Subject: Re: [PATCH v6 08/13] arm64: expose user PAC bit positions via ptrace
From: Richard Henderson
To: Kristina Martsenko, linux-arm-kernel@lists.infradead.org
Cc: Adam Wallis, Amit Kachhap, Andrew Jones, Ard Biesheuvel, Catalin Marinas,
    Christoffer Dall, Cyrill Gorcunov, Dave P Martin, Jacob Bramley, Kees Cook,
    Marc Zyngier, Mark Rutland, Ramana Radhakrishnan, Suzuki K Poulose,
    Will Deacon, kvmarm@lists.cs.columbia.edu, linux-kernel@vger.kernel.org
Date: Sun, 9 Dec 2018 09:41:31 -0600

On 12/7/18 12:39 PM, Kristina Martsenko wrote:
> When pointer authentication is in use, data/instruction pointers have a
> number of PAC bits inserted into them. The number and position of these
> bits depends on the configured TCR_ELx.TxSZ and whether tagging is
> enabled. ARMv8.3 allows tagging to differ for instruction and data
> pointers.

At this point I think it's worth starting a discussion about pointer tagging,
and how we can make it controllable and not mandatory.

With this patch set, we are enabling 7 authentication bits: [54:48].

However, it won't be too long before someone implements support for
ARMv8.2-LVA, at which point, without changes to mandatory pointer tagging, we
will only have 3 authentication bits: [54:52]. This seems useless and easily
brute-force-able.

I assume that pointer tagging is primarily used by Android, since I'm not aware
of anything else that uses it at all.

Unfortunately, there is no obvious path to making this optional that does not
break compatibility with Documentation/arm64/tagged-pointers.txt.

I've been thinking that there ought to be some sort of global setting, akin to
/proc/sys/kernel/randomize_va_space, as well as a prctl which an application
could use to selectively enable TBI/TBID for an application that actually uses
tagging.

The global /proc setting allows the default to remain 1, which would let any
application using tagging continue working. If there are none, the sysadmin
can set the default to 0. Going forward, applications could be updated to use
the prctl, allowing more systems to set the default to 0.

FWIW, pointer authentication continues to work when enabling TBI, but not the
other way around. Thus the prctl could be used to enable TBI at any point, but
if libc is built with PAuth, there's no way to turn it back off again.


r~
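
The bit counts discussed in the message above, worked through as an added example (not part of the original message or of the patch set). The function names pac_mask() and pac_bits() are illustrative; the example assumes the ARMv8.3 layout in which bit 55 selects the address range and bits [63:56] belong to the PAC only when top-byte-ignore (TBI) is off.

```c
#include <stdint.h>
#include <stdio.h>

/* Mask of bits [hi:lo], inclusive (0 <= lo <= hi <= 63). */
static uint64_t bits(unsigned hi, unsigned lo)
{
    return (~0ULL >> (63 - hi)) & (~0ULL << lo);
}

/*
 * PAC field of a user pointer for a given virtual address size.
 * Bit 55 is never part of the PAC. With TBI enabled the tag byte
 * [63:56] is excluded as well, leaving [54:va_bits]; with TBI
 * disabled, [63:56] carry PAC bits too.
 */
uint64_t pac_mask(unsigned va_bits, int tbi)
{
    uint64_t mask = bits(54, va_bits);

    if (!tbi)
        mask |= bits(63, 56);
    return mask;
}

/* Number of PAC bits, i.e. log2 of the values a guess must cover. */
unsigned pac_bits(unsigned va_bits, int tbi)
{
    uint64_t m = pac_mask(va_bits, tbi);
    unsigned n = 0;

    for (; m; m &= m - 1)   /* clear the lowest set bit each pass */
        n++;
    return n;
}

int main(void)
{
    /* 48-bit VA is the configuration in the patch set; 52-bit is ARMv8.2-LVA. */
    const unsigned va[] = { 48, 52 };

    for (unsigned i = 0; i < 2; i++)
        for (int tbi = 1; tbi >= 0; tbi--)
            printf("VA=%u TBI=%d mask=0x%016llx bits=%2u values=%llu\n",
                   va[i], tbi,
                   (unsigned long long)pac_mask(va[i], tbi),
                   pac_bits(va[i], tbi),
                   1ULL << pac_bits(va[i], tbi));
    return 0;
}
```

With TBI on, the 52-bit case leaves 8 possible PAC values; with TBI off the same address size keeps 2048.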