In-Reply-To: <20181019112404.GD14246@arm.com>
References: <20181005084754.20950-1-kristina.martsenko@arm.com> <20181005084754.20950-8-kristina.martsenko@arm.com> <20181019111542.6wrvjguirglzg7vg@mbp> <20181019112404.GD14246@arm.com>
From: Kees Cook
Date: Fri, 19 Oct 2018 08:36:45 -0700
Subject: Re: [PATCH v5 07/17] arm64: add basic pointer authentication support
To: Will Deacon
Cc: Catalin Marinas, Kristina Martsenko, linux-arm-kernel, Mark Rutland, linux-arch, Andrew Jones, Jacob Bramley, Arnd Bergmann, Ard Biesheuvel, Marc Zyngier, Adam Wallis, Suzuki K. Poulose, Christoffer Dall, kvmarm@lists.cs.columbia.edu, Ramana Radhakrishnan, Amit Kachhap, Dave P Martin, LKML, Cyrill Gorcunov
X-Mailing-List: linux-kernel@vger.kernel.org

On Fri, Oct 19, 2018 at 4:24 AM, Will Deacon wrote:
> [+Cyrill Gorcunov for CRIU stuff]
>
> On Fri, Oct 19, 2018 at 12:15:43PM +0100, Catalin Marinas wrote:
>> On Fri, Oct 05, 2018 at 09:47:44AM +0100, Kristina Martsenko wrote:
>> > diff --git a/arch/arm64/include/asm/pointer_auth.h b/arch/arm64/include/asm/pointer_auth.h >> > new file mode 100644 >> > index 000000000000..2aefedc31d9e >> > --- /dev/null >> > +++ b/arch/arm64/include/asm/pointer_auth.h >> > @@ -0,0 +1,63 @@ >> > +// SPDX-License-Identifier: GPL-2.0 >> > +#ifndef __ASM_POINTER_AUTH_H >> > +#define __ASM_POINTER_AUTH_H >> > + >> > +#include >> > + >> > +#include >> > +#include >> > + >> > +#ifdef CONFIG_ARM64_PTR_AUTH >> > +/* >> > + * Each key is a 128-bit quantity which is split across a pair of 64-bit >> > + * registers (Lo and Hi). >> > + */ >> > +struct ptrauth_key { >> > + unsigned long lo, hi; >> > +}; >> > + >> > +/* >> > + * We give each process its own instruction A key (APIAKey), which is shared by >> > + * all threads. This is inherited upon fork(), and reinitialised upon exec*(). >> > + * All other keys are currently unused, with APIBKey, APDAKey, and APBAKey >> > + * instructions behaving as NOPs. >> > + */
>>
>> I don't remember the past discussions but I assume the tools guys are ok
>> with a single key shared by multiple threads. Ramana, could you ack this
>> part, FTR?
>>
>> (and it would help if someone from the Android and Chrome camps can
>> confirm)
>
> FWIW: I think we should be entertaining a prctl() interface to use a new
> key on a per-thread basis. Obviously, this would need to be used with care
> (e.g. you'd fork(); use the prctl() and then you'd better not return from
> the calling function!).
>
> Assuming we want this (Kees -- I was under the impression that everything in
> Android would end up with the same key otherwise?), then the question is
> do we want:
>
> - prctl() get/set operations for the key, or
> - prctl() set_random_key operation, or
> - both of the above?
>
> Part of the answer to that may lie in the requirements of CRIU, where I
> strongly suspect they need explicit get/set operations, although these
> could be gated on CONFIG_CHECKPOINT_RESTORE=y.

Oh CRIU. Yikes. I'd like the get/set to be gated by the CONFIG, yes. No
reason to allow explicit access to the key (and selected algo) if we don't
have to.
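Review bot: the key list in the second comment of this hunk names a key that does not exist. The ARMv8.3 pointer-authentication keys are APIAKey, APIBKey, APDAKey, APDBKey and APGAKey, so "All other keys are currently unused, with APIBKey, APDAKey, and APBAKey" should read "APIBKey, APDAKey, APDBKey, and APGAKey" (the data B key is misspelt and the generic key is left out). Minor: a kernel header carries its licence tag as `/* SPDX-License-Identifier: GPL-2.0 */`; the `//` form in the first added line is the convention for .c files.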
As for per-thread or not, having a "pick a new key now" prctl() sounds good,
but I'd like to have an eye toward having it just be "automatic" on clone().

-Kees

--
Kees Cook
Pixel Security
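The key lifecycle stated in the quoted header comment (one APIAKey per process, shared by its threads, inherited on fork() and reinitialised on exec*()), together with Will's warning that a thread which picks a new key must not return from the calling function, modelled as an added example. This is not kernel or project code: compute_pac() is a toy keyed mixing function standing in for the architectural PAC cipher, the PAC bit layout is simplified, and struct task, ptrauth_on_fork(), ptrauth_on_exec(), the PRNG and the sample pointer values are hypothetical.

```c
#include <stdbool.h>
#include <stdint.h>

/* Each key is a 128-bit quantity split across two 64-bit halves, as in the patch. */
struct ptrauth_key { uint64_t lo, hi; };

/* Hypothetical per-task state; only the instruction A key is modelled. */
struct task { struct ptrauth_key apia; };

/* Simplified layout (assumption): with 48-bit VAs the PAC fills bits 48..63.
 * Real hardware excludes bit 55 (TTBR select) and, with TBI, the top byte. */
#define VA_BITS  48
#define PAC_MASK (~((UINT64_C(1) << VA_BITS) - 1))

/* Deterministic stand-in for get_random_bytes() so the scenarios are repeatable. */
static uint64_t prng_state = UINT64_C(0x9E3779B97F4A7C15);

static uint64_t prng_next(void)
{
	uint64_t x = prng_state;
	x ^= x << 13; x ^= x >> 7; x ^= x << 17;
	return prng_state = x;
}

static void ptrauth_keys_init(struct task *t)
{
	t->apia.lo = prng_next();
	t->apia.hi = prng_next();
}

/* fork(): the child inherits the parent's key unchanged. */
static void ptrauth_on_fork(struct task *child, const struct task *parent) { child->apia = parent->apia; }

/* exec*(): a fresh key, so nothing signed before the exec authenticates after it. */
static void ptrauth_on_exec(struct task *t) { ptrauth_keys_init(t); }

/* Toy PAC over (pointer, modifier, key), truncated to the PAC field. */
static uint64_t compute_pac(uint64_t ptr, uint64_t modifier, const struct ptrauth_key *k)
{
	uint64_t h = (ptr & ~PAC_MASK) ^ k->lo;
	h = (h ^ (h >> 29)) * UINT64_C(0xBF58476D1CE4E5B9);
	h ^= modifier ^ k->hi;
	h = (h ^ (h >> 32)) * UINT64_C(0x94D049BB133111EB);
	return (h ^ (h >> 29)) & PAC_MASK;
}

/* pacia-style: sign a user-space pointer by placing the PAC in its upper bits. */
static uint64_t pac_sign(uint64_t ptr, uint64_t modifier, const struct task *t)
{
	ptr &= ~PAC_MASK;
	return ptr | compute_pac(ptr, modifier, &t->apia);
}

/* autia-style: strip the PAC and verify it. Hardware hands back a pointer that
 * faults on use when the check fails; here the outcome is reported through *ok. */
static uint64_t pac_auth(uint64_t signed_ptr, uint64_t modifier, const struct task *t, bool *ok)
{
	uint64_t ptr = signed_ptr & ~PAC_MASK;
	*ok = (signed_ptr & PAC_MASK) == compute_pac(ptr, modifier, &t->apia);
	return ptr;
}

/* Constructed sample values: a code address and the stack pointer used as modifier. */
#define SAMPLE_PTR UINT64_C(0x0000aaaabbbbccc0)
#define SAMPLE_SP  UINT64_C(0x0000ffff7fff0000)

/* 1. fork(): a pointer signed by the parent authenticates in the child. */
static bool forked_child_authenticates_parent_pointer(void)
{
	struct task parent, child;
	bool ok;
	ptrauth_keys_init(&parent);
	uint64_t signed_ptr = pac_sign(SAMPLE_PTR, SAMPLE_SP, &parent);
	ptrauth_on_fork(&child, &parent);
	return pac_auth(signed_ptr, SAMPLE_SP, &child, &ok) == SAMPLE_PTR && ok;
}

/* 2. exec*(): the reinitialised key rejects a pointer signed under the old one. */
static bool pointer_rejected_after_exec(void)
{
	struct task t;
	bool ok;
	ptrauth_keys_init(&t);
	uint64_t signed_ptr = pac_sign(SAMPLE_PTR, SAMPLE_SP, &t);
	ptrauth_on_exec(&t);
	pac_auth(signed_ptr, SAMPLE_SP, &t, &ok);
	return !ok;
}

/* 3. The per-thread "new key" caveat: a return address signed at function entry
 * (paciasp) fails the check at return (autiasp) if the key was swapped in between. */
static bool rekey_invalidates_pending_return(void)
{
	struct task t;
	bool ok;
	ptrauth_keys_init(&t);
	uint64_t signed_lr = pac_sign(SAMPLE_PTR, SAMPLE_SP, &t); /* paciasp on entry */
	ptrauth_keys_init(&t);                                    /* prctl() picks a new key */
	pac_auth(signed_lr, SAMPLE_SP, &t, &ok);                  /* autiasp before ret */
	return !ok;
}
```

Each scenario function returns true when the model behaves as the header comment and the thread describe. Scenario 3 is the reason a per-thread "pick a new key now" prctl() is only safe at the top of a call chain: every return address already signed on the stack was signed under the old key, so the first function that returns through an autiasp after the switch fails its check.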