Received: by 2002:ac0:a582:0:0:0:0:0 with SMTP id m2-v6csp3359824imm;
        Fri, 19 Oct 2018 09:17:35 -0700 (PDT)
X-Google-Smtp-Source: ACcGV613qBn8g6Fy2Q3FOoPuP3h1lFySkWUMtCUQRWSX8XqUoMm0HFSkt3BiRoJnjqOa8SPxp3H+
X-Received: by 2002:a17:902:708b:: with SMTP id z11-v6mr35723369plk.151.1539965855431;
        Fri, 19 Oct 2018 09:17:35 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1539965855; cv=none;
        d=google.com; s=arc-20160816;
        b=WbFgt9+9JhFh2jWJlmCVIu6ObSepVpBEkGRmR8hDnOY7Wq+gJR6xR84ulXRC3rLgkZ
         TvSfVzU64eUT93Dy9GhAub3B1u5roIBazr32Ua3DOZhLe4s/VrCotJdMC4yXib8pE5vM
         G+rk2/jINV8RQ0ES077tg8Uyt2v1ltYrQ5DiIlpf7nACsZSwl/JFBgZBmTrg7OCp8Meb
         O4juBWnyOT1r4Jm1+PYkT3HXDlK2aPvjktCcSmqVwnT8TdSUWc2jBda6YRhCeoiuqH9x
         qclcAC6u9A7+RA3LdGZDe7FkfrOVPNQ0dZHFZDKBKvMQNmuzVn1Mk6oR9saqhZ6xjb7M
         kTLQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:user-agent:in-reply-to
         :content-disposition:mime-version:references:message-id:subject:cc
         :to:from:date;
        bh=3f9xn53Q+ImCsaePXBZI+mNylJq90xZ5ubA0bWyNb0I=;
        b=dSQSVG9rN3nxpHDF0Pd7N97vzYwFWoItuKCmGe818d+oa7azNIAyT+WFUe827Fc29y
         ERyJZ73zRImPsJAQogBE12DPFKhb2gaokefgFhP9g6T4reGWUhWoejwCi+xuBHgFY1GP
         f0g2RiiFDct3Z/DoDxu0DKmU5euVaq/6+cbX8OrgQU63P/bTOrgWUX3KvJcRDt0HTQay
         I9jXWjz5o0PA3gQsagE59r3GWu9XWz3tGvik0B86YT8xdiJsCzcbk90gbG7xXudyQCJf
         nmyEFWfsS7lwFW6KSkswPIJHNeAClUMDgNsTxx/RnUizJiAmgKV2bBVem1qkwBCyI7l2
         V3lw==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id i63-v6si23650815pli.354.2018.10.19.09.17.20;
        Fri, 19 Oct 2018 09:17:35 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1727761AbeJTAXg (ORCPT <rfc822;kernelgary@gmail.com>
        + 99 others); Fri, 19 Oct 2018 20:23:36 -0400
Received: from usa-sjc-mx-foss1.foss.arm.com ([217.140.101.70]:55758 "EHLO
        foss.arm.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
        id S1727219AbeJTAXf (ORCPT <rfc822;linux-kernel@vger.kernel.org>);
        Fri, 19 Oct 2018 20:23:35 -0400
Received: from usa-sjc-imap-foss1.foss.arm.com (unknown [10.72.51.249])
        by usa-sjc-mx-foss1.foss.arm.com (Postfix) with ESMTP id C042580D;
        Fri, 19 Oct 2018 09:16:48 -0700 (PDT)
Received: from edgewater-inn.cambridge.arm.com (usa-sjc-imap-foss1.foss.arm.com [10.72.51.249])
        by usa-sjc-imap-foss1.foss.arm.com (Postfix) with ESMTPA id 8FB273F71D;
        Fri, 19 Oct 2018 09:16:48 -0700 (PDT)
Received: by edgewater-inn.cambridge.arm.com (Postfix, from userid 1000)
        id AE6311AE06FD; Fri, 19 Oct 2018 17:16:51 +0100 (BST)
Date:   Fri, 19 Oct 2018 17:16:51 +0100
From:   Will Deacon <will.deacon@arm.com>
To:     Kees Cook <keescook@chromium.org>
Cc:     Mark Rutland <mark.rutland@arm.com>,
        linux-arch <linux-arch@vger.kernel.org>,
        Andrew Jones <drjones@redhat.com>,
        LKML <linux-kernel@vger.kernel.org>,
        Jacob Bramley <jacob.bramley@arm.com>,
        Arnd Bergmann <arnd@arndb.de>,
        Ard Biesheuvel <ard.biesheuvel@linaro.org>,
        Marc Zyngier <marc.zyngier@arm.com>,
        Catalin Marinas <catalin.marinas@arm.com>,
        Adam Wallis <awallis@codeaurora.org>,
        "Suzuki K . Poulose" <suzuki.poulose@arm.com>,
