From patchwork Fri Oct 11 15:06:28 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Dave Martin X-Patchwork-Id: 175973 Delivered-To: patch@linaro.org Received: by 2002:a92:7e96:0:0:0:0:0 with SMTP id q22csp881013ill; Fri, 11 Oct 2019 08:07:21 -0700 (PDT) X-Google-Smtp-Source: APXvYqwEtUgkn7BTgb64AVJXqiGvLZ6bSnPJrcVqxPFP600trnxBrzRpKN5QKLahrUkM+DY++AGF X-Received: by 2002:aa7:c6cf:: with SMTP id b15mr13927941eds.215.1570806441537; Fri, 11 Oct 2019 08:07:21 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1570806441; cv=none; d=google.com; s=arc-20160816; b=gR6OniQhWoqXUYQixShSF6fFwnCfi37Z9xTuWdtic6w8+fk27MhBHb7n5VyOo10nhU FInvMDTfEQ7PAzhGIQtnVV5w5ezfa2CQneLYIsK2aU4a7GKksLkwiPqcQmUFa2a58Sdl kVj6TvzHmSAnpJqLRZedHwfu0udyXt6d3pqRbx05785zghAQR6XSgPc1nQmIoz9Vjs4o 58esAG6XFWQrnqEFFkrweiItvERans4bdeZrAOTrXDQ5EP78MAJzAdaR7e83IMPxGToW EBM9jcPx5CED7Ujy0Qv8NLRGchI8SvVcPMFrXuXmRhLw/h1hYejkfsYkR4OnYsBENOL4 MeYA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:references:in-reply-to:message-id:date :subject:cc:to:from; bh=NzjyGLcod0cjpwfONcLBy5b4iypziMEPQwfp0XSSut4=; b=xYBn7SVJFEckxUIVxRNAB+dshVRba7JZa3bjRoisDcKKUsL8GaKN0QOTVLVHQaO8D5 if/gftX6l8TQU1eE0rHiptXj9okDuOBBEQIuWALRCn0gC+9ymlK5VgNCiU7HlGmfDWzR EJooXsokcJt38UEFyn8Ji8aFhubvfCkeV231ImdKydJGAZd+xImvZUpQx6mzMwH3U/LU ox1RxfbmrjCSA5fjkVWc+AAWCX83GY/1rMzDd2Ytap9KZCtoufIvrfw5pLmEI50CkMYU iTgtRByStyxU6DOYj2Apnj/hnYC4pP2fgaoNACvNEpB3sG+7TOVqun3baj8yw6l3Ix+3 K53w== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id f14si5508192edt.92.2019.10.11.08.07.21; Fri, 11 Oct 2019 08:07:21 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1728070AbfJKPHU (ORCPT + 20 others); Fri, 11 Oct 2019 11:07:20 -0400 Received: from foss.arm.com ([217.140.110.172]:35212 "EHLO foss.arm.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726332AbfJKPHU (ORCPT ); Fri, 11 Oct 2019 11:07:20 -0400 Received: from usa-sjc-imap-foss1.foss.arm.com (unknown [10.121.207.14]) by usa-sjc-mx-foss1.foss.arm.com (Postfix) with ESMTP id A77B8142F; Fri, 11 Oct 2019 08:07:19 -0700 (PDT) Received: from e103592.cambridge.arm.com (usa-sjc-imap-foss1.foss.arm.com [10.121.207.14]) by usa-sjc-imap-foss1.foss.arm.com (Postfix) with ESMTPA id A59083F68E; Fri, 11 Oct 2019 08:07:16 -0700 (PDT) From: Dave Martin To: linux-kernel@vger.kernel.org Cc: Amit Kachhap , Andrew Jones , Arnd Bergmann , Catalin Marinas , Eugene Syromiatnikov , Florian Weimer , "H.J. Lu" , Jann Horn , Kees Cook , =?utf-8?q?Kristina_Mart=C5=A1enko?= , Marc Zyngier , Mark Brown , Paul Elliott , Peter Zijlstra , Richard Henderson , Sudakshina Das , Suzuki Poulose , Szabolcs Nagy , Thomas Gleixner , Vincenzo Frascino , Will Deacon , Yu-cheng Yu , linux-arch@vger.kernel.org, linux-arm-kernel@lists.infradead.org Subject: [FIXUP 1/2] squash! arm64: Basic Branch Target Identification support Date: Fri, 11 Oct 2019 16:06:28 +0100 Message-Id: <1570806389-16014-2-git-send-email-Dave.Martin@arm.com> X-Mailer: git-send-email 2.1.4 In-Reply-To: <1570806389-16014-1-git-send-email-Dave.Martin@arm.com> References: <1570733080-21015-6-git-send-email-Dave.Martin@arm.com> <1570806389-16014-1-git-send-email-Dave.Martin@arm.com> Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Signed-off-by: Dave Martin --- Changes since v2: * Fix Kconfig typo that claimed that Pointer authentication is part of ARMv8.2. It's v8.3. --- arch/arm64/Kconfig | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) -- 