Received: by 2002:a6b:500f:0:0:0:0:0 with SMTP id e15csp5980731iob; Tue, 10 May 2022 07:54:35 -0700 (PDT) X-Google-Smtp-Source: ABdhPJynLVHMdQwuBEgDntqNXfuFSVyOXNsftSAf5g+iXWTHmpAcw9fZWJrvwrs1soXiKsAjVP00 X-Received: by 2002:a17:903:1205:b0:15e:8cbc:fd2b with SMTP id l5-20020a170903120500b0015e8cbcfd2bmr21294834plh.99.1652194475423; Tue, 10 May 2022 07:54:35 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1652194475; cv=none; d=google.com; s=arc-20160816; b=oM7s2if0lvYBXg5IRabuxvHSDhbfdJwJoK3qm86/VIazOrPE4CqQU9nIWi/3hfokqM HZ1Gl0amwKhOByuKZVRcvQSDPSGJcppfLd3w4/q/qSXEtdUYQiJQwrEAVTJWX5iH76fU JnBq31KU60iYFqkHzgERgRBuhaB+lu3eauathrkFGd4KgjdM99mMXHHiaL0Kk6PQcO5d AV/6vTniWRJpVv0M95VTBHt+F41KNSg1I3lLTvL8AstHaP/ct+hzZNrSA3/NDy7LEHx/ P1pnt7JsDa+TpJPn58TG11/UIXQXeW6V80HbcWt+HhKJH9tW8GGrhDrYTWWddi6z6vAa bfyQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:user-agent:in-reply-to:content-disposition :mime-version:references:message-id:subject:cc:to:from:date :dkim-signature; bh=oWkJBDkeq4gmtzRx6NRpFA5vku8/WyRK30dRLyQT1IE=; b=lZ/Edg/eN4Sd+6XdUothekbttfqyoSjkOUOGOMe2Q9jR2d+OyXORB+v6DiZ2GYrbQb 7dPu80ZUI1Go0LTO1IGayK+cLuhsb9kKH+3kElhsVbMGafPqRN8VQHg/MqVmIO74KPJS 84hZuPdbEM6AsQuO0wGjvedUw1rcbQk2Mn4tVSSqGAxe2wHU8NkNSzaWljLLIRTgPcWB OMU6t9GTz7pwdN39PiMOLrt1PUGhzYEyakZ6x6FiqWUiICrfGU4feddW6NRQlE7HoP6y yP6hmRKljB3JQvRPXTt5dS0e3HTVcnigxDKdwHvbgJx1Z6kDMiSGl2TlvHkt+soLrUdK SF8w== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@google.com header.s=20210112 header.b=PMx3kpP5; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id b5-20020a6567c5000000b003c65a1f5f3csi15515409pgs.535.2022.05.10.07.54.19; Tue, 10 May 2022 07:54:35 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@google.com header.s=20210112 header.b=PMx3kpP5; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S241533AbiEJMKL (ORCPT + 99 others); Tue, 10 May 2022 08:10:11 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:43678 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S241342AbiEJMKD (ORCPT ); Tue, 10 May 2022 08:10:03 -0400 Received: from mail-wm1-x32b.google.com (mail-wm1-x32b.google.com [IPv6:2a00:1450:4864:20::32b]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 122AD4BFFE for ; Tue, 10 May 2022 05:06:05 -0700 (PDT) Received: by mail-wm1-x32b.google.com with SMTP id k126so10050372wme.2 for ; Tue, 10 May 2022 05:06:04 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20210112; h=date:from:to:cc:subject:message-id:references:mime-version :content-disposition:in-reply-to:user-agent; bh=oWkJBDkeq4gmtzRx6NRpFA5vku8/WyRK30dRLyQT1IE=; b=PMx3kpP5QtnuG3tHlO7CN/Gk4d74GFdWXB8ooztEhHRCs3ZJ8IM0IHuzldPIQFgmzQ E/ZHIcOVBdU9uUt3xPemFPxJ5m+V/CRWsRhh/Mny2hOs8j2F32a9kxTwb6hYTQkahf/Q SESYpg/i6i5JUV6RLTeR/xPSNZfLvyJVMhw8MVzxoYyFE5y6yYlx36SEyWruleFIV1D1 KWE20LvKALDAD/nkb5XoIOK5RimNSXgQCxWAynYVJf/rG1eeKK0gnRgdxDXDPVCMVq4S 0k9Ss6ijr37Jg4awdSWeNezXx/DlH3pSKyz8EWazKLNYGAlWV/zQ9pO1P4qEk9b+Kqlz tm5w== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:date:from:to:cc:subject:message-id:references :mime-version:content-disposition:in-reply-to:user-agent; bh=oWkJBDkeq4gmtzRx6NRpFA5vku8/WyRK30dRLyQT1IE=; b=61j1Aay4JiiTU87gW8ayOCbX6aJ1HPExjj0aw6JcpNx6hYSM/o0Cfnv0nihztytOGI RS3VS1+p2FiO8my7M5MYqX3QQdTptPQA00WPZ1bf64/AKeEEy4ijYGKOGLddb3XQJQM0 cV8ITY72ga/IqOlCm5OhGjUzkbUqoIpmASajpSpaw24Lz6bPmjRrNBOLTlKfdsPu6Nuh PxtE16tszZlmu+CkvmhQ+w1K+U9YOxTFNhrPlnKI+boGl3sjdvF4odYvLjSi3miHd+Qv V9LkBs0OreixO4cmGsNZFFz4AI7iNnJUYpQlMN00ZyAB/ItcIbtDHN7C/S5wRUSB04+f /htA== X-Gm-Message-State: AOAM531dpCiEYFlzqcIq6jsWomPgi97ugs3AwHcEd/QKdEQwnAJuyI57 njLU3ImfKERiCtJhBimMcs9OsA== X-Received: by 2002:a05:600c:4ed1:b0:394:8352:3ea1 with SMTP id g17-20020a05600c4ed100b0039483523ea1mr15503780wmq.153.1652184362787; Tue, 10 May 2022 05:06:02 -0700 (PDT) Received: from elver.google.com ([2a00:79e0:15:13:640f:aa66:3ec8:cbb6]) by smtp.gmail.com with ESMTPSA id d3-20020a05600c3ac300b00394586f696dsm2361872wms.11.2022.05.10.05.06.01 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 10 May 2022 05:06:02 -0700 (PDT) Date: Tue, 10 May 2022 14:05:56 +0200 From: Marco Elver To: andrey.konovalov@linux.dev Cc: Alexander Potapenko , Andrey Konovalov , Dmitry Vyukov , Andrey Ryabinin , kasan-dev@googlegroups.com, Andrew Morton , linux-mm@kvack.org, linux-kernel@vger.kernel.org, Andrey Konovalov Subject: Re: [PATCH 1/3] kasan: update documentation Message-ID: References: <5bd58ebebf066593ce0e1d265d60278b5f5a1874.1652123204.git.andreyknvl@google.