Received: by 2002:ac0:a582:0:0:0:0:0 with SMTP id m2-v6csp3359824imm; Fri, 19 Oct 2018 09:17:35 -0700 (PDT) X-Google-Smtp-Source: ACcGV613qBn8g6Fy2Q3FOoPuP3h1lFySkWUMtCUQRWSX8XqUoMm0HFSkt3BiRoJnjqOa8SPxp3H+ X-Received: by 2002:a17:902:708b:: with SMTP id z11-v6mr35723369plk.151.1539965855431; Fri, 19 Oct 2018 09:17:35 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1539965855; cv=none; d=google.com; s=arc-20160816; b=WbFgt9+9JhFh2jWJlmCVIu6ObSepVpBEkGRmR8hDnOY7Wq+gJR6xR84ulXRC3rLgkZ TvSfVzU64eUT93Dy9GhAub3B1u5roIBazr32Ua3DOZhLe4s/VrCotJdMC4yXib8pE5vM G+rk2/jINV8RQ0ES077tg8Uyt2v1ltYrQ5DiIlpf7nACsZSwl/JFBgZBmTrg7OCp8Meb O4juBWnyOT1r4Jm1+PYkT3HXDlK2aPvjktCcSmqVwnT8TdSUWc2jBda6YRhCeoiuqH9x qclcAC6u9A7+RA3LdGZDe7FkfrOVPNQ0dZHFZDKBKvMQNmuzVn1Mk6oR9saqhZ6xjb7M kTLQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:user-agent:in-reply-to :content-disposition:mime-version:references:message-id:subject:cc :to:from:date; bh=3f9xn53Q+ImCsaePXBZI+mNylJq90xZ5ubA0bWyNb0I=; b=dSQSVG9rN3nxpHDF0Pd7N97vzYwFWoItuKCmGe818d+oa7azNIAyT+WFUe827Fc29y ERyJZ73zRImPsJAQogBE12DPFKhb2gaokefgFhP9g6T4reGWUhWoejwCi+xuBHgFY1GP f0g2RiiFDct3Z/DoDxu0DKmU5euVaq/6+cbX8OrgQU63P/bTOrgWUX3KvJcRDt0HTQay I9jXWjz5o0PA3gQsagE59r3GWu9XWz3tGvik0B86YT8xdiJsCzcbk90gbG7xXudyQCJf nmyEFWfsS7lwFW6KSkswPIJHNeAClUMDgNsTxx/RnUizJiAmgKV2bBVem1qkwBCyI7l2 V3lw== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id i63-v6si23650815pli.354.2018.10.19.09.17.20; Fri, 19 Oct 2018 09:17:35 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727761AbeJTAXg (ORCPT + 99 others); Fri, 19 Oct 2018 20:23:36 -0400 Received: from usa-sjc-mx-foss1.foss.arm.com ([217.140.101.70]:55758 "EHLO foss.arm.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1727219AbeJTAXf (ORCPT ); Fri, 19 Oct 2018 20:23:35 -0400 Received: from usa-sjc-imap-foss1.foss.arm.com (unknown [10.72.51.249]) by usa-sjc-mx-foss1.foss.arm.com (Postfix) with ESMTP id C042580D; Fri, 19 Oct 2018 09:16:48 -0700 (PDT) Received: from edgewater-inn.cambridge.arm.com (usa-sjc-imap-foss1.foss.arm.com [10.72.51.249]) by usa-sjc-imap-foss1.foss.arm.com (Postfix) with ESMTPA id 8FB273F71D; Fri, 19 Oct 2018 09:16:48 -0700 (PDT) Received: by edgewater-inn.cambridge.arm.com (Postfix, from userid 1000) id AE6311AE06FD; Fri, 19 Oct 2018 17:16:51 +0100 (BST) Date: Fri, 19 Oct 2018 17:16:51 +0100 From: Will Deacon To: Kees Cook Cc: Mark Rutland , linux-arch , Andrew Jones , LKML , Jacob Bramley , Arnd Bergmann , Ard Biesheuvel , Marc Zyngier , Catalin Marinas , Adam Wallis , "Suzuki K . Poulose" , Christoffer Dall , Kristina Martsenko , Dave P Martin , Cyrill Gorcunov , Ramana Radhakrishnan , Amit Kachhap , kvmarm@lists.cs.columbia.edu, linux-arm-kernel Subject: Re: [PATCH v5 07/17] arm64: add basic pointer authentication support Message-ID: <20181019161651.GE16771@arm.com> References: <20181005084754.20950-1-kristina.martsenko@arm.com> <20181005084754.20950-8-kristina.martsenko@arm.com> <20181019111542.6wrvjguirglzg7vg@mbp> <20181019112404.GD14246@arm.com> <20181019154948.GD16771@arm.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: User-Agent: Mutt/1.5.23 (2014-03-12) Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Fri, Oct 19, 2018 at 09:05:57AM -0700, Kees Cook wrote: > On Fri, Oct 19, 2018 at 8:49 AM, Will Deacon wrote: > > On Fri, Oct 19, 2018 at 08:36:45AM -0700, Kees Cook wrote: > >> On Fri, Oct 19, 2018 at 4:24 AM, Will Deacon wrote: > >> > FWIW: I think we should be entertaining a prctl() interface to use a new > >> > key on a per-thread basis. Obviously, this would need to be used with care > >> > (e.g. you'd fork(); use the prctl() and then you'd better not return from > >> > the calling function!). > >> > > >> > Assuming we want this (Kees -- I was under the impression that everything in > >> > Android would end up with the same key otherwise?), then the question is > >> > do we want: > >> > > >> > - prctl() get/set operations for the key, or > >> > - prctl() set_random_key operation, or > >> > - both of the above? > >> > > >> > Part of the answer to that may lie in the requirements of CRIU, where I > >> > strongly suspect they need explicit get/set operations, although these > >> > could be gated on CONFIG_CHECKPOINT_RESTORE=y. > >> > >> Oh CRIU. Yikes. I'd like the get/set to be gated by the CONFIG, yes. > >> No reason to allow explicit access to the key (and selected algo) if > >> we don't have to. > > > > Makes sense. > > > >> As for per-thread or not, having a "pick a new key now" prctl() sounds > >> good, but I'd like to have an eye toward having it just be "automatic" > >> on clone(). > > > > I thought about that too, but we're out of clone() flags afaict and there's > > no arch hook in there. We could add yet another clone syscall, but yuck (and > > I reckon viro would kill us). > > > > Or are you saying that we could infer the behaviour from the existing set > > of flags? > > I mean if it's starting a new thread, it should get a new key > automatically, just like the ssp canary happens in dup_task_struct(). > > (Or did I miss some context for why that's not possible?) The problem with that is if the child thread (in userspace) returns from the function that called fork(), then it will explode because the link register will have been signed with the parent key. Will