Received: by 2002:a05:6a10:6006:0:0:0:0 with SMTP id w6csp1243975pxa; Fri, 28 Aug 2020 07:37:50 -0700 (PDT) X-Google-Smtp-Source: ABdhPJz5vke29wSvtCJlY2IPHy5hi1zDjNnk1iPNU+LKq7WTY2CLi7At4i7wd+zkO9yDDfAr6+km X-Received: by 2002:a17:906:f98d:: with SMTP id li13mr2253296ejb.393.1598625470133; Fri, 28 Aug 2020 07:37:50 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1598625470; cv=none; d=google.com; s=arc-20160816; b=cu6Yq6T970G2pp8d7UKBt80i0eFxQlZ1rPcpSvx7LhL90a0y6kBn0nx7YCofwdvaFg ikJHmkcXzf26CJ/eQxt5uJszO0NIRSfjesveqQaayVllUHp9zq4tiFHGq5uwqdI/llLU CZeC2rFwft1rm16LPIBRIfp3rDmtLkkVgtEBtxTmr+MTbOuc+rJtRhzFa+GmOSWq8qPr tyZcAWVvvmmZyqonNOxzQSAORz/s5Y/OFK3tgQI7fOyBWPl3CDk3DA9YF8zLkI9hFlPL WoHbyx3/XSqfHDVRUvb5/0JAZ0lFB+RVBimX/HvFdwOf/9Swo0/eIr6qw6QcmJlhzasp RtAA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding :content-language:in-reply-to:mime-version:user-agent:date :message-id:from:references:cc:to:subject; bh=x/G6bqBKQf4sh2+83c4i7EZMZnmzP/sAtPWkC6bfs+c=; b=H08ORQeZ+psCbqCqC5pXgYGcikUp/TRKyo+PnmCKSNkK7O4K0J1cIhXJGKurTvoV+2 ppbb5NKRiygr2Ej9JNJqGUQWb/nIujfkufppvODYb3J/HRYECVrrMIquA0i/pcuMjwqg Hf14uM4VrpvX2azTir3Nkkqnh9J7rLhmx9jul39KYTy13Rd35ot3ILaMBl7OP/4TSHcl 3DkGIbJfQ59Q5FWoUzKjN4+bK1jIjsf1AOhABUrhR05ETWxJmVdKVnZE+o/vRe7puYIt 5uXAC0Y8RqRKMu6joHtcjJr+BjaokxyuClax1ek6QKDjwSNNTQyOqY43u92euubprbmv sKtA== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id by2si701687ejb.576.2020.08.28.07.37.26; Fri, 28 Aug 2020 07:37:50 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727777AbgH1Oeh (ORCPT + 99 others); Fri, 28 Aug 2020 10:34:37 -0400 Received: from foss.arm.com ([217.140.110.172]:50858 "EHLO foss.arm.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726236AbgH1Oef (ORCPT ); Fri, 28 Aug 2020 10:34:35 -0400 Received: from usa-sjc-imap-foss1.foss.arm.com (unknown [10.121.207.14]) by usa-sjc-mx-foss1.foss.arm.com (Postfix) with ESMTP id C05EE1FB; Fri, 28 Aug 2020 07:34:34 -0700 (PDT) Received: from [192.168.1.190] (unknown [172.31.20.19]) by usa-sjc-imap-foss1.foss.arm.com (Postfix) with ESMTPSA id 7FFB43F71F; Fri, 28 Aug 2020 07:34:33 -0700 (PDT) Subject: Re: [PATCH 4/4] kselftests/arm64: add PAuth tests for single threaded consistency and key uniqueness To: Boyan Karatotev , linux-arm-kernel@lists.infradead.org, linux-kselftest@vger.kernel.org, linux-kernel@vger.kernel.org Cc: amit.kachhap@arm.com, boian4o1@gmail.com, Shuah Khan , Catalin Marinas , Will Deacon References: <20200828131606.7946-1-boyan.karatotev@arm.com> <20200828131606.7946-5-boyan.karatotev@arm.com> From: Vincenzo Frascino Message-ID: <5c6622cb-e81f-c175-8150-b14009877468@arm.com> Date: Fri, 28 Aug 2020 15:36:43 +0100 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Thunderbird/68.10.0 MIME-Version: 1.0 In-Reply-To: <20200828131606.7946-5-boyan.karatotev@arm.com> Content-Type: text/plain; charset=utf-8 Content-Language: en-US Content-Transfer-Encoding: 7bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On 8/28/20 2:16 PM, Boyan Karatotev wrote: > PAuth adds 5 different keys that can be used to sign addresses. > > Add a test that verifies that the kernel initializes them uniquely and > preserves them across context switches. > Reviewed-by: Vincenzo Frascino > Cc: Shuah Khan > Cc: Catalin Marinas > Cc: Will Deacon > Signed-off-by: Boyan Karatotev > --- > tools/testing/selftests/arm64/pauth/pac.c | 116 ++++++++++++++++++++++ > 1 file changed, 116 insertions(+) > > diff --git a/tools/testing/selftests/arm64/pauth/pac.c b/tools/testing/selftests/arm64/pauth/pac.c > index 16dea47b11c7..718f49adc275 100644 > --- a/tools/testing/selftests/arm64/pauth/pac.c > +++ b/tools/testing/selftests/arm64/pauth/pac.c > @@ -1,10 +1,13 @@ > // SPDX-License-Identifier: GPL-2.0 > // Copyright (C) 2020 ARM Limited > > +#define _GNU_SOURCE > + > #include > #include > #include > #include > +#include > > #include "../../kselftest_harness.h" > #include "helper.h" > @@ -21,6 +24,7 @@ > * The VA space size is 48 bits. Bigger is opt-in. > */ > #define PAC_MASK (~0xff80ffffffffffff) > +#define ARBITRARY_VALUE (0x1234) > #define ASSERT_PAUTH_ENABLED() \ > do { \ > unsigned long hwcaps = getauxval(AT_HWCAP); \ > @@ -66,13 +70,36 @@ int are_same(struct