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <5bd58ebebf066593ce0e1d265d60278b5f5a1874.1652123204.git.andreyknvl@google.com> User-Agent: Mutt/2.1.4 (2021-12-11) X-Spam-Status: No, score=-17.6 required=5.0 tests=BAYES_00,DKIMWL_WL_MED, DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF, ENV_AND_HDR_SPF_MATCH,RCVD_IN_DNSWL_NONE,SPF_HELO_NONE,SPF_PASS, T_SCC_BODY_TEXT_LINE,USER_IN_DEF_DKIM_WL,USER_IN_DEF_SPF_WL autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Mon, May 09, 2022 at 09:07PM +0200, andrey.konovalov@linux.dev wrote: > From: Andrey Konovalov > > Do assorted clean-ups and improvements to KASAN documentation, including: > > - Describe each mode in a dedicated paragraph. > - Split out a Support section that describes in details which compilers, > architectures and memory types each mode requires/supports. > - Capitalize the first letter in the names of each KASAN mode. > > Signed-off-by: Andrey Konovalov Reviewed-by: Marco Elver But see comment below. > --- > Documentation/dev-tools/kasan.rst | 143 ++++++++++++++++++------------ > 1 file changed, 87 insertions(+), 56 deletions(-) > > diff --git a/Documentation/dev-tools/kasan.rst b/Documentation/dev-tools/kasan.rst > index 7614a1fc30fa..aca219ed1198 100644 > --- a/Documentation/dev-tools/kasan.rst > +++ b/Documentation/dev-tools/kasan.rst > @@ -4,39 +4,76 @@ The Kernel Address Sanitizer (KASAN) > Overview > -------- > > -KernelAddressSANitizer (KASAN) is a dynamic memory safety error detector > -designed to find out-of-bound and use-after-free bugs. KASAN has three modes: > +Kernel Address Sanitizer (KASAN) is a dynamic memory safety error detector > +designed to find out-of-bounds and use-after-free bugs. > > -1. generic KASAN (similar to userspace ASan), > -2. software tag-based KASAN (similar to userspace HWASan), > -3. hardware tag-based KASAN (based on hardware memory tagging). > +KASAN has three modes: > > -Generic KASAN is mainly used for debugging due to a large memory overhead. > -Software tag-based KASAN can be used for dogfood testing as it has a lower > -memory overhead that allows using it with real workloads. Hardware tag-based > -KASAN comes with low memory and performance overheads and, therefore, can be > -used in production. Either as an in-field memory bug detector or as a security > -mitigation. > +1. Generic KASAN > +2. Software Tag-Based KASAN > +3. Hardware Tag-Based KASAN > > -Software KASAN modes (#1 and #2) use compile-time instrumentation to insert > -validity checks before every memory access and, therefore, require a compiler > -version that supports that. > +Generic KASAN, enabled with CONFIG_KASAN_GENERIC, is the mode intended for > +debugging, similar to userspace ASan. This mode is supported on many CPU > +architectures, but it has significant performance and memory overheads. > > -Generic KASAN is supported in GCC and Clang. With GCC, it requires version > -8.3.0 or later. Any supported Clang version is compatible, but detection of > -out-of-bounds accesses for global variables is only supported since Clang 11. > +Software Tag-Based KASAN or SW_TAGS KASAN, enabled with CONFIG_KASAN_SW_TAGS, > +can be used for both debugging and dogfood testing, similar to userspace HWASan. > +This mode is only supported for arm64, but