Commit b27a9f41 authored by Daniel Kiss's avatar Daniel Kiss Committed by Will Deacon
Browse files

arm64: Add ARM64_PTR_AUTH_KERNEL config option 



This patch add the ARM64_PTR_AUTH_KERNEL config and deals with the
build aspect of it.

Userspace support has no dependency on the toolchain therefore all
toolchain checks and build flags are controlled the new config
option.
The default config behavior will not be changed.

Signed-off-by: default avatarDaniel Kiss <daniel.kiss@arm.com>
Acked-by: default avatarWill Deacon <will@kernel.org>
Reviewed-by: default avatarCatalin Marinas <catalin.marinas@arm.com>
Link: https://lore.kernel.org/r/20210613092632.93591-2-daniel.kiss@arm.com


Signed-off-by: default avatarWill Deacon <will@kernel.org>
parent c4681547

arch/arm64/Kconfig

+19 −14
Original line number Diff line number Diff line
@@ -1481,12 +1481,6 @@ menu "ARMv8.3 architectural features" 
config ARM64_PTR_AUTH

	bool "Enable support for pointer authentication"

	default y

	depends on (CC_HAS_SIGN_RETURN_ADDRESS || CC_HAS_BRANCH_PROT_PAC_RET) && AS_HAS_PAC

	# Modern compilers insert a .note.gnu.property section note for PAC

	# which is only understood by binutils starting with version 2.33.1.

	depends on LD_IS_LLD || LD_VERSION >= 23301 || (CC_IS_GCC && GCC_VERSION < 90100)

	depends on !CC_IS_CLANG || AS_HAS_CFI_NEGATE_RA_STATE

	depends on (!FUNCTION_GRAPH_TRACER || DYNAMIC_FTRACE_WITH_REGS)

	help

	  Pointer authentication (part of the ARMv8.3 Extensions) provides

	  instructions for signing and authenticating pointers against secret
@@ -1498,13 +1492,6 @@ config ARM64_PTR_AUTH 
	  for each process at exec() time, with these keys being

	  context-switched along with the process.



	  If the compiler supports the -mbranch-protection or

	  -msign-return-address flag (e.g. GCC 7 or later), then this option

	  will also cause the kernel itself to be compiled with return address

	  protection. In this case, and if the target hardware is known to

	  support pointer authentication, then CONFIG_STACKPROTECTOR can be

	  disabled with minimal loss of protection.



	  The feature is detected at runtime. If the feature is not present in

	  hardware it will not be advertised to userspace/KVM guest nor will it

	  be enabled.
@@ -1515,6 +1502,24 @@ config ARM64_PTR_AUTH 
	  but with the feature disabled. On such a system, this option should

	  not be selected.



config ARM64_PTR_AUTH_KERNEL

	bool

	default y

	depends on ARM64_PTR_AUTH

	depends on (CC_HAS_SIGN_RETURN_ADDRESS || CC_HAS_BRANCH_PROT_PAC_RET) && AS_HAS_PAC

	# Modern compilers insert a .note.gnu.property section note for PAC

	# which is only understood by binutils starting with version 2.33.1.

	depends on LD_IS_LLD || LD_VERSION >= 23301 || (CC_IS_GCC && GCC_VERSION < 90100)

	depends on !CC_IS_CLANG || AS_HAS_CFI_NEGATE_RA_STATE

	depends on (!FUNCTION_GRAPH_TRACER || DYNAMIC_FTRACE_WITH_REGS)

	help

	  If the compiler supports the -mbranch-protection or

	  -msign-return-address flag (e.g. GCC 7 or later), then this option

	  will cause the kernel itself to be compiled with return address

	  protection. In this case, and if the target hardware is known to

	  support pointer authentication, then CONFIG_STACKPROTECTOR can be

	  disabled with minimal loss of protection.



	  This feature works with FUNCTION_GRAPH_TRACER option only if

	  DYNAMIC_FTRACE_WITH_REGS is enabled.
@@ -1606,7 +1611,7 @@ config ARM64_BTI_KERNEL 
	bool "Use Branch Target Identification for kernel"

	default y

	depends on ARM64_BTI

	depends on ARM64_PTR_AUTH

	depends on ARM64_PTR_AUTH_KERNEL

	depends on CC_HAS_BRANCH_PROT_PAC_RET_BTI

	# https://gcc.gnu.org/bugzilla/show_bug.cgi?id=94697

	depends on !CC_IS_GCC || GCC_VERSION >= 100100

arch/arm64/Makefile

+1 −1
Original line number Diff line number Diff line
@@ -70,7 +70,7 @@ endif 
# off, this will be overridden if we are using branch protection.

branch-prot-flags-y += $(call cc-option,-mbranch-protection=none)



ifeq ($(CONFIG_ARM64_PTR_AUTH),y)

ifeq ($(CONFIG_ARM64_PTR_AUTH_KERNEL),y)

branch-prot-flags-$(CONFIG_CC_HAS_SIGN_RETURN_ADDRESS) := -msign-return-address=all

# We enable additional protection for leaf functions as there is some

# narrow potential for ROP protection benefits and no substantial

arch/arm64/kernel/asm-offsets.c

+2 −0
Original line number Diff line number Diff line
@@ -46,6 +46,8 @@ int main(void) 
  DEFINE(THREAD_SCTLR_USER,	offsetof(struct task_struct, thread.sctlr_user));

#ifdef CONFIG_ARM64_PTR_AUTH

  DEFINE(THREAD_KEYS_USER,	offsetof(struct task_struct, thread.keys_user));

#endif

#ifdef CONFIG_ARM64_PTR_AUTH_KERNEL

  DEFINE(THREAD_KEYS_KERNEL,	offsetof(struct task_struct, thread.keys_kernel));

#endif

#ifdef CONFIG_ARM64_MTE

drivers/misc/lkdtm/bugs.c

+3 −3
Original line number Diff line number Diff line
@@ -463,7 +463,7 @@ void lkdtm_DOUBLE_FAULT(void) 
#ifdef CONFIG_ARM64

static noinline void change_pac_parameters(void)

{

	if (IS_ENABLED(CONFIG_ARM64_PTR_AUTH)) {

	if (IS_ENABLED(CONFIG_ARM64_PTR_AUTH_KERNEL)) {

		/* Reset the keys of current task */

		ptrauth_thread_init_kernel(current);

		ptrauth_thread_switch_kernel(current);
@@ -477,8 +477,8 @@ noinline void lkdtm_CORRUPT_PAC(void) 
#define CORRUPT_PAC_ITERATE	10

	int i;



	if (!IS_ENABLED(CONFIG_ARM64_PTR_AUTH))

		pr_err("FAIL: kernel not built with CONFIG_ARM64_PTR_AUTH\n");

	if (!IS_ENABLED(CONFIG_ARM64_PTR_AUTH_KERNEL))

		pr_err("FAIL: kernel not built with CONFIG_ARM64_PTR_AUTH_KERNEL\n");



	if (!system_supports_address_auth()) {

		pr_err("FAIL: CPU lacks pointer authentication feature\n");