2.1.4 diff --git a/arch/arm64/Kconfig b/arch/arm64/Kconfig index 563dec5..6e26b72 100644 --- a/arch/arm64/Kconfig +++ b/arch/arm64/Kconfig @@ -1425,7 +1425,7 @@ config ARM64_BTI This is intended to provide complementary protection to other control flow integrity protection mechanisms, such as the Pointer - authentication mechanism provided as part of the ARMv8.2 Extensions. + authentication mechanism provided as part of the ARMv8.3 Extensions. To make use of BTI on CPUs that support it, say Y. From patchwork Fri Oct 11 15:06:29 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Dave Martin X-Patchwork-Id: 175974 Delivered-To: patch@linaro.org Received: by 2002:a92:7e96:0:0:0:0:0 with SMTP id q22csp881132ill; Fri, 11 Oct 2019 08:07:25 -0700 (PDT) X-Google-Smtp-Source: APXvYqypXFX1jNvaqVbfiC6k9KtzGogC3O5Tb8hX9Cg3ErMFRS54pFwMygYUL8je0MHeoyM5+mqd X-Received: by 2002:aa7:c513:: with SMTP id o19mr13817631edq.75.1570806445074; Fri, 11 Oct 2019 08:07:25 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1570806445; cv=none; d=google.com; s=arc-20160816; b=L8W3MWrVTJrMSbrvUZthRAQADXOuUaqVMrDtvB/MNlRC/OzTQ3HhC1ENGVVCsQLbj5 EGOzgiBwgG/aaWP8mmFCLACfZrR2xF6LKgux8lZrLfupB/Vsavk5EKiCQYpZMsSBbIR3 +V2zFtH/IJM1O2130THpc/0vfP5qLgGad0St42MeRqeUWxBECmeMCGRiLmgYz+3a9LDj 2eb3MCk0mwTeLAbiVpLvRT/Vtd8c/p9v8SsEycuqvxZeeztLj7+fIINjhYc69PQvQZpY LBmkAoQN5plSCyIvmfIJthn6Pezo8YpJ4URCSD3l7V7UQ3EkBLv7SJCDJAFSDgXZe3Q9 u+3g== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:references:in-reply-to:message-id:date :subject:cc:to:from; bh=IC8KyDZTrciYl+VB/roz1HVLWFDLOeaP1QagINOkQpQ=; b=kZ/BB+0prT4ySUc9bfoMbsDlUV2DxMIi9mstcEqDv/zC9J5cVXoRuwFjHP35eCQoqg SfXc7S8Ewc0LfJ27j1pD18oLwwccbH98aUxlbN35VUMJGLvNRsbX2SEgiMcNETtrM0Ce +lBWyUWeXAtJRSy5TMn9pGhIvDMZQBybdFJUy8j7D2LNe0ye5sPpOdXs25xZbKYG2hVQ 9FBFAjqp+3J1Gx6X1za8Y0xRZFcFpafHvNdyDIuI66sVx0lLfajLcpjYgVwr1I+aNs9O FRXYmQn99uczvwz7iv5Id4OgO2B+wSK8VrlD4lbbxG45qHTBgzrSkiliXC4uHtzoeY8r RuBw== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id f14si5508192edt.92.2019.10.11.08.07.24; Fri, 11 Oct 2019 08:07:25 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1728111AbfJKPHY (ORCPT + 20 others); Fri, 11 Oct 2019 11:07:24 -0400 Received: from foss.arm.com ([217.140.110.172]:35242 "EHLO foss.arm.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726332AbfJKPHX (ORCPT ); Fri, 11 Oct 2019 11:07:23 -0400 Received: from usa-sjc-imap-foss1.foss.arm.com (unknown [10.121.207.14]) by usa-sjc-mx-foss1.foss.arm.com (Postfix) with ESMTP id D54291570; Fri, 11 Oct 2019 08:07:22 -0700 (PDT) Received: from e103592.cambridge.arm.com (usa-sjc-imap-foss1.foss.arm.com [10.121.207.14]) by usa-sjc-imap-foss1.foss.arm.com (Postfix) with ESMTPA id EDF4D3F68E; Fri, 11 Oct 2019 08:07:19 -0700 (PDT) From: Dave Martin To: linux-kernel@vger.kernel.org Cc: Amit Kachhap , Andrew Jones , Arnd Bergmann , Catalin Marinas , Eugene Syromiatnikov , Florian Weimer , "H.J. Lu" , Jann Horn , Kees Cook , =?utf-8?q?Kristina_Mart=C5=A1enko?