Received: by 2002:ad5:474a:0:0:0:0:0 with SMTP id i10csp5558974imu; Tue, 13 Nov 2018 08:19:44 -0800 (PST) X-Google-Smtp-Source: AJdET5eS0eVztWwLlz6cXDLMjEQ8lcvAS20w6tp3gCLuxSw2BVPVKv7/BN9rHa6MT9mb5g0VwRy6 X-Received: by 2002:a17:902:b498:: with SMTP id y24-v6mr5848065plr.179.1542125984124; Tue, 13 Nov 2018 08:19:44 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1542125984; cv=none; d=google.com; s=arc-20160816; b=UQnloTng482VZDZZBNL5ksVzIJRZbQsBZefr0M6d15v97Jca4uzC5b9wlIaQ3SNvfE OC25ukwBwiF7tCta6rAOzDvAoT7jKVVXIWce2jIypnbSEzE777FDj2C3eYei2JbpiMyf huz6qykyYtXTAlMNoMcO7Nf1v0vOI8cK5k6z3W3oTTLzhcCuw4AolQoqhdqA1d5It37s QgG08Um6FwCAVsFy1XXsMqTG06mAQTf3esQNYEf1H2WJirz9k0KA4GSouRK0DL127DOf nuvgnZxQwWSQ3ar2idE9yXFkkas0H84Hmh/17yCc9Mh+xtCkcNnpAGPbWql0jeKGpJpB 7nUw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding :content-language:in-reply-to:mime-version:user-agent:date :message-id:from:references:cc:to:subject; bh=iuFiyW4T7+wd8gMfiPrndIHtayHn852hCp4b13HafLs=; b=l0x1MDXZnrgHSUYhDzJiGU5wva+VAaZRTMzN0pk+VFUMODAUBSM4eZoRugWUJxSLm9 X916Q6ipHFqoJFdn/et80+G9P8lnkYxH7eM70KGiMlVb/AaSl6L9OxcfSLo4mYNOfV2p 9qzgoANU9Cp/Felj2TUkOyR28aXi6QNWXhiXjSr+xCRZybldiK8CP27GQDLedo1e8pse rEbJVeTyVvcbNoOZbokcPku7ymQTc3T7Iulu1Z2sXe6ynnj1Gpf18AlteK318FHWzs4p OK9TmAk2g/cF6VhYxdHzw99vIxUb98xzf5DBetOOyZq3G5I5OaiwJ5tU/edpRaHC1lbd GKSQ== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id a128-v6si23406134pfb.24.2018.11.13.08.19.11; Tue, 13 Nov 2018 08:19:44 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1730690AbeKNCP6 (ORCPT + 99 others); Tue, 13 Nov 2018 21:15:58 -0500 Received: from foss.arm.com ([217.140.101.70]:58944 "EHLO foss.arm.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726517AbeKNCP6 (ORCPT ); Tue, 13 Nov 2018 21:15:58 -0500 Received: from usa-sjc-imap-foss1.foss.arm.com (unknown [10.72.51.249]) by usa-sjc-mx-foss1.foss.arm.com (Postfix) with ESMTP id 943E5A78; Tue, 13 Nov 2018 08:17:12 -0800 (PST) Received: from [10.1.197.21] (usa-sjc-imap-foss1.foss.arm.com [10.72.51.249]) by usa-sjc-imap-foss1.foss.arm.com (Postfix) with ESMTPSA id 9CC193F5CF; Tue, 13 Nov 2018 08:17:09 -0800 (PST) Subject: Re: [PATCH 00/17] ARMv8.3 pointer authentication support To: Kees Cook Cc: linux-arm-kernel , Adam Wallis , Amit Kachhap , Andrew Jones , Ard Biesheuvel , Arnd Bergmann , Catalin Marinas , Christoffer Dall , Dave P Martin , Jacob Bramley , Marc Zyngier , Mark Rutland , Ramana Radhakrishnan , "Suzuki K . Poulose" , Will Deacon , kvmarm@lists.cs.columbia.edu, linux-arch , LKML References: <20181005084754.20950-1-kristina.martsenko@arm.com> From: Kristina Martsenko Message-ID: Date: Tue, 13 Nov 2018 16:17:07 +0000 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Thunderbird/60.3.0 MIME-Version: 1.0 In-Reply-To: Content-Type: text/plain; charset=utf-8 Content-Language: en-US Content-Transfer-Encoding: 7bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org (Sorry for the really late response!) On 15/10/2018 23:42, Kees Cook wrote: > On Fri, Oct 5, 2018 at 1:47 AM, Kristina Martsenko > wrote: >> This series adds support for the ARMv8.3 pointer authentication >> extension. The series contains Mark's original patches to enable pointer >> authentication for userspace [1], followed by early RFC patches using >> pointer authentication in the kernel. > > It wasn't obvious to me where the PAC mismatch exceptions will be > caught. I'm mainly curious to compare the PAC exception handling to > the existing stack-protector panic(). Can you point me to which > routines manage that? (Perhaps I just missed it in the series...) When the PAC authentication fails, it doesn't actually generate an exception, it just flips a bit in the high-order bits of the pointer, making the pointer invalid. Then when the pointer is dereferenced (e.g. as a function return address), it generates the usual type of exception for an invalid address. So when a function return fails in user mode, the exception is handled in __do_user_fault and a forced SIGSEGV is delivered to the task. When a function return fails in kernel mode, the exception is handled in __do_kernel_fault and the task is killed. This is different from stack protector as we don't panic the kernel, we just kill the task. It would be difficult to panic as we don't have a reliable way of knowing that the exception was caused by a PAC authentication failure (we just have an invalid pointer with a specific bit flipped). We also don't print out any PAC-related warning. Thanks, Kristina