From: Kees Cook
Date: Fri, 19 Oct 2018 09:05:57 -0700
Subject: Re: [PATCH v5 07/17] arm64: add basic pointer authentication support
To: Will Deacon
Cc: Catalin Marinas, Kristina Martsenko, linux-arm-kernel, Mark Rutland, linux-arch, Andrew Jones, Jacob Bramley, Arnd Bergmann, Ard Biesheuvel, Marc Zyngier, Adam Wallis, Suzuki K. Poulose, Christoffer Dall, kvmarm@lists.cs.columbia.edu, Ramana Radhakrishnan, Amit Kachhap, Dave P Martin, LKML, Cyrill Gorcunov
In-Reply-To: <20181019154948.GD16771@arm.com>
References: <20181005084754.20950-1-kristina.martsenko@arm.com> <20181005084754.20950-8-kristina.martsenko@arm.com> <20181019111542.6wrvjguirglzg7vg@mbp> <20181019112404.GD14246@arm.com> <20181019154948.GD16771@arm.com>
List-ID: linux-kernel@vger.kernel.org

On Fri, Oct 19, 2018 at 8:49 AM, Will Deacon wrote:
> On Fri, Oct 19, 2018 at 08:36:45AM -0700, Kees Cook wrote:
>> On Fri, Oct 19, 2018 at 4:24 AM, Will Deacon wrote:
>> > FWIW: I think we should be entertaining a prctl() interface to use a new
>> > key on a per-thread basis. Obviously, this would need to be used with care
>> > (e.g. you'd fork(); use the prctl() and then you'd better not return from
>> > the calling function!).
>> >
>> > Assuming we want this (Kees -- I was under the impression that everything in
>> > Android would end up with the same key otherwise?), then the question is
>> > do we want:
>> >
>> > - prctl() get/set operations for the key, or
>> > - prctl() set_random_key operation, or
>> > - both of the above?
>> >
>> > Part of the answer to that may lie in the requirements of CRIU, where I
>> > strongly suspect they need explicit get/set operations, although these
>> > could be gated on CONFIG_CHECKPOINT_RESTORE=y.
>>
>> Oh CRIU. Yikes. I'd like the get/set to be gated by the CONFIG, yes.
>> No reason to allow explicit access to the key (and selected algo) if
>> we don't have to.
>
> Makes sense.
>
>> As for per-thread or not, having a "pick a new key now" prctl() sounds
>> good, but I'd like to have an eye toward having it just be "automatic"
>> on clone().
>
> I thought about that too, but we're out of clone() flags afaict and there's
> no arch hook in there. We could add yet another clone syscall, but yuck (and
> I reckon viro would kill us).
>
> Or are you saying that we could infer the behaviour from the existing set
> of flags?
I mean if it's starting a new thread, it should get a new key
automatically, just like the ssp canary happens in dup_task_struct().
(Or did I miss some context for why that's not possible?)

-Kees

--
Kees Cook
Pixel Security
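The key lifetime rules under discussion, written out as a user-space C model added here (it is not code from the patch series, the kernel, or any of the participants): a new thread draws a fresh key at creation, a fork()ed child keeps the parent's key so it can still return through frames that were signed before the fork, and changing the key via a "set_random_key" operation and then returning from the calling function fails authentication, which is the hazard Will points out. The task structure, the `MODEL_CLONE_THREAD` flag, the seeded xorshift entropy source and the toy MAC are all this example's own assumptions; the real architecture packs the PAC into the unused high pointer bits and uses a block cipher, and the kernel draws keys from its CSPRNG.

```c
#include <stdint.h>
#include <stdio.h>

/* Model-only clone flag standing in for "this clone() creates a thread". */
#define MODEL_CLONE_THREAD 0x1u

/* Minimal stand-in for per-task state holding the instruction key.
 * The field name is this example's own, not the kernel's. */
struct model_task {
    uint64_t ia_key;
};

/* Placeholder entropy source: a seeded xorshift64, deterministic so the
 * example runs offline. A real implementation draws from the kernel CSPRNG.
 * Successive outputs are distinct (the generator's period is 2^64 - 1). */
static uint64_t rng_state = 0x243F6A8885A308D3ULL;

static uint64_t model_random_u64(void)
{
    uint64_t x = rng_state;
    x ^= x << 13;
    x ^= x >> 7;
    x ^= x << 17;
    rng_state = x;
    return x;
}

/* splitmix64 finaliser: a bijection on 64-bit values, so for a fixed
 * pointer and modifier two different keys can never produce the same PAC. */
static uint64_t mix64(uint64_t z)
{
    z = (z ^ (z >> 30)) * 0xBF58476D1CE4E5B9ULL;
    z = (z ^ (z >> 27)) * 0x94D049BB133111EBULL;
    return z ^ (z >> 31);
}

/* Toy pointer authentication: the PAC rides beside the pointer and the
 * MAC is the mixer above; only the key/modifier semantics are modelled. */
struct signed_ptr {
    uint64_t ptr;
    uint64_t pac;
};

static uint64_t toy_pac(uint64_t ptr, uint64_t modifier, uint64_t key)
{
    return mix64(ptr ^ key ^ (modifier * 0x9E3779B97F4A7C15ULL));
}

struct signed_ptr pac_sign(uint64_t ptr, uint64_t modifier, uint64_t key)
{
    struct signed_ptr s = { ptr, toy_pac(ptr, modifier, key) };
    return s;
}

/* Returns 0 when the PAC verifies under `key` and `modifier`, -1 otherwise. */
int pac_auth(struct signed_ptr s, uint64_t modifier, uint64_t key)
{
    return toy_pac(s.ptr, modifier, key) == s.pac ? 0 : -1;
}

/* Fresh process: the key is drawn once at creation. */
struct model_task task_init(void)
{
    struct model_task t;
    t.ia_key = model_random_u64();
    return t;
}

/* Model of the "automatic on clone()" behaviour proposed in the thread:
 * copy the parent, then replace the key only when a new thread is created.
 * A fork()ed child keeps the parent's key because it returns through
 * user frames that were signed with that key. */
struct model_task dup_task(const struct model_task *parent, unsigned int flags)
{
    struct model_task child = *parent;
    if (flags & MODEL_CLONE_THREAD)
        child.ia_key = model_random_u64();
    return child;
}

/* Model of a prctl() "set_random_key" operation on the calling task. */
void task_set_random_key(struct model_task *t)
{
    t->ia_key = model_random_u64();
}

int main(void)
{
    struct model_task parent = task_init();
    uint64_t ret_addr = 0x0000AAAABBBB1000ULL;   /* constructed return address */
    uint64_t sp = 0x0000FFFFC0001000ULL;         /* constructed modifier (SP) */
    struct signed_ptr lr = pac_sign(ret_addr, sp, parent.ia_key);

    struct model_task child = dup_task(&parent, 0);
    struct model_task thread = dup_task(&parent, MODEL_CLONE_THREAD);
    printf("fork child authenticates parent's LR: %s\n",
           pac_auth(lr, sp, child.ia_key) == 0 ? "yes" : "no");
    printf("new thread authenticates parent's LR: %s\n",
           pac_auth(lr, sp, thread.ia_key) == 0 ? "yes" : "no");

    task_set_random_key(&child);   /* prctl() after fork(), then "return" */
    printf("child after set_random_key authenticates old LR: %s\n",
           pac_auth(lr, sp, child.ia_key) == 0 ? "yes" : "no");
    return 0;
}
```

The "no" in the last line of output is the failure mode Will describes: once the key has changed, every return address signed before the change is rejected, so a process that re-keys itself must never unwind into the frames that were live when it did.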