= , Marc Zyngier , Mark Brown , Paul Elliott , Peter Zijlstra , Richard Henderson , Sudakshina Das , Suzuki Poulose , Szabolcs Nagy , Thomas Gleixner , Vincenzo Frascino , Will Deacon , Yu-cheng Yu , linux-arch@vger.kernel.org, linux-arm-kernel@lists.infradead.org Subject: [FIXUP 2/2] squash! arm64: Basic Branch Target Identification support Date: Fri, 11 Oct 2019 16:06:29 +0100 Message-Id: <1570806389-16014-3-git-send-email-Dave.Martin@arm.com> X-Mailer: git-send-email 2.1.4 In-Reply-To: <1570806389-16014-1-git-send-email-Dave.Martin@arm.com> References: <1570733080-21015-6-git-send-email-Dave.Martin@arm.com> <1570806389-16014-1-git-send-email-Dave.Martin@arm.com> Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org [Add Kconfig dependency on CONFIG_ARM64_PTR_AUTH] Signed-off-by: Dave Martin --- This one could use some discussion. Two conforming hardware implementations containing BTI could nonetheless have incompatible Pointer auth implementations, meaning that we expose BTI to userspace but not Pointer auth. That's stupid hardware design, but the architecture doesn't forbid it today. We _could_ detect this and hide BTI from userspace too, but if a big.LITTLE system contains Pointer auth implementations with mismatched IMP DEF algorithms, we lose -- we have no direct way to detect that. Since BTI still provides some limited value without Pointer auth, disabling it unnecessarily might be regarded as too heavy-handed. Changes since v2: * Depend on CONFIG_ARM64_PTR_AUTH=y. During test hacking, I observed that there are situations where userspace should be entitled to assume that Pointer auth is present if BTI is present. Although the kernel BTI support doesn't require any aspect of Pointer authentication, there are architectural dependencies: * ARMv8.5 requires BTI to be implemented. [1] * BTI requires ARMv8.4-A to be implemented. [1], [2] * ARMv8.4 requires ARMv8.3 to be implemented. [3] * ARMv8.3 requires Pointer authentication to be implemented. [4] i.e., an implementation that supports BTI but not Pointer auth is broken. BTI is also designed to be complementary to Pointer authentication: without Pointer auth, BTI would offer no protection for function returns, seriously undermining the value of the feature. See ARM ARM for ARMv8-A (ARM DDI 0487E.a) Sections: [1] A2.8.1, "Architectural features added by ARMv8.5" [2] A2.2.1, "Permitted implementation of subsets of ARMv8.x and ARMv8.(x+1) architectural features" [3] A2.6.1, "Architectural features added by Armv8.3" [4] A2.6, "The Armv8.3 architecture extension" --- arch/arm64/Kconfig | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) -- 2.1.4 diff --git a/arch/arm64/Kconfig b/arch/arm64/Kconfig index 6e26b72..a64d91d 100644 --- a/arch/arm64/Kconfig +++ b/arch/arm64/Kconfig @@ -1418,16 +1418,21 @@ menu "ARMv8.5 architectural features" config ARM64_BTI bool "Branch Target Identification support" default y + depends on ARM64_PTR_AUTH help Branch Target Identification (part of the ARMv8.5 Extensions) provides a mechanism to limit the set of locations to which computed branch instructions such as BR or BLR can jump. - This is intended to provide complementary protection to other control + To make use of BTI on CPUs that support it, say Y. + + BTI is intended to provide complementary protection to other control flow integrity protection mechanisms, such as the Pointer authentication mechanism provided as part of the ARMv8.3 Extensions. + For this reason, it does not make sense to enable this option without + also enabling support for Pointer authentication. - To make use of BTI on CPUs that support it, say Y. + Thus, to enable this option you also need to select ARM64_PTR_AUTH=y. Userspace binaries must also be specifically compiled to make use of this mechanism. If you say N here or the hardware does not support