Orange Pi5 kernel

Deprecated Linux kernel 5.10.110 for OrangePi 5/5B/5+ boards

Blame: commit 8f3ce5b39 (kx, 2023-10-28 12:00:06 +0300)

=======================================
Pointer authentication in AArch64 Linux
=======================================

Author: Mark Rutland <mark.rutland@arm.com>

Date: 2017-07-19

This document briefly describes the provision of pointer authentication
functionality in AArch64 Linux.


Architecture overview
---------------------

The ARMv8.3 Pointer Authentication extension adds primitives that can be
used to mitigate certain classes of attack where an attacker can corrupt
the contents of some memory (e.g. the stack).

The extension uses a Pointer Authentication Code (PAC) to determine
whether pointers have been modified unexpectedly. A PAC is derived from
a pointer, another value (such as the stack pointer), and a secret key
held in system registers.

The extension adds instructions to insert a valid PAC into a pointer,
and to verify/remove the PAC from a pointer. The PAC occupies a number
of high-order bits of the pointer, which varies depending on the
configured virtual address size and whether pointer tagging is in use.

A subset of these instructions has been allocated from the HINT
encoding space. In the absence of the extension (or when it is disabled),
these instructions behave as NOPs, so applications and libraries using
them operate correctly regardless of whether the extension is present.

The extension provides five separate keys to generate PACs - two for
instruction addresses (APIAKey, APIBKey), two for data addresses
(APDAKey, APDBKey), and one for generic authentication (APGAKey).


Basic support
-------------

When CONFIG_ARM64_PTR_AUTH is selected, and relevant HW support is
present, the kernel will assign random key values to each process at
exec*() time. The keys are shared by all threads within the process, and
are preserved across fork().

Presence of address authentication functionality is advertised via
HWCAP_PACA, and generic authentication functionality via HWCAP_PACG.

The number of bits that the PAC occupies in a pointer is 55 minus the
virtual address size configured by the kernel. For example, with a
virtual address size of 48, the PAC is 7 bits wide.

Recent versions of GCC can compile code with APIAKey-based return
address protection when passed the -msign-return-address option. This
uses instructions in the HINT space (unless -march=armv8.3-a or higher
is also passed), and such code can run on systems without the pointer
authentication extension.

In addition to exec(), keys can also be reinitialized to random values
using the PR_PAC_RESET_KEYS prctl. A bitmask of PR_PAC_APIAKEY,
PR_PAC_APIBKEY, PR_PAC_APDAKEY, PR_PAC_APDBKEY and PR_PAC_APGAKEY
specifies which keys are to be reinitialized; specifying 0 means "all
keys".


Debugging
---------

When CONFIG_ARM64_PTR_AUTH is selected, and HW support for address
authentication is present, the kernel will expose the position of TTBR0
PAC bits in the NT_ARM_PAC_MASK regset (struct user_pac_mask), which
userspace can acquire via PTRACE_GETREGSET.

The regset is exposed only when HWCAP_PACA is set. Separate masks are
exposed for data pointers and instruction pointers, as the set of PAC
bits can vary between the two. Note that the masks apply to TTBR0
addresses, and are not valid to apply to TTBR1 addresses (e.g. kernel
pointers).
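The "55 minus the virtual address size" rule from the Basic support section and the TTBR0-only PAC mask described above are easy to get wrong in a crash reporter or unwinder, so here is an added example (not code from the kernel documentation or the Orange Pi kernel tree) that models them in C. It assumes the layout used when pointer tagging is in use for userspace (bit 55 selects TTBR0/TTBR1 and the PAC sits in bits [54:va_bits]); the helper names (pac_bits, pac_mask, strip_pac, count_signed_user_frames) and the sample frame addresses are constructed for the example. Real tooling should take the mask from the NT_ARM_PAC_MASK regset rather than deriving it from the VA size as the model does.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Added example, not from the kernel documentation. It models the PAC
 * layout the text describes for TTBR0 (userspace) addresses with pointer
 * tagging in use: bits [63:56] hold the tag, bit 55 selects TTBR0/TTBR1,
 * and the PAC occupies bits [54:va_bits], i.e. 55 - va_bits bits. */

#define PAC_TOP_BIT       54
#define TTBR_SELECT_BIT   55

/* Width of the PAC in bits for a kernel built with the given VA size. */
unsigned pac_bits(unsigned va_bits)
{
    return (PAC_TOP_BIT + 1) - va_bits;
}

/* Mask covering the PAC field: a contiguous run from bit va_bits to bit 54.
 * A debugger should not derive this itself but read it from the
 * NT_ARM_PAC_MASK regset (struct user_pac_mask), which carries separate
 * data and instruction masks; deriving it from va_bits is a model only. */
uint64_t pac_mask(unsigned va_bits)
{
    unsigned n = pac_bits(va_bits);
    return ((UINT64_C(1) << n) - 1) << va_bits;
}

/* TTBR0 (user) addresses have bit 55 clear; TTBR1 (kernel) addresses have it set. */
bool is_ttbr0_address(uint64_t ptr)
{
    return ((ptr >> TTBR_SELECT_BIT) & 1) == 0;
}

/* Remove the PAC from a user pointer so it can be compared or symbolised.
 * The mask is valid only for TTBR0 addresses, so TTBR1 pointers are
 * returned unchanged rather than having address bits clobbered. */
uint64_t strip_pac(uint64_t ptr, uint64_t mask)
{
    if (!is_ttbr0_address(ptr))
        return ptr;
    return ptr & ~mask;
}

/* Count how many user-space frames in a captured stack trace still carry a
 * non-zero PAC, i.e. were signed (typically return addresses produced by
 * code built with -msign-return-address). */
size_t count_signed_user_frames(const uint64_t *frames, size_t n, uint64_t insn_mask)
{
    size_t signed_frames = 0;
    for (size_t i = 0; i < n; i++) {
        if (is_ttbr0_address(frames[i]) && (frames[i] & insn_mask) != 0)
            signed_frames++;
    }
    return signed_frames;
}

/* Constructed sample: return addresses as a crash reporter might capture
 * them on a 48-bit VA kernel (7-bit PAC in bits [54:48]). */
const uint64_t sample_frames[] = {
    UINT64_C(0x005A555555551234),   /* user frame, PAC field 0x5A */
    UINT64_C(0x0000555555550080),   /* user frame, PAC field 0 (not signed) */
    UINT64_C(0x0013FFFFB7E21ABC),   /* user (shared library) frame, PAC 0x13 */
    UINT64_C(0xFFFF800010012345),   /* kernel (TTBR1) address: mask does not apply */
};
const size_t sample_frame_count = sizeof(sample_frames) / sizeof(sample_frames[0]);

int main(void)
{
    uint64_t mask = pac_mask(48);
    printf("VA 48: PAC is %u bits wide, mask 0x%016llx\n",
           pac_bits(48), (unsigned long long)mask);
    for (size_t i = 0; i < sample_frame_count; i++)
        printf("  0x%016llx -> 0x%016llx\n", (unsigned long long)sample_frames[i],
               (unsigned long long)strip_pac(sample_frames[i], mask));
    printf("%zu of %zu user frames carry a PAC\n",
           count_signed_user_frames(sample_frames, sample_frame_count, mask),
           sample_frame_count);
    return 0;
}
```

The TTBR1 check is the part worth keeping even when the mask comes from ptrace: applying the userspace mask to a kernel pointer (for instance one that leaked into a user-visible register dump) would silently clear real address bits instead of a PAC.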

Additionally, when CONFIG_CHECKPOINT_RESTORE is also set, the kernel
will expose the NT_ARM_PACA_KEYS and NT_ARM_PACG_KEYS regsets (struct
user_pac_address_keys and struct user_pac_generic_keys). These can be
used to get and set the keys for a thread.


Virtualization
--------------

Pointer authentication is enabled in a KVM guest when each virtual CPU is
initialised with the KVM_ARM_VCPU_PTRAUTH_[ADDRESS/GENERIC] flags, which
request that these two separate CPU features be enabled. The current KVM
guest implementation enables both features together, so both userspace
flags are checked before pointer authentication is enabled. Keeping the
flags separate means no userspace ABI change is needed if support for
enabling the two features independently of one another is added in the
future.

Because the Arm architecture specifies that the Pointer Authentication
feature is implemented together with the VHE feature, the KVM arm64
ptrauth code relies on VHE mode being present.

Additionally, when these vcpu feature flags are not set, KVM filters the
Pointer Authentication system key registers out of the KVM_GET/SET_REG_*
ioctls and masks those features from the cpufeature ID register. Any
attempt to use the Pointer Authentication instructions will then result
in an UNDEFINED exception being injected into the guest.


Enabling and disabling keys
---------------------------

The prctl PR_PAC_SET_ENABLED_KEYS allows the user program to control which
PAC keys are enabled in a particular task. It takes two arguments, the
first being a bitmask of PR_PAC_APIAKEY, PR_PAC_APIBKEY, PR_PAC_APDAKEY
and PR_PAC_APDBKEY specifying which keys shall be affected by this prctl,
and the second being a bitmask of the same bits specifying whether the key
should be enabled or disabled. For example::

  prctl(PR_PAC_SET_ENABLED_KEYS,
        PR_PAC_APIAKEY | PR_PAC_APIBKEY | PR_PAC_APDAKEY | PR_PAC_APDBKEY,
        PR_PAC_APIBKEY, 0, 0);

disables all keys except the IB key.

The main reason why this is useful is to enable a userspace ABI that uses PAC
instructions to sign and authenticate function pointers and other pointers
exposed outside of the function, while still allowing binaries conforming to
the ABI to interoperate with legacy binaries that do not sign or authenticate
pointers.

The idea is that a dynamic loader or early startup code would issue this
prctl very early after establishing that a process may load legacy binaries,
but before executing any PAC instructions.

For compatibility with previous kernel versions, processes start up with IA,
IB, DA and DB enabled, and are reset to this state on exec(). Processes created
via fork() and clone() inherit the key enabled state from the calling process.

It is recommended to avoid disabling the IA key, as this has higher performance
overhead than disabling any of the other keys.
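The two-bitmask interface of PR_PAC_SET_ENABLED_KEYS (which keys are affected, and which of those end up enabled) is the part that early startup code has to get right, so here is an added example in C, not code from the kernel documentation or the Orange Pi kernel tree, that applies the "IB key only" policy shown above the way a loader might: check HWCAP_PACA in the auxiliary vector, validate the two masks, then issue the prctl. The helper names (pac_enable_args_valid, pac_enabled_after, pac_address_auth_available, pac_restrict_to_ib_key) are constructed for the example, and the fallback #defines assume the values in the uapi linux/prctl.h and arm64 asm/hwcap.h headers; the pure helpers only model the affected/enabled semantics described in the text and run on any architecture.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#include <sys/auxv.h>
#include <sys/prctl.h>
#ifdef __aarch64__
#include <asm/hwcap.h>
#endif

/* Added example, not from the kernel documentation. Applies the policy
 * from the text (keep IB, disable IA, DA and DB) the way early startup
 * code might, after checking that address authentication is advertised. */

/* Fallbacks for older uapi headers; the values are assumed to match
 * linux/prctl.h and the arm64 asm/hwcap.h. */
#ifndef PR_PAC_APIAKEY
#define PR_PAC_APIAKEY (1UL << 0)
#define PR_PAC_APIBKEY (1UL << 1)
#define PR_PAC_APDAKEY (1UL << 2)
#define PR_PAC_APDBKEY (1UL << 3)
#define PR_PAC_APGAKEY (1UL << 4)
#endif
#ifndef PR_PAC_SET_ENABLED_KEYS
#define PR_PAC_SET_ENABLED_KEYS 60
#endif
#ifndef HWCAP_PACA
#define HWCAP_PACA (1UL << 30)
#endif

/* The four keys that PR_PAC_SET_ENABLED_KEYS can affect (APGAKey is not one). */
#define PAC_ADDRESS_KEYS \
    (PR_PAC_APIAKEY | PR_PAC_APIBKEY | PR_PAC_APDAKEY | PR_PAC_APDBKEY)

/* Local sanity check on the two masks: only address keys may be affected,
 * and a key can only be marked enabled if it is also listed as affected. */
bool pac_enable_args_valid(unsigned long affected, unsigned long enabled)
{
    if (affected & ~PAC_ADDRESS_KEYS)
        return false;
    if (enabled & ~affected)
        return false;
    return true;
}

/* Model of the prctl's effect: keys outside 'affected' keep their previous
 * state, keys inside 'affected' take the state given by 'enabled'. */
unsigned long pac_enabled_after(unsigned long current_keys,
                                unsigned long affected, unsigned long enabled)
{
    return (current_keys & ~affected) | (enabled & affected);
}

/* Address authentication is usable only when the kernel advertises HWCAP_PACA. */
bool pac_address_auth_available(void)
{
#ifdef __aarch64__
    return (getauxval(AT_HWCAP) & HWCAP_PACA) != 0;
#else
    return false;
#endif
}

/* Apply the documentation's example policy. Returns 1 if applied, 0 if the
 * hardware or kernel lacks address authentication, -1 (errno set) on error. */
int pac_restrict_to_ib_key(void)
{
    unsigned long affected = PAC_ADDRESS_KEYS;
    unsigned long enabled = PR_PAC_APIBKEY;

    if (!pac_address_auth_available())
        return 0;
    if (!pac_enable_args_valid(affected, enabled)) {
        errno = EINVAL;
        return -1;
    }
    if (prctl(PR_PAC_SET_ENABLED_KEYS, affected, enabled, 0, 0) != 0)
        return -1;
    return 1;
}

int main(int argc, char **argv)
{
    /* State at exec() per the text: IA, IB, DA and DB enabled. */
    unsigned long at_exec = PAC_ADDRESS_KEYS;
    unsigned long after = pac_enabled_after(at_exec, PAC_ADDRESS_KEYS, PR_PAC_APIBKEY);

    printf("address auth advertised: %s\n", pac_address_auth_available() ? "yes" : "no");
    printf("enabled keys after the example prctl: 0x%lx (IB = 0x%lx)\n",
           after, PR_PAC_APIBKEY);

    /* Only actually change the task's keys when asked to; see the note below. */
    if (argc > 1 && strcmp(argv[1], "--apply") == 0) {
        int rc = pac_restrict_to_ib_key();
        if (rc < 0)
            perror("PR_PAC_SET_ENABLED_KEYS");
        else
            printf("prctl %s\n", rc ? "applied" : "skipped (no address auth)");
    }
    return 0;
}
```

The ordering constraint in the text ("before executing any PAC instructions") is why main() only issues the prctl on request: if this program is itself built with -msign-return-address, main's return address was signed with the IA key before the prctl, so disabling IA from inside main breaks main's own return. A loader places the call before any signed frame exists, and, as the text recommends, leaves IA enabled whenever the ABI allows it.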