Received: by 2002:a05:6a10:22f:0:0:0:0 with SMTP id 15csp677731pxk; Thu, 24 Sep 2020 15:56:55 -0700 (PDT) X-Google-Smtp-Source: ABdhPJyF46nGBmcEjLyI6zRwWGIljm2B+RTwYOzCYUdkfOBmER/q0AJnYQ3vdZW+lFtkAveR/QtN X-Received: by 2002:a17:906:c34d:: with SMTP id ci13mr872378ejb.356.1600988215658; Thu, 24 Sep 2020 15:56:55 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1600988215; cv=none; d=google.com; s=arc-20160816; b=iq5dBDea5OvmgovwXycvSGuM93+UxbOxsFgX9Km1OnqR99ksY/AmdJt+SE6P8c17WA 6mv3zpyguDIMOUxQpRWBAdBh5qUYWVqCcbpHhea/URtx/EwH77FEkyVwcVWBGC1dYUgr G6lD5lfqvTGK06BGqr2knsnPKF1WiqmfgihwokX7vRekQOClLgz0ffPH72vQXXHNcVwZ n6hafj1+bPT/lKVeObbBhv6iQxRTxlGHml1Xs002rFrdV4549PBWUN7PieW68GuQkP1T pLuEfaqvJXcoj+0YEktkFa9M8CKQTfgU3rZMhxkFG9O31wXV6OqaR0yojwC/nkqN/0yJ HfcA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:cc:to:from:subject:references:mime-version :message-id:in-reply-to:date:sender:dkim-signature; bh=hlOyvh18y00ONf+aBfuERwpVlPPlvhg4reGb29KekE0=; b=DHVy6WBrUb4Phn1Ql7ypObiNBSJhe3nTVJml2MtsV0bNbcY54GksrlynsxJBPh7Wq0 7ZBHtl485H6xZDfTihhIb7y07u2cYwPmoftSCblvmokMwhFoozIOyT5xR35s2XekSAyU PRHBbK+nqJO0sBIoT4R89a7E/V0ncH+xAfy5eyu2Vmx0r3VXp0Xo0PO2weOTU/XGvUeY BzSTyhz3YA/6HndFvAh+LiIP1aByNTShJtntXtIe1HjcUF1nSuBFQGuiN9kZMnzIQzZm 0dC9Zc+xWc+BwQsDBkoczTvLCvnrAk/8Bz3Y4lUen8uNiaHQjDZdytzTwZXj6wA3dt0K ctkA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@google.com header.s=20161025 header.b=CORF9gJC; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id i19si612071ejd.384.2020.09.24.15.56.32; Thu, 24 Sep 2020 15:56:55 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@google.com header.s=20161025 header.b=CORF9gJC; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727171AbgIXWwt (ORCPT + 99 others); Thu, 24 Sep 2020 18:52:49 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:50790 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1727109AbgIXWw2 (ORCPT ); Thu, 24 Sep 2020 18:52:28 -0400 Received: from mail-wr1-x449.google.com (mail-wr1-x449.google.com [IPv6:2a00:1450:4864:20::449]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 1634CC0613D3 for ; Thu, 24 Sep 2020 15:52:28 -0700 (PDT) Received: by mail-wr1-x449.google.com with SMTP id 33so298586wre.0 for ; Thu, 24 Sep 2020 15:52:28 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=sender:date:in-reply-to:message-id:mime-version:references:subject :from:to:cc; bh=hlOyvh18y00ONf+aBfuERwpVlPPlvhg4reGb29KekE0=; b=CORF9gJCrMWKBdiAEXzP4Wnk0pkHeLcpSnQB6iEngvluNFx3U2tyWzD0FJ+uauW6HO jjUqHGF5SIbkJ3CEyF5vKlaqWIAEkkOmzilgzekqIAPArB4tWFpiLLxIAOmqqDmgMiDV 5vO4Xb5j6DoGAsb4RgY6XAL26Z6cmgP1pjmX1oUT6hekkKMA8tGu8jO40cEEhTKpKqRV JqPlGzf6/2FDdS6I+znOq9c9JtfTPeuzq5s6c7L/5p28T1HT2Q2YCT2eiOSMSDM8NaTk NDT1BVsRzAYZRBEX8R/+VmqnWVQCh1QkoGLin/ftJiWo+mWNRu6PYU2fCeUm9MJEjAeE Hh5g== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:sender:date:in-reply-to:message-id:mime-version :references:subject:from:to:cc; bh=hlOyvh18y00ONf+aBfuERwpVlPPlvhg4reGb29KekE0=; b=afxEugv0GX52Bg8StEU+fJQhknEVOuLpnvyXnYz2SxhcLjUduxusmql9irHsUfdut8 yLuRlgTOb6YgoRrqpqok038dx6XgYF/B61qxJe3MGd5+FmqH/aD/qBjvTMhDznI7ER3N bVMN7Gc1RyPsUI3ehwRPyONhs4p2Dok2EuDaJYsgqDLGJ258cOCcg5zDzDihkn2BSqg3 NDHVdPyBHdXe4698ZqzQOgrUIxIfj2MmshYiS+mf1ufWk4rFJf9a2w6ELEu7QbNke2sU OYeTF4/eqbFQWwroGrUBkFN/GRkXtjBQ0+6pw2VXu4Py0HVmDq2ZRJOVfBDa5J4tMkZC AHvw== X-Gm-Message-State: AOAM532OXO+/ub+wQ0LK4/GRPV63MClCMMCV3RIMK9R/lB/zC5UUfbV7 u3Z3z92WHP9sBeq/lUHYhB21eRxWr2Sy8FRK Sender: "andreyknvl via sendgmr" X-Received: from andreyknvl3.muc.corp.google.com ([2a00:79e0:15:13:7220:84ff:fe09:7e9d]) (user=andreyknvl job=sendgmr) by 2002:adf:db4d:: with SMTP id f13mr1162110wrj.155.1600987946571; Thu, 24 Sep 2020 15:52:26 -0700 (PDT) Date: Fri, 25 Sep 2020 00:50:46 +0200 In-Reply-To: Message-Id: