2020-08-31 11:24:49

by Boyan Karatotev

Subject: [PATCH v2 0/4] kselftests/arm64: add PAuth tests

Pointer Authentication (PAuth) is a security feature introduced in ARMv8.3.
It introduces instructions to sign addresses and later check for potential
corruption using a second modifier value and one of a set of keys. The
signature, in the form of the Pointer Authentication Code (PAC), is stored
in some of the top unused bits of the virtual address (e.g. [54: 49] if
TBID0 is enabled and TnSZ is set to use a 48 bit VA space). A set of
controls are present to enable/disable groups of instructions (which use
certain keys) for compatibility with libraries that do not utilize the
feature. PAuth is used to verify the integrity of return addresses on the
stack with less memory than the stack canary.

This patchset adds kselftests to verify the kernel's configuration of the
feature and its runtime behaviour. There are 7 tests which verify that:
* an authentication failure leads to a SIGSEGV
* the data/instruction instruction groups are enabled
* the generic instructions are enabled
* all 5 keys are unique for a single thread
* exec() changes all keys to new unique ones
* context switching preserves the 4 data/instruction keys
* context switching preserves the generic keys

The tests have been verified to work on qemu without a working PAUTH
Implementation and on ARM's FVP with a full or partial PAuth
implementation.

Changes in v2:
* remove extra lines at end of files
* Patch 1: "kselftests: add a basic arm64 Pointer Authentication test"
  * add checks for a compatible compiler in Makefile
* Patch 4: "kselftests: add PAuth tests for single threaded consistency and
  key uniqueness"
  * rephrase comment for clarity in pac.c

Cc: Shuah Khan <[email protected]>
Cc: Catalin Marinas <[email protected]>
Cc: Will Deacon <[email protected]>
Reviewed-by: Vincenzo Frascino <[email protected]>
Reviewed-by: Amit Daniel Kachhap <[email protected]>
Signed-off-by: Boyan Karatotev <[email protected]>

Boyan Karatotev (4):
kselftests/arm64: add a basic Pointer Authentication test
kselftests/arm64: add nop checks for PAuth tests
kselftests/arm64: add PAuth test for whether exec() changes keys
kselftests/arm64: add PAuth tests for single threaded consistency and
key uniqueness

tools/testing/selftests/arm64/Makefile | 2 +-
.../testing/selftests/arm64/pauth/.gitignore | 2 +
tools/testing/selftests/arm64/pauth/Makefile | 39 ++
.../selftests/arm64/pauth/exec_target.c | 35 ++
tools/testing/selftests/arm64/pauth/helper.c | 40 ++
tools/testing/selftests/arm64/pauth/helper.h | 29 ++
tools/testing/selftests/arm64/pauth/pac.c | 348 ++++++++++++++++++
.../selftests/arm64/pauth/pac_corruptor.S | 35 ++
8 files changed, 529 insertions(+), 1 deletion(-)
create mode 100644 tools/testing/selftests/arm64/pauth/.gitignore
create mode 100644 tools/testing/selftests/arm64/pauth/Makefile
create mode 100644 tools/testing/selftests/arm64/pauth/exec_target.c
create mode 100644 tools/testing/selftests/arm64/pauth/helper.c
create mode 100644 tools/testing/selftests/arm64/pauth/helper.h
create mode 100644 tools/testing/selftests/arm64/pauth/pac.c
create mode 100644 tools/testing/selftests/arm64/pauth/pac_corruptor.S

--
2.17.1
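
A software model of the sign/authenticate cycle the cover letter describes, added here as an illustration and not taken from the patch series. The PAC field uses the cover letter's example bits [54:49]; `mix64`, the function names and all key and pointer values are constructed stand-ins for the hardware PAC algorithm and kernel-managed keys, and `keys_differ` shows why a key-uniqueness check over so narrow a field has to compare several signed values.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumed layout: the cover letter's example PAC field, bits [54:49]. */
#define PAC_MASK (UINT64_C(0x3f) << 49)

/* Stand-in keyed mixer (splitmix64 finalizer), not the hardware PAC algorithm. */
static uint64_t mix64(uint64_t x)
{
	x ^= x >> 30; x *= UINT64_C(0xbf58476d1ce4e5b9);
	x ^= x >> 27; x *= UINT64_C(0x94d049bb133111eb);
	return x ^ (x >> 31);
}

/* Sign: compute a PAC over (address, modifier, key) and store it in the top bits. */
uint64_t pac_sign(uint64_t ptr, uint64_t mod, uint64_t key)
{
	uint64_t addr = ptr & ~PAC_MASK;
	return addr | (mix64(mix64(addr ^ key) + mod) & PAC_MASK);
}

/* Authenticate: re-sign the stripped address; 1 and *out set on match, else 0. */
int pac_auth(uint64_t signed_ptr, uint64_t mod, uint64_t key, uint64_t *out)
{
	if (pac_sign(signed_ptr, mod, key) != signed_ptr)
		return 0;
	*out = signed_ptr & ~PAC_MASK;
	return 1;
}

/* A 6-bit PAC collides by chance, so compare several signed values per key pair. */
int keys_differ(uint64_t key_a, uint64_t key_b, int attempts)
{
	for (int i = 0; i < attempts; i++) {
		uint64_t v = UINT64_C(0x0000aaaabbbb0000) + (uint64_t)i * 16;
		if (pac_sign(v, 0, key_a) != pac_sign(v, 0, key_b))
			return 1;
	}
	return 0;
}

int main(void)
{
	uint64_t key = UINT64_C(0x0123456789abcdef), out = 0; /* constructed key */
	uint64_t s = pac_sign(UINT64_C(0x0000ffffb7a01230), 42, key);
	printf("intact=%d corrupted=%d\n", pac_auth(s, 42, key, &out),
	       pac_auth(s ^ PAC_MASK, 42, key, &out));
	return 0;
}
```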


2020-08-31 22:58:00

by Shuah Khan

Subject: Re: [PATCH v2 0/4] kselftests/arm64: add PAuth tests

On 8/31/20 5:04 AM, Boyan Karatotev wrote:
> Pointer Authentication (PAuth) is a security feature introduced in ARMv8.3.
> It introduces instructions to sign addresses and later check for potential
> corruption using a second modifier value and one of a set of keys. The
> signature, in the form of the Pointer Authentication Code (PAC), is stored
> in some of the top unused bits of the virtual address (e.g. [54: 49] if
> TBID0 is enabled and TnSZ is set to use a 48 bit VA space). A set of
> controls are present to enable/disable groups of instructions (which use
> certain keys) for compatibility with libraries that do not utilize the
> feature. PAuth is used to verify the integrity of return addresses on the
> stack with less memory than the stack canary.
>
> This patchset adds kselftests to verify the kernel's configuration of the
> feature and its runtime behaviour. There are 7 tests which verify that:
> * an authentication failure leads to a SIGSEGV
> * the data/instruction instruction groups are enabled
> * the generic instructions are enabled
> * all 5 keys are unique for a single thread
> * exec() changes all keys to new unique ones
> * context switching preserves the 4 data/instruction keys
> * context switching preserves the generic keys
>
> The tests have been verified to work on qemu without a working PAUTH
> Implementation and on ARM's FVP with a full or partial PAuth
> implementation.
>
> Changes in v2:
> * remove extra lines at end of files
> * Patch 1: "kselftests: add a basic arm64 Pointer Authentication test"
>   * add checks for a compatible compiler in Makefile
> * Patch 4: "kselftests: add PAuth tests for single threaded consistency and
>   key uniqueness"
>   * rephrase comment for clarity in pac.c
>
> Cc: Shuah Khan <[email protected]>
> Cc: Catalin Marinas <[email protected]>
> Cc: Will Deacon <[email protected]>
> Reviewed-by: Vincenzo Frascino <[email protected]>
> Reviewed-by: Amit Daniel Kachhap <[email protected]>
> Signed-off-by: Boyan Karatotev <[email protected]>
>
> Boyan Karatotev (4):
> kselftests/arm64: add a basic Pointer Authentication test
> kselftests/arm64: add nop checks for PAuth tests
> kselftests/arm64: add PAuth test for whether exec() changes keys
> kselftests/arm64: add PAuth tests for single threaded consistency and
> key uniqueness
>
> tools/testing/selftests/arm64/Makefile | 2 +-
> .../testing/selftests/arm64/pauth/.gitignore | 2 +
> tools/testing/selftests/arm64/pauth/Makefile | 39 ++
> .../selftests/arm64/pauth/exec_target.c | 35 ++
> tools/testing/selftests/arm64/pauth/helper.c | 40 ++
> tools/testing/selftests/arm64/pauth/helper.h | 29 ++
> tools/testing/selftests/arm64/pauth/pac.c | 348 ++++++++++++++++++
> .../selftests/arm64/pauth/pac_corruptor.S | 35 ++
> 8 files changed, 529 insertions(+), 1 deletion(-)
> create mode 100644 tools/testing/selftests/arm64/pauth/.gitignore
> create mode 100644 tools/testing/selftests/arm64/pauth/Makefile
> create mode 100644 tools/testing/selftests/arm64/pauth/exec_target.c
> create mode 100644 tools/testing/selftests/arm64/pauth/helper.c
> create mode 100644 tools/testing/selftests/arm64/pauth/helper.h
> create mode 100644 tools/testing/selftests/arm64/pauth/pac.c
> create mode 100644 tools/testing/selftests/arm64/pauth/pac_corruptor.S
>
> --
> 2.17.1
>
>

Will, Catalin,

Patches look good to me from selftests perspective. My acked by
for these patches to go through arm64.

Acked-by: Shuah Khan <[email protected]>

If you would like me to take these through kselftest tree, give
me your Acks. I can queue these up for 5.10-rc1

thanks,
-- Shuah


2020-09-11 18:17:07

by Will Deacon

Subject: Re: [PATCH v2 0/4] kselftests/arm64: add PAuth tests

On Mon, Aug 31, 2020 at 12:04:46PM +0100, Boyan Karatotev wrote:
> Pointer Authentication (PAuth) is a security feature introduced in ARMv8.3.
> It introduces instructions to sign addresses and later check for potential
> corruption using a second modifier value and one of a set of keys. The
> signature, in the form of the Pointer Authentication Code (PAC), is stored
> in some of the top unused bits of the virtual address (e.g. [54: 49] if
> TBID0 is enabled and TnSZ is set to use a 48 bit VA space). A set of
> controls are present to enable/disable groups of instructions (which use
> certain keys) for compatibility with libraries that do not utilize the
> feature. PAuth is used to verify the integrity of return addresses on the
> stack with less memory than the stack canary.

Any chance of a v3 addressing the couple of small comments from Dave on
the third patch, please? Then I can pick up the whole lot for 5.10.

Cheers,

Will

2020-09-14 12:33:04

by Vincenzo Frascino

Subject: Re: [PATCH v2 0/4] kselftests/arm64: add PAuth tests

Hi Will,

On 9/11/20 7:15 PM, Will Deacon wrote:
> On Mon, Aug 31, 2020 at 12:04:46PM +0100, Boyan Karatotev wrote:
>> Pointer Authentication (PAuth) is a security feature introduced in ARMv8.3.
>> It introduces instructions to sign addresses and later check for potential
>> corruption using a second modifier value and one of a set of keys. The
>> signature, in the form of the Pointer Authentication Code (PAC), is stored
>> in some of the top unused bits of the virtual address (e.g. [54: 49] if
>> TBID0 is enabled and TnSZ is set to use a 48 bit VA space). A set of
>> controls are present to enable/disable groups of instructions (which use
>> certain keys) for compatibility with libraries that do not utilize the
>> feature. PAuth is used to verify the integrity of return addresses on the
>> stack with less memory than the stack canary.
>
> Any chance of a v3 addressing the couple of small comments from Dave on
> the third patch, please? Then I can pick up the whole lot for 5.10.
>

Boyan is on it. Thank you.

> Cheers,
>
> Will
>

--
Regards,
Vincenzo