
  Cc: Andrey Ryabinin, Elena Petrova, Branislav Rankov, Kevin Brodsky,
	Andrew Morton, kasan-dev, linux-arm-kernel, linux-mm,
	linux-kernel, Andrey Konovalov

This patchset is not complete (see particular TODOs in the last patch),
and I haven't performed any benchmarking yet, but I would like to start the
discussion now and hear people's opinions regarding the questions mentioned
below.

=== Overview

This patchset adopts the existing hardware tag-based KASAN mode [1] for
use in production as a memory corruption mitigation. Hardware tag-based
KASAN relies on arm64 Memory Tagging Extension (MTE) [2] to perform memory
and pointer tagging. Please see [3] and [4] for detailed analysis of how
MTE helps to fight memory safety problems.

The current plan is to reuse CONFIG_KASAN_HW_TAGS for production, but add a
boot time switch that allows choosing between a debugging mode, which
includes all KASAN features as they are, and a production mode, which only
includes the essentials like tag checking.

It is essential that switching between these modes doesn't require
rebuilding the kernel with different configs, as this is required by the
Android GKI initiative [5].

The last patch of this series adds a new boot time parameter called
kasan_mode, which can have the following values:

- "kasan_mode=on" - only production features
- "kasan_mode=debug" - all debug features
- "kasan_mode=off" - no checks at all (not implemented yet)

Currently outlined differences between "on" and "debug":

- "on" doesn't keep track of alloc/free stacks, and therefore doesn't
  require the additional memory to store those
- "on" uses asynchronous tag checking (not implemented yet)

=== Questions

The intention with this kind of a high level switch is to hide the
implementation details. Arguably, we could add multiple switches that allow
separately controlling each KASAN or MTE feature, but I'm not sure there's
much value in that.

Does this make sense? Any preference regarding the name of the parameter
and its values?

What should be the default when the parameter is not specified? I would
argue that it should be "debug" (for hardware that supports MTE, otherwise
"off"), as it's the implied default for all other KASAN modes.

Should we somehow control whether to panic the kernel on a tag fault?
Another boot time parameter perhaps?

Any ideas as to how to properly estimate the slowdown? As there's no
MTE-enabled hardware yet, the only way to test these patches is to use an
emulator (like QEMU). The delay that is added by the emulator (for setting
and checking the tags) is different from the hardware delay, and this skews
the results.

A question to KASAN maintainers: what would be the best way to support the
"off" mode? I see two potential approaches: add a check into each kasan
callback (easier to implement, but we still call kasan callbacks, even
though they immediately return), or add inline header wrappers that do the
same.

=== Notes

This patchset is available here:

https://github.com/xairy/linux/tree/up-prod-mte-rfc1

and on Gerrit here:

https://linux-review.googlesource.com/c/linux/kernel/git/torvalds/linux/+/3460

This patchset is based on v5 of "kasan: add hardware tag-based mode for
arm64" patchset [1].

For testing in QEMU hardware tag-based KASAN requires:

1. QEMU built from master [6] (use "-machine virt,mte=on -cpu max" arguments
   to run).
2. GCC version 10.

[1] https://lore.kernel.org/linux-arm-kernel/cover.1602535397.git.andreyknvl@google.com/
[2] https://community.arm.com/developer/ip-products/processors/b/processors-ip-blog/posts/enhancing-memory-safety
[3] https://arxiv.org/pdf/1802.09517.pdf
[4] https://github.com/microsoft/MSRC-Security-Research/blob/master/papers/2020/Security%20analysis%20of%20memory%20tagging.pdf
[5] https://source.android.com/devices/architecture/kernel/generic-kernel-image
[6] https://github.com/qemu/qemu

Andrey Konovalov (8):
  kasan: simplify quarantine_put call
  kasan: rename get_alloc/free_info
  kasan: introduce set_alloc_info
  kasan: unpoison stack only with CONFIG_KASAN_STACK
  kasan: mark kasan_init_tags as __init
  kasan, arm64: move initialization message
  arm64: kasan: Add system_supports_tags helper
  kasan: add and integrate kasan_mode boot param

 arch/arm64/include/asm/memory.h  |  1 +
 arch/arm64/kernel/sleep.S        |  2 +-
 arch/arm64/mm/kasan_init.c       |  3 ++
 arch/x86/kernel/acpi/wakeup_64.S |  2 +-
 include/linux/kasan.h            | 14 ++---
 mm/kasan/common.c                | 90 ++++++++++++++++++--------------
 mm/kasan/generic.c               | 18 ++++---
 mm/kasan/hw_tags.c               | 63 ++++++++++++++++++++--
 mm/kasan/kasan.h                 | 25 ++++++---
 mm/kasan/quarantine.c            |  5 +-
 mm/kasan/report.c                | 22 +++++---
 mm/kasan/report_sw_tags.c        |  2 +-
 mm/kasan/sw_tags.c               | 14 +++--
 13 files changed, 182 insertions(+), 79 deletions(-)

-- 
2.28.0.1011.ga647a8990f-goog
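The three-value kasan_mode switch and the "inline header wrapper" option for the "off" mode that the cover letter asks about, modelled as plain user-space C. This is an added illustration, not code from the patchset: only the values on/debug/off come from the letter, and every function and variable name (kasan_mode_parse, kasan_checks_enabled, kasan_stacks_enabled, __kasan_poison_body, kasan_poison, kasan_model_run) is hypothetical.

```c
/* Added model of the proposed kasan_mode switch, not code from the patchset:
 * only the values on/debug/off come from the letter; all names are hypothetical. */
#include <stdbool.h>
#include <string.h>
enum kasan_mode { KASAN_MODE_OFF, KASAN_MODE_ON, KASAN_MODE_DEBUG };
static const char *const kasan_mode_names[] = { "off", "on", "debug" };
/* Default to "debug", the default the cover letter argues for. */
static enum kasan_mode kasan_mode = KASAN_MODE_DEBUG;
/* Stand-in for an early_param handler: accept exactly the three documented
 * values; an unknown value is rejected and leaves the current mode intact. */
bool kasan_mode_parse(const char *arg)
{
	for (int i = 0; arg && i < 3; i++)
		if (!strcmp(arg, kasan_mode_names[i])) {
			kasan_mode = (enum kasan_mode)i;
			return true;
		}
	return false;
}

/* Tag checking is the essential feature, present in both "on" and "debug";
 * alloc/free stack recording is the debug-only extra the letter names. */
bool kasan_checks_enabled(void) { return kasan_mode != KASAN_MODE_OFF; }
bool kasan_stacks_enabled(void) { return kasan_mode == KASAN_MODE_DEBUG; }

static unsigned long body_runs; /* times the out-of-line body executed */
/* Out-of-line callback body, deliberately free of any mode check. */
void __kasan_poison_body(const void *addr, size_t size)
{
	(void)addr; (void)size; body_runs++;
}

/* Inline header wrapper (the letter's second approach): "off" never calls out. */
static inline void kasan_poison(const void *addr, size_t size)
{
	if (kasan_checks_enabled())
		__kasan_poison_body(addr, size);
}

/* n poison calls under the named mode; returns body runs, or -1 if rejected. */
unsigned long kasan_model_run(const char *mode, unsigned long n)
{
	body_runs = 0;
	if (!kasan_mode_parse(mode))
		return (unsigned long)-1;
	for (unsigned long i = 0; i < n; i++)
		kasan_poison(NULL, 0);
	return body_runs;
}
```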