Mime-Version: 1.0 References: X-Mailer: git-send-email 2.28.0.681.g6f77f65b4e-goog Subject: [PATCH v3 39/39] kasan: add documentation for hardware tag-based mode From: Andrey Konovalov To: Dmitry Vyukov , Vincenzo Frascino , Catalin Marinas , kasan-dev@googlegroups.com Cc: Andrey Ryabinin , Alexander Potapenko , Marco Elver , Evgenii Stepanov , Elena Petrova , Branislav Rankov , Kevin Brodsky , Will Deacon , Andrew Morton , linux-arm-kernel@lists.infradead.org, linux-mm@kvack.org, linux-kernel@vger.kernel.org, Andrey Konovalov Content-Type: text/plain; charset="UTF-8" Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Add documentation for hardware tag-based KASAN mode and also add some clarifications for software tag-based mode. Signed-off-by: Andrey Konovalov Signed-off-by: Vincenzo Frascino --- Change-Id: Ib46cb444cfdee44054628940a82f5139e10d0258 --- Documentation/dev-tools/kasan.rst | 78 ++++++++++++++++++++++--------- 1 file changed, 57 insertions(+), 21 deletions(-) diff --git a/Documentation/dev-tools/kasan.rst b/Documentation/dev-tools/kasan.rst index a3030fc6afe5..d2d47c82a7b9 100644 --- a/Documentation/dev-tools/kasan.rst +++ b/Documentation/dev-tools/kasan.rst @@ -5,12 +5,14 @@ Overview -------- KernelAddressSANitizer (KASAN) is a dynamic memory error detector designed to -find out-of-bound and use-after-free bugs. KASAN has two modes: generic KASAN -(similar to userspace ASan) and software tag-based KASAN (similar to userspace -HWASan). +find out-of-bound and use-after-free bugs. KASAN has three modes: +1. generic KASAN (similar to userspace ASan), +2. software tag-based KASAN (similar to userspace HWASan), +3. hardware tag-based KASAN (based on hardware memory tagging). -KASAN uses compile-time instrumentation to insert validity checks before every -memory access, and therefore requires a compiler version that supports that. +Software KASAN modes (1 and 2) use compile-time instrumentation to insert +validity checks before every memory access, and therefore require a compiler +version that supports that. Generic KASAN is supported in both GCC and Clang. With GCC it requires version 8.3.0 or later. With Clang it requires version 7.0.0 or later, but detection of @@ -19,7 +21,7 @@ out-of-bounds accesses for global variables is only supported since Clang 11. Tag-based KASAN is only supported in Clang and requires version 7.0.0 or later. Currently generic KASAN is supported for the x86_64, arm64, xtensa, s390 and -riscv architectures, and tag-based KASAN is supported only for arm64. +riscv architectures, and tag-based KASAN modes are supported only for arm64. Usage ----- @@ -28,14 +30,16 @@ To enable KASAN configure kernel with:: CONFIG_KASAN = y -and choose between CONFIG_KASAN_GENERIC (to enable generic KASAN) and -CONFIG_KASAN_SW_TAGS (to enable software tag-based KASAN). +and choose between CONFIG_KASAN_GENERIC (to enable generic KASAN), +CONFIG_KASAN_SW_TAGS (to enable software tag-based KASAN), and +CONFIG_KASAN_HW_TAGS (to enable hardware tag-based KASAN). -You also need to choose between CONFIG_KASAN_OUTLINE and CONFIG_KASAN_INLINE. -Outline and inline are compiler instrumentation types. The former produces -smaller binary while the latter is 1.1 - 2 times faster. +For software modes, you also need to choose between CONFIG_KASAN_OUTLINE and +CONFIG_KASAN_INLINE. Outline and inline are compiler instrumentation types. +The former produces smaller binary while the latter is 1.1 - 2 times faster. -Both KASAN modes work with both SLUB and SLAB memory allocators. +Both software KASAN modes work with both SLUB and SLAB memory allocators, +hardware tag-based KASAN currently only support SLUB. For better bug detection and nicer reporting, enable