its moderate memory overhead allows > +using it for testing on memory-restricted devices with real workloads. > > -Software tag-based KASAN mode is only supported in Clang. > +Hardware Tag-Based KASAN or HW_TAGS KASAN, enabled with CONFIG_KASAN_HW_TAGS, > +is the mode intended to be used as an in-field memory bug detector or as a > +security mitigation. This mode only works on arm64 CPUs that support MTE > +(Memory Tagging Extension), but it has low memory and performance overheads and > +thus can be used in production. > > -The hardware KASAN mode (#3) relies on hardware to perform the checks but > -still requires a compiler version that supports memory tagging instructions. > -This mode is supported in GCC 10+ and Clang 12+. > +For details about the memory and performance impact of each KASAN mode, see the > +descriptions of the corresponding Kconfig options. > > -Both software KASAN modes work with SLUB and SLAB memory allocators, > -while the hardware tag-based KASAN currently only supports SLUB. > +The Generic and the Software Tag-Based modes are commonly referred to as the > +software modes. The Software Tag-Based and the Hardware Tag-Based modes are > +referred to as the tag-based modes. > > -Currently, generic KASAN is supported for the x86_64, arm, arm64, xtensa, s390, > -and riscv architectures, and tag-based KASAN modes are supported only for arm64. > +Support > +------- > + > +Architectures > +~~~~~~~~~~~~~ > + > +Generic KASAN is supported on x86_64, arm, arm64, powerpc, riscv, s390, and > +xtensa, and the tag-based KASAN modes are supported only on arm64. > + > +Compilers > +~~~~~~~~~ > + > +Software KASAN modes use compile-time instrumentation to insert validity checks > +before every memory access and thus require a compiler version that provides > +support for that. The Hardware Tag-Based mode relies on hardware to perform > +these checks but still requires a compiler version that supports the memory > +tagging instructions. > + > +Generic KASAN requires GCC version 8.3.0 or later > +or any Clang version supported by the kernel. > + > +Software Tag-Based KASAN requires GCC 11+ > +or any Clang version supported by the kernel. > + > +Hardware Tag-Based KASAN requires GCC 10+ or Clang 12+. > + > +Memory types > +~~~~~~~~~~~~ > + > +Generic KASAN supports finding bugs in all of slab, page_alloc, vmap, vmalloc, > +stack, and global memory. > + > +Software Tag-Based KASAN supports slab, page_alloc, vmalloc, and stack memory. > + > +Hardware Tag-Based KASAN supports slab, page_alloc, and non-executable vmalloc > +memory. > + > +For slab, both software KASAN modes support SLUB and SLAB allocators, while > +Hardware Tag-Based KASAN only supports SLUB. > > Usage > ----- > @@ -45,13 +82,13 @@ To enable KASAN, configure the kernel with:: > > CONFIG_KASAN=y > > -and choose between ``CONFIG_KASAN_GENERIC`` (to enable generic KASAN), > -``CONFIG_KASAN_SW_TAGS`` (to enable software tag-based KASAN), and > -``CONFIG_KASAN_HW_TAGS`` (to enable hardware tag-based KASAN). > +and choose between ``CONFIG_KASAN_GENERIC`` (to enable Generic KASAN), > +``CONFIG_KASAN_SW_TAGS`` (to enable Software Tag-Based KASAN), and > +``CONFIG_KASAN_HW_TAGS`` (to enable Hardware Tag-Based KASAN). > > -For software modes, also choose between ``CONFIG_KASAN_OUTLINE`` and > +For the software modes, also choose between ``CONFIG_KASAN_OUTLINE`` and > ``CONFIG_KASAN_INLINE``. Outline and inline are compiler instrumentation types. > -The former produces a smaller binary while the latter is 1.1-2 times faster. > +The former produces a smaller binary while the latter is up to 2 times faster. > > To include alloc and free stack traces of affected slab objects into reports, > enable ``CONFIG_STACKTRACE``. To include alloc and free stack traces of affected > @@ -146,7 +183,7 @@ is either 8 or 16 aligned bytes depending on