signatures *old, struct signatures *new, int nkeys) > return res; > } > > +int are_unique(struct signatures *sign, int nkeys) > +{ > + size_t vals[nkeys]; > + > + vals[0] = sign->keyia & PAC_MASK; > + vals[1] = sign->keyib & PAC_MASK; > + vals[2] = sign->keyda & PAC_MASK; > + vals[3] = sign->keydb & PAC_MASK; > + > + if (nkeys >= 4) > + vals[4] = sign->keyg & PAC_MASK; > + > + for (int i = 0; i < nkeys - 1; i++) { > + for (int j = i + 1; j < nkeys; j++) { > + if (vals[i] == vals[j]) > + return 0; > + } > + } > + return 1; > +} > + > int exec_sign_all(struct signatures *signed_vals, size_t val) > { > int new_stdin[2]; > int new_stdout[2]; > int status; > + int i; > ssize_t ret; > pid_t pid; > + cpu_set_t mask; > > ret = pipe(new_stdin); > if (ret == -1) { > @@ -86,6 +113,20 @@ int exec_sign_all(struct signatures *signed_vals, size_t val) > return -1; > } > > + /* > + * pin this process and all its children to a single CPU, so it can also > + * guarantee a context switch with its child > + */ > + sched_getaffinity(0, sizeof(mask), &mask); > + > + for (i = 0; i < sizeof(cpu_set_t); i++) > + if (CPU_ISSET(i, &mask)) > + break; > + > + CPU_ZERO(&mask); > + CPU_SET(i, &mask); > + sched_setaffinity(0, sizeof(mask), &mask); > + > pid = fork(); > // child > if (pid == 0) { > @@ -192,6 +233,38 @@ TEST(pac_instructions_not_nop_generic) > ASSERT_NE(0, keyg) TH_LOG("keyg instructions did nothing"); > } > > +TEST(single_thread_unique_keys) > +{ > + int unique = 0; > + int nkeys = NKEYS; > + struct signatures signed_vals; > + unsigned long hwcaps = getauxval(AT_HWCAP); > + > + /* generic and data key instructions are not in NOP space. This prevents a SIGILL */ > + ASSERT_NE(0, hwcaps & HWCAP_PACA) TH_LOG("PAUTH not enabled"); > + if (!(hwcaps & HWCAP_PACG)) { > + TH_LOG("WARNING: Generic PAUTH not enabled. Skipping generic key checks"); > + nkeys = NKEYS - 1; > + } > + > + /* > + * The PAC field is up to 7 bits. Even with unique keys there is about > + * 5% chance for a collision. This chance rapidly increases the fewer > + * bits there are, a comparison of the keys directly will be more > + * reliable All signed values need to be unique at least once out of n > + * attempts to be certain that the keys are unique > + */ > + for (int i = 0; i < PAC_COLLISION_ATTEMPTS; i++) { > + if (nkeys == NKEYS) > + sign_all(&signed_vals, i); > + else > + sign_specific(&signed_vals, i); > + unique |= are_unique(&signed_vals, nkeys); > + } > + > + ASSERT_EQ(1, unique) TH_LOG("keys clashed every time"); > +} > + > /* > * fork() does not change keys. Only exec() does so call a worker program. > * Its only job is to sign a value and report back the resutls > @@ -227,5 +300,48 @@ TEST(exec_unique_keys) > ASSERT_EQ(1, different) TH_LOG("exec() did not change keys"); > } > > +TEST(context_switch_keep_keys) > +{ > + int ret; > + struct signatures trash; > + struct signatures before; > + struct signatures after; > + > + ASSERT_PAUTH_ENABLED(); > + > + sign_specific(&before, ARBITRARY_VALUE); > + > + /* will context switch with a process with different keys at least once */ > + ret = exec_sign_all(&trash, ARBITRARY_VALUE); > + ASSERT_EQ(0, ret) TH_LOG("failed to run worker"); > + > + sign_specific(&after, ARBITRARY_VALUE); > + > + ASSERT_EQ(before.keyia, after.keyia) TH_LOG("keyia changed after context switching"); > + ASSERT_EQ(before.keyib, after.keyib) TH_LOG("keyib changed after context switching"); > + ASSERT_EQ(before.keyda, after.keyda) TH_LOG("keyda changed after context switching"); > + ASSERT_EQ(before.keydb, after.keydb) TH_LOG("keydb changed after context switching"); > +} > + > +TEST(context_switch_keep_keys_generic) > +{ > + int ret; > + struct signatures trash; > + size_t before; > + size_t after; > + > + ASSERT_GENERIC_PAUTH_ENABLED(); > + > + before = keyg_sign(ARBITRARY_VALUE); > + > + /* will context switch with a process with different keys at least once */ > + ret = exec_sign_all(&trash, ARBITRARY_VALUE); > + ASSERT_EQ(0, ret) TH_LOG("failed to run worker"); > + > + after = keyg_sign(ARBITRARY_VALUE); > + > + ASSERT_EQ(before, after) TH_LOG("keyg changed after context switching"); > +} > + > TEST_HARNESS_MAIN > > -- Regards, Vincenzo