CONFIG_STACKTRACE. To augment reports with last allocation and freeing stack of the physical page, @@ -196,17 +200,24 @@ and the second to last. Software tag-based KASAN ~~~~~~~~~~~~~~~~~~~~~~~~ -Tag-based KASAN uses the Top Byte Ignore (TBI) feature of modern arm64 CPUs to -store a pointer tag in the top byte of kernel pointers. Like generic KASAN it -uses shadow memory to store memory tags associated with each 16-byte memory +Software tag-based KASAN requires software memory tagging support in the form +of HWASan-like compiler instrumentation (see HWASan documentation for details). + +Software tag-based KASAN is currently only implemented for arm64 architecture. + +Software tag-based KASAN uses the Top Byte Ignore (TBI) feature of arm64 CPUs +to store a pointer tag in the top byte of kernel pointers. Like generic KASAN +it uses shadow memory to store memory tags associated with each 16-byte memory cell (therefore it dedicates 1/16th of the kernel memory for shadow memory). -On each memory allocation tag-based KASAN generates a random tag, tags the -allocated memory with this tag, and embeds this tag into the returned pointer. +On each memory allocation software tag-based KASAN generates a random tag, tags +the allocated memory with this tag, and embeds this tag into the returned +pointer. + Software tag-based KASAN uses compile-time instrumentation to insert checks before each memory access. These checks make sure that tag of the memory that is being accessed is equal to tag of the pointer that is used to access this -memory. In case of a tag mismatch tag-based KASAN prints a bug report. +memory. In case of a tag mismatch software tag-based KASAN prints a bug report. Software tag-based KASAN also has two instrumentation modes (outline, that emits callbacks to check memory accesses; and inline, that performs the shadow @@ -215,9 +226,34 @@ simply printed from the function that performs the access check. With inline instrumentation a brk instruction is emitted by the compiler, and a dedicated brk handler is used to print bug reports. -A potential expansion of this mode is a hardware tag-based mode, which would -use hardware memory tagging support instead of compiler instrumentation and -manual shadow memory manipulation. +Software tag-based KASAN uses 0xFF as a match-all pointer tag (accesses through +pointers with 0xFF pointer tag aren't checked). The value 0xFE is currently +reserved to tag freed memory regions. + +Software tag-based KASAN currently only supports tagging of slab memory. + +Hardware tag-based KASAN +~~~~~~~~~~~~~~~~~~~~~~~~ + +Hardware tag-based KASAN is similar to the software mode in concept, but uses +hardware memory tagging support instead of compiler instrumentation and +shadow memory. + +Hardware tag-based KASAN is currently only implemented for arm64 architecture +and based on both arm64 Memory Tagging Extension (MTE) introduced in ARMv8.5 +Instruction Set Architecture, and Top Byte Ignore (TBI). + +Special arm64 instructions are used to assign memory tags for each allocation. +Same tags are assigned to pointers to those allocations. On every memory +access, hardware makes sure that tag of the memory that is being accessed is +equal to tag of the pointer that is used to access this memory. In case of a +tag mismatch a fault is generated and a report is printed. + +Hardware tag-based KASAN uses 0xFF as a match-all pointer tag (accesses through +pointers with 0xFF pointer tag aren't checked). The value 0xFE is currently +reserved to tag freed memory regions. + +Hardware tag-based KASAN currently only supports tagging of slab memory. What memory accesses are sanitised by KASAN? -------------------------------------------- -- 2.28.0.681.g6f77f65b4e-goog