KASAN mode. Each number in the > memory state section of the report shows the state of one of the memory > granules that surround the accessed address. > > -For generic KASAN, the size of each memory granule is 8. The state of each > +For Generic KASAN, the size of each memory granule is 8. The state of each > granule is encoded in one shadow byte. Those 8 bytes can be accessible, > partially accessible, freed, or be a part of a redzone. KASAN uses the following > encoding for each shadow byte: 00 means that all 8 bytes of the corresponding > @@ -181,14 +218,14 @@ By default, KASAN prints a bug report only for the first invalid memory access. > With ``kasan_multi_shot``, KASAN prints a report on every invalid access. This > effectively disables ``panic_on_warn`` for KASAN reports. > > -Alternatively, independent of ``panic_on_warn`` the ``kasan.fault=`` boot > +Alternatively, independent of ``panic_on_warn``, the ``kasan.fault=`` boot > parameter can be used to control panic and reporting behaviour: > > - ``kasan.fault=report`` or ``=panic`` controls whether to only print a KASAN > report or also panic the kernel (default: ``report``). The panic happens even > if ``kasan_multi_shot`` is enabled. > > -Hardware tag-based KASAN mode (see the section about various modes below) is > +Hardware Tag-Based KASAN mode (see the section about various modes below) is > intended for use in production as a security mitigation. Therefore, it supports > additional boot parameters that allow disabling KASAN or controlling features: > > @@ -250,49 +287,46 @@ outline-instrumented kernel. > Generic KASAN is the only mode that delays the reuse of freed objects via > quarantine (see mm/kasan/quarantine.c for implementation). > > -Software tag-based KASAN > +Software Tag-Based KASAN > ~~~~~~~~~~~~~~~~~~~~~~~~ > > -Software tag-based KASAN uses a software memory tagging approach to checking > +Software Tag-Based KASAN uses a software memory tagging approach to checking > access validity. It is currently only implemented for the arm64 architecture. > > -Software tag-based KASAN uses the Top Byte Ignore (TBI) feature of arm64 CPUs > +Software Tag-Based KASAN uses the Top Byte Ignore (TBI) feature of arm64 CPUs > to store a pointer tag in the top byte of kernel pointers. It uses shadow memory > to store memory tags associated with each 16-byte memory cell (therefore, it > dedicates 1/16th of the kernel memory for shadow memory). > > -On each memory allocation, software tag-based KASAN generates a random tag, tags > +On each memory allocation, Software Tag-Based KASAN generates a random tag, tags > the allocated memory with this tag, and embeds the same tag into the returned > pointer. > > -Software tag-based KASAN uses compile-time instrumentation to insert checks > +Software Tag-Based KASAN uses compile-time instrumentation to insert checks > before each memory access. These checks make sure that the tag of the memory > that is being accessed is equal to the tag of the pointer that is used to access > -this memory. In case of a tag mismatch, software tag-based KASAN prints a bug > +this memory. In case of a tag mismatch, Software Tag-Based KASAN prints a bug > report. > > -Software tag-based KASAN also has two instrumentation modes (outline, which > +Software Tag-Based KASAN also has two instrumentation modes (outline, which > emits callbacks to check memory accesses; and inline, which performs the shadow > memory checks inline). With outline instrumentation mode, a bug report is > printed from the function that performs the access check. With inline > instrumentation, a ``brk`` instruction is emitted by the compiler, and a > dedicated ``brk`` handler is used to print bug reports. > > -Software tag-based KASAN uses 0xFF as a match-all pointer tag (accesses through > +Software Tag-Based KASAN uses 0xFF as a match-all