| Mark Rutland | fbedc59 | 2018-12-07 18:39:31 +0000 | [diff] [blame] | 1 | Pointer authentication in AArch64 Linux |
| 2 | ======================================= |
| 3 | |
| 4 | Author: Mark Rutland <mark.rutland@arm.com> |
| 5 | Date: 2017-07-19 |
| 6 | |
| 7 | This document briefly describes the provision of pointer authentication |
| 8 | functionality in AArch64 Linux. |
| 9 | |
| 10 | |
| 11 | Architecture overview |
| 12 | --------------------- |
| 13 | |
| 14 | The ARMv8.3 Pointer Authentication extension adds primitives that can be |
| 15 | used to mitigate certain classes of attack where an attacker can corrupt |
| 16 | the contents of some memory (e.g. the stack). |
| 17 | |
| 18 | The extension uses a Pointer Authentication Code (PAC) to determine |
| 19 | whether pointers have been modified unexpectedly. A PAC is derived from |
| 20 | a pointer, another value (such as the stack pointer), and a secret key |
| 21 | held in system registers. |
| 22 | |
| 23 | The extension adds instructions to insert a valid PAC into a pointer, |
| 24 | and to verify/remove the PAC from a pointer. The PAC occupies a number |
| 25 | of high-order bits of the pointer, which varies dependent on the |
| 26 | configured virtual address size and whether pointer tagging is in use. |
| 27 | |
| 28 | A subset of these instructions have been allocated from the HINT |
| 29 | encoding space. In the absence of the extension (or when disabled), |
| 30 | these instructions behave as NOPs. Applications and libraries using |
| 31 | these instructions operate correctly regardless of the presence of the |
| 32 | extension. |
| 33 | |
| 34 | The extension provides five separate keys to generate PACs - two for |
| 35 | instruction addresses (APIAKey, APIBKey), two for data addresses |
| 36 | (APDAKey, APDBKey), and one for generic authentication (APGAKey). |
| 37 | |
| 38 | |
| 39 | Basic support |
| 40 | ------------- |
| 41 | |
| 42 | When CONFIG_ARM64_PTR_AUTH is selected, and relevant HW support is |
| 43 | present, the kernel will assign random key values to each process at |
| 44 | exec*() time. The keys are shared by all threads within the process, and |
| 45 | are preserved across fork(). |
| 46 | |
| 47 | Presence of address authentication functionality is advertised via |
| 48 | HWCAP_PACA, and generic authentication functionality via HWCAP_PACG. |
| 49 | |
| 50 | The number of bits that the PAC occupies in a pointer is 55 minus the |
| 51 | virtual address size configured by the kernel. For example, with a |
| 52 | virtual address size of 48, the PAC is 7 bits wide. |
| 53 | |
| 54 | Recent versions of GCC can compile code with APIAKey-based return |
| 55 | address protection when passed the -msign-return-address option. This |
| 56 | uses instructions in the HINT space (unless -march=armv8.3-a or higher |
| 57 | is also passed), and such code can run on systems without the pointer |
| 58 | authentication extension. |
| 59 | |
| 60 | In addition to exec(), keys can also be reinitialized to random values |
| 61 | using the PR_PAC_RESET_KEYS prctl. A bitmask of PR_PAC_APIAKEY, |
| 62 | PR_PAC_APIBKEY, PR_PAC_APDAKEY, PR_PAC_APDBKEY and PR_PAC_APGAKEY |
| 63 | specifies which keys are to be reinitialized; specifying 0 means "all |
| 64 | keys". |
| 65 | |
| 66 | |
| 67 | Debugging |
| 68 | --------- |
| 69 | |
| 70 | When CONFIG_ARM64_PTR_AUTH is selected, and HW support for address |
| 71 | authentication is present, the kernel will expose the position of TTBR0 |
| 72 | PAC bits in the NT_ARM_PAC_MASK regset (struct user_pac_mask), which |
| 73 | userspace can acquire via PTRACE_GETREGSET. |
| 74 | |
| 75 | The regset is exposed only when HWCAP_PACA is set. Separate masks are |
| 76 | exposed for data pointers and instruction pointers, as the set of PAC |
| 77 | bits can vary between the two. Note that the masks apply to TTBR0 |
| 78 | addresses, and are not valid to apply to TTBR1 addresses (e.g. kernel |
| 79 | pointers). |
| 80 | |
| 81 | |
| 82 | Virtualization |
| 83 | -------------- |
| 84 | |
| 85 | Pointer authentication is not currently supported in KVM guests. KVM |
| 86 | will mask the feature bits from ID_AA64ISAR1_EL1, and attempted use of |
| 87 | the feature will result in an UNDEFINED exception being injected into |
| 88 | the guest. |