linux-kernel.vger.kernel.org archive mirror
* [PATCH bpf-next] bpf, arm64: sign return address for jited code
@ 2022-03-18 10:29 Xu Kuohai
  2022-04-01 20:22 ` Daniel Borkmann
  0 siblings, 1 reply; 3+ messages in thread
From: Xu Kuohai @ 2022-03-18 10:29 UTC (permalink / raw)
  To: netdev, bpf, linux-arm-kernel, linux-kernel
  Cc: Daniel Borkmann, Alexei Starovoitov, Zi Shen Lim,
	Catalin Marinas, Will Deacon, Andrii Nakryiko, Martin KaFai Lau,
	Song Liu, Yonghong Song, John Fastabend, KP Singh

Sign return address for jited code when the kernel is built with pointer
authentication enabled.

1. Sign lr with paciasp instruction before lr is pushed to stack. Since
   paciasp acts like a landing pad for function entry, no need to insert
   bti instruction before paciasp.

2. Authenticate lr with autiasp instruction after lr is popped from stack.

Signed-off-by: Xu Kuohai <xukuohai@huawei.com>
---
 arch/arm64/net/bpf_jit.h      |  3 +++
 arch/arm64/net/bpf_jit_comp.c | 11 +++++++++--
 2 files changed, 12 insertions(+), 2 deletions(-)

diff --git a/arch/arm64/net/bpf_jit.h b/arch/arm64/net/bpf_jit.h
index dd59b5ad8fe4..679c80aa1f2e 100644
--- a/arch/arm64/net/bpf_jit.h
+++ b/arch/arm64/net/bpf_jit.h
@@ -249,6 +249,9 @@
 /* HINTs */
 #define A64_HINT(x) aarch64_insn_gen_hint(x)
 
+#define A64_PACIASP A64_HINT(AARCH64_INSN_HINT_PACIASP)
+#define A64_AUTIASP A64_HINT(AARCH64_INSN_HINT_AUTIASP)
+
 /* BTI */
 #define A64_BTI_C  A64_HINT(AARCH64_INSN_HINT_BTIC)
 #define A64_BTI_J  A64_HINT(AARCH64_INSN_HINT_BTIJ)
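Review bot: style point on the new defines: A64_PACIASP and A64_AUTIASP are dropped between the generic A64_HINT() macro and the `/* BTI */` group without a group comment of their own, so a reader of the header cannot tell at a glance that they belong to a separate feature. Give them a `/* PAC */` header matching the `/* BTI */` one, e.g. `/* PAC */` followed by `#define A64_PACIASP A64_HINT(AARCH64_INSN_HINT_PACIASP)` and `#define A64_AUTIASP A64_HINT(AARCH64_INSN_HINT_AUTIASP)`, so the sections of the header stay uniform.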
diff --git a/arch/arm64/net/bpf_jit_comp.c b/arch/arm64/net/bpf_jit_comp.c
index e850c69e128c..5dcf45e5944e 100644
--- a/arch/arm64/net/bpf_jit_comp.c
+++ b/arch/arm64/net/bpf_jit_comp.c
@@ -192,7 +192,7 @@ static bool is_addsub_imm(u32 imm)
 }
 
 /* Tail call offset to jump into */
-#if IS_ENABLED(CONFIG_ARM64_BTI_KERNEL)
+#if IS_ENABLED(CONFIG_ARM64_BTI_KERNEL) || IS_ENABLED(CONFIG_ARM64_PTR_AUTH_KERNEL)
 #define PROLOGUE_OFFSET 8
 #else
 #define PROLOGUE_OFFSET 7
@@ -233,8 +233,11 @@ static int build_prologue(struct jit_ctx *ctx, bool ebpf_from_cbpf)
 	 *
 	 */
 
+	/* Sign lr */
+	if (IS_ENABLED(CONFIG_ARM64_PTR_AUTH_KERNEL))
+		emit(A64_PACIASP, ctx);
 	/* BTI landing pad */
-	if (IS_ENABLED(CONFIG_ARM64_BTI_KERNEL))
+	else if (IS_ENABLED(CONFIG_ARM64_BTI_KERNEL))
 		emit(A64_BTI_C, ctx);
 
 	/* Save FP and LR registers to stay align with ARM64 AAPCS */
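Review bot: the comment placement makes the `else if` read as if the BTI landing pad is dropped when both PAC and BTI are configured: `/* BTI landing pad */` now sits between the PACIASP branch and its `else if`, and the reason the two branches are exclusive lives only in the commit message. Move that reason into the code, e.g. `/* Sign lr; PACIASP is also a valid BTI C landing pad, so BTI C is only needed without PAC */`, and note here how the two other entry paths relate to the signing: BPF-to-BPF calls come through this prologue and so sign their own LR, while tail calls enter after it and rely on the LR signed by the first program.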
@@ -529,6 +532,10 @@ static void build_epilogue(struct jit_ctx *ctx)
 	/* Set return value */
 	emit(A64_MOV(1, A64_R(0), r0), ctx);
 
+	/* Authenticate lr */
+	if (IS_ENABLED(CONFIG_ARM64_PTR_AUTH_KERNEL))
+		emit(A64_AUTIASP, ctx);
+
 	emit(A64_RET(A64_LR), ctx);
 }
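Review bot: AUTIASP followed by a separate RET is the right choice, but the reason belongs in the comment: AUTIASP is a HINT-space instruction that executes as a NOP on cores without pointer authentication, so one JIT image runs on any arm64 CPU, whereas the combined RETAA is not in HINT space and would fault on such cores. Expand `/* Authenticate lr */` to say so, and to say that the authentication is against the current SP, which must equal the SP at the prologue's PACIASP because everything pushed after the signing has been popped by this point.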
 
-- 
2.30.2


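The properties the commit message describes (PACIASP before LR is pushed, AUTIASP after it is popped, PACIASP doubling as the BTI C landing pad, and the tail call entry landing after the PACIASP) can be checked on a JIT image rather than taken on trust. The checker below is an added example written for this page, not code from the patch or from the kernel's arm64 JIT. It assumes the prologue layout visible in the diff and runs over a constructed 17-word sample image; the choice of callee-saved registers and the use of x7 as BPF R0 in that sample are assumptions. Only the HINT instruction encodings and the rule that HINT-space instructions are NOP-compatible are architectural.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* HINT #imm7 is 0xd503201f | imm7 << 5, as the kernel's A64_HINT() builds it;
 * PACIASP/AUTIASP sit in this NOP-compatible space. */
#define A64_HINT_BASE 0xd503201fu
#define A64_HINT(op)  (A64_HINT_BASE | ((uint32_t)(op) << 5))
#define IS_HINT(insn, op) (((insn) & ~(0x7fu << 5)) == A64_HINT_BASE && \
			   (((insn) >> 5) & 0x7f) == (op))
#define A64_RET_LR 0xd65f03c0u	/* ret */

enum { HINT_NOP = 0, HINT_PACIASP = 25, HINT_AUTIASP = 29, HINT_BTI_C = 34,
       HINT_BTI_J = 36 };	/* AARCH64_INSN_HINT_* >> 5 in the kernel */

struct jit_cfg {
	bool pac;	/* CONFIG_ARM64_PTR_AUTH_KERNEL */
	bool bti;	/* CONFIG_ARM64_BTI_KERNEL */
};

/*
 * 0 if the image matches the configuration, otherwise: 1 image too short,
 * 2 wrong entry instruction, 3 no BTI J at the tail call entry, 4 no trailing
 * ret, 5 ret not preceded by AUTIASP.
 */
int check_jit_image(const uint32_t *code, size_t n, struct jit_cfg cfg)
{
	/* PROLOGUE_OFFSET as in the patch: +1 for PACIASP or BTI C */
	size_t off = (cfg.pac || cfg.bti) ? 8 : 7;

	if (n < off + 2)
		return 1;
	/* PACIASP is itself a BTI C landing pad, so a PAC kernel emits only it */
	if (cfg.pac && !IS_HINT(code[0], HINT_PACIASP))
		return 2;
	if (!cfg.pac && cfg.bti && !IS_HINT(code[0], HINT_BTI_C))
		return 2;
	/* tail calls enter at code[off] with BR, which needs its own BTI J */
	if (cfg.bti && !IS_HINT(code[off], HINT_BTI_J))
		return 3;
	if (code[n - 1] != A64_RET_LR)
		return 4;
	/* LR has been popped by now, so SP is back at its PACIASP-time value */
	if (cfg.pac && !IS_HINT(code[n - 2], HINT_AUTIASP))
		return 5;
	return 0;
}

/* Constructed image following the patch's prologue/epilogue layout; the
 * callee-saved register choice and x7 as BPF R0 are assumed, not verified. */
static const uint32_t sample_image[] = {
	A64_HINT(HINT_PACIASP),	/* paciasp  (sign lr; counted in the offset) */
	0xa9bf7bfd,		/* stp x29, x30, [sp, #-16]! */
	0x910003fd,		/* mov x29, sp */
	0xa9bf53f3,		/* stp x19, x20, [sp, #-16]! */
	0xa9bf5bf5,		/* stp x21, x22, [sp, #-16]! */
	0xa9bf6bf9,		/* stp x25, x26, [sp, #-16]! */
	0x910003f9,		/* mov x25, sp */
	0xd280001a,		/* mov x26, #0  (tail call count) */
	A64_HINT(HINT_BTI_J),	/* bti j    (index 8: tail call entry) */
	0xd2800007,		/* mov x7, #0   (stand-in program body) */
	0xa8c16bf9,		/* ldp x25, x26, [sp], #16 */
	0xa8c15bf5,		/* ldp x21, x22, [sp], #16 */
	0xa8c153f3,		/* ldp x19, x20, [sp], #16 */
	0xa8c17bfd,		/* ldp x29, x30, [sp], #16 */
	0xaa0703e0,		/* mov x0, x7 */
	A64_HINT(HINT_AUTIASP),	/* autiasp  (authenticate lr) */
	A64_RET_LR,		/* ret */
};
#define SAMPLE_LEN (sizeof(sample_image) / sizeof(sample_image[0]))

/* Check the sample, optionally with one word overwritten first (idx < 0 for
 * none), e.g. BTI C at index 0 to model a pre-patch JIT, or NOP at 15. */
int check_sample(int idx, uint32_t insn, bool pac, bool bti)
{
	uint32_t copy[SAMPLE_LEN];
	struct jit_cfg cfg = { .pac = pac, .bti = bti };

	memcpy(copy, sample_image, sizeof(copy));
	if (idx >= 0)
		copy[idx] = insn;
	return check_jit_image(copy, SAMPLE_LEN, cfg);
}

int main(void)
{
	printf("pac+bti image:            %d\n", check_sample(-1, 0, true, true));
	printf("autiasp replaced by nop:  %d\n",
	       check_sample(15, A64_HINT(HINT_NOP), true, true));
	printf("pre-patch image, PAC cfg: %d\n",
	       check_sample(0, A64_HINT(HINT_BTI_C), true, true));
	return 0;
}
```

To run this against a live program instead of the constructed sample, feed check_jit_image() the instruction words of the image printed by `bpftool prog dump jited` with the `opcodes` keyword (each instruction is four little-endian bytes), with pac and bti set from the running kernel's config. A result of 2 on a kernel built with pointer authentication is the signature of an image produced by a JIT without this patch.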

* Re: [PATCH bpf-next] bpf, arm64: sign return address for jited code
  2022-03-18 10:29 [PATCH bpf-next] bpf, arm64: sign return address for jited code Xu Kuohai
@ 2022-04-01 20:22 ` Daniel Borkmann
  2022-04-02 15:06   ` Xu Kuohai
  0 siblings, 1 reply; 3+ messages in thread
From: Daniel Borkmann @ 2022-04-01 20:22 UTC (permalink / raw)
  To: Xu Kuohai, netdev, bpf, linux-arm-kernel, linux-kernel
  Cc: Alexei Starovoitov, Zi Shen Lim, Catalin Marinas, Will Deacon,
	Andrii Nakryiko, Martin KaFai Lau, Song Liu, Yonghong Song,
	John Fastabend, KP Singh

On 3/18/22 11:29 AM, Xu Kuohai wrote:
> Sign return address for jited code when the kernel is built with pointer
> authentication enabled.
> 
> 1. Sign lr with paciasp instruction before lr is pushed to stack. Since
>     paciasp acts like a landing pad for function entry, no need to insert
>     bti instruction before paciasp.
> 
> 2. Authenticate lr with autiasp instruction after lr is popped from stack.
> 
> Signed-off-by: Xu Kuohai <xukuohai@huawei.com>

This would need a rebase, but please also use the commit description to provide
some more details on how this inter-operates wrt BPF infra such as tail calls and
BPF-2-BPF calls when we look back into this in a few months from now.

Thanks,
Daniel


* Re: [PATCH bpf-next] bpf, arm64: sign return address for jited code
  2022-04-01 20:22 ` Daniel Borkmann
@ 2022-04-02 15:06   ` Xu Kuohai
  0 siblings, 0 replies; 3+ messages in thread
From: Xu Kuohai @ 2022-04-02 15:06 UTC (permalink / raw)
  To: Daniel Borkmann, netdev, bpf, linux-arm-kernel, linux-kernel
  Cc: Alexei Starovoitov, Zi Shen Lim, Catalin Marinas, Will Deacon,
	Andrii Nakryiko, Martin KaFai Lau, Song Liu, Yonghong Song,
	John Fastabend, KP Singh

On 4/2/2022 4:22 AM, Daniel Borkmann wrote:
> On 3/18/22 11:29 AM, Xu Kuohai wrote:
>> Sign return address for jited code when the kernel is built with pointer
>> authentication enabled.
>>
>> 1. Sign lr with paciasp instruction before lr is pushed to stack. Since
>>     paciasp acts like a landing pad for function entry, no need to insert
>>     bti instruction before paciasp.
>>
>> 2. Authenticate lr with autiasp instruction after lr is popped from stack.
>>
>> Signed-off-by: Xu Kuohai <xukuohai@huawei.com>
> 
> This would need a rebase, but please also use the commit description to
> provide some more details on how this inter-operates wrt BPF infra such as
> tail calls and BPF-2-BPF calls when we look back into this in a few months
> from now.
> 
> Thanks,
> Daniel

Updated in v2, thanks.