pointer tag (accesses through > pointers with the 0xFF pointer tag are not checked). The value 0xFE is currently > reserved to tag freed memory regions. > > -Software tag-based KASAN currently only supports tagging of slab, page_alloc, > -and vmalloc memory. > - > -Hardware tag-based KASAN > +Hardware Tag-Based KASAN > ~~~~~~~~~~~~~~~~~~~~~~~~ > > -Hardware tag-based KASAN is similar to the software mode in concept but uses > +Hardware Tag-Based KASAN is similar to the software mode in concept but uses > hardware memory tagging support instead of compiler instrumentation and > shadow memory. > > -Hardware tag-based KASAN is currently only implemented for arm64 architecture > +Hardware Tag-Based KASAN is currently only implemented for arm64 architecture > and based on both arm64 Memory Tagging Extension (MTE) introduced in ARMv8.5 > Instruction Set Architecture and Top Byte Ignore (TBI). > > @@ -302,21 +336,18 @@ access, hardware makes sure that the tag of the memory that is being accessed is > equal to the tag of the pointer that is used to access this memory. In case of a > tag mismatch, a fault is generated, and a report is printed. > > -Hardware tag-based KASAN uses 0xFF as a match-all pointer tag (accesses through > +Hardware Tag-Based KASAN uses 0xFF as a match-all pointer tag (accesses through > pointers with the 0xFF pointer tag are not checked). The value 0xFE is currently > reserved to tag freed memory regions. > > -Hardware tag-based KASAN currently only supports tagging of slab, page_alloc, > -and VM_ALLOC-based vmalloc memory. > - > -If the hardware does not support MTE (pre ARMv8.5), hardware tag-based KASAN > +If the hardware does not support MTE (pre ARMv8.5), Hardware Tag-Based KASAN > will not be enabled. In this case, all KASAN boot parameters are ignored. > > Note that enabling CONFIG_KASAN_HW_TAGS always results in in-kernel TBI being > enabled. Even when ``kasan.mode=off`` is provided or when the hardware does not > support MTE (but supports TBI). > > -Hardware tag-based KASAN only reports the first found bug. After that, MTE tag > +Hardware Tag-Based KASAN only reports the first found bug. After that, MTE tag > checking gets disabled. > > Shadow memory > @@ -414,15 +445,15 @@ generic ``noinstr`` one. > Note that disabling compiler instrumentation (either on a per-file or a > per-function basis) makes KASAN ignore the accesses that happen directly in > that code for software KASAN modes. It does not help when the accesses happen > -indirectly (through calls to instrumented functions) or with the hardware > -tag-based mode that does not use compiler instrumentation. > +indirectly (through calls to instrumented functions) or with Hardware > +Tag-Based KASAN, which does not use compiler instrumentation. > > For software KASAN modes, to disable KASAN reports in a part of the kernel code > for the current task, annotate this part of the code with a > ``kasan_disable_current()``/``kasan_enable_current()`` section. This also > disables the reports for indirect accesses that happen through function calls. > > -For tag-based KASAN modes (include the hardware one), to disable access > +For tag-based KASAN modes (include the Hardware one), to disable access The changes related to capitalization appear weird here. At least in this case, it starts with "tag-based" (lower case) and then in braces ".. the Hardware one". This does not look like correct English. The "hardware" here is not part of a name, so no need for capitalization. And "tag-based" can also stay lower case, since it is not part of a name either, but an adjective to "KASAN". Or you rewrite the sentence. > checking, use ``kasan_reset_tag()`` or ``page_kasan_tag_reset()``. Note that > temporarily disabling access checking via ``page_kasan_tag_reset()`` requires > saving and restoring the per-page KASAN tag via > -- > 2.25.1 >