        Christoffer Dall <christoffer.dall@arm.com>,
        Kristina Martsenko <kristina.martsenko@arm.com>,
        Dave P Martin <Dave.Martin@arm.com>,
        Cyrill Gorcunov <gorcunov@openvz.org>,
        Ramana Radhakrishnan <ramana.radhakrishnan@arm.com>,
        Amit Kachhap <Amit.Kachhap@arm.com>,
        kvmarm@lists.cs.columbia.edu,
        linux-arm-kernel <linux-arm-kernel@lists.infradead.org>
Subject: Re: [PATCH v5 07/17] arm64: add basic pointer authentication support
Message-ID: <20181019161651.GE16771@arm.com>
References: <20181005084754.20950-1-kristina.martsenko@arm.com>
 <20181005084754.20950-8-kristina.martsenko@arm.com>
 <20181019111542.6wrvjguirglzg7vg@mbp>
 <20181019112404.GD14246@arm.com>
 <CAGXu5j+2axuzPJji_eCvMZDiPvrPsP3kAnG0CY_rsL5c=uFQFA@mail.gmail.com>
 <20181019154948.GD16771@arm.com>
 <CAGXu5jK8OK+430FQtztwVD8B95_SCjTWoysZXBdkZaDeSiV+ow@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <CAGXu5jK8OK+430FQtztwVD8B95_SCjTWoysZXBdkZaDeSiV+ow@mail.gmail.com>
User-Agent: Mutt/1.5.23 (2014-03-12)
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Fri, Oct 19, 2018 at 09:05:57AM -0700, Kees Cook wrote:
> On Fri, Oct 19, 2018 at 8:49 AM, Will Deacon <will.deacon@arm.com> wrote:
> > On Fri, Oct 19, 2018 at 08:36:45AM -0700, Kees Cook wrote:
> >> On Fri, Oct 19, 2018 at 4:24 AM, Will Deacon <will.deacon@arm.com> wrote:
> >> > FWIW: I think we should be entertaining a prctl() interface to use a new
> >> > key on a per-thread basis. Obviously, this would need to be used with care
> >> > (e.g. you'd fork(); use the prctl() and then you'd better not return from
> >> > the calling function!).
> >> >
> >> > Assuming we want this (Kees -- I was under the impression that everything in
> >> > Android would end up with the same key otherwise?), then the question is
> >> > do we want:
> >> >
> >> >   - prctl() get/set operations for the key, or
> >> >   - prctl() set_random_key operation, or
> >> >   - both of the above?
> >> >
> >> > Part of the answer to that may lie in the requirements of CRIU, where I
> >> > strongly suspect they need explicit get/set operations, although these
> >> > could be gated on CONFIG_CHECKPOINT_RESTORE=y.
> >>
> >> Oh CRIU. Yikes. I'd like the get/set to be gated by the CONFIG, yes.
> >> No reason to allow explicit access to the key (and selected algo) if
> >> we don't have to.
> >
> > Makes sense.
> >
> >> As for per-thread or not, having a "pick a new key now" prctl() sounds
> >> good, but I'd like to have an eye toward having it just be "automatic"
> >> on clone().
> >
> > I thought about that too, but we're out of clone() flags afaict and there's
> > no arch hook in there. We could add yet another clone syscall, but yuck (and
> > I reckon viro would kill us).
> >
> > Or are you saying that we could infer the behaviour from the existing set
> > of flags?
> 
> I mean if it's starting a new thread, it should get a new key
> automatically, just like the ssp canary happens in dup_task_struct().
> 
> (Or did I miss some context for why that's not possible?)

The problem with that is if the child thread (in userspace) returns from
the function that called fork(), then it will explode because the link
register will have been signed with the parent key.

Will