From: Luis Machado <luis.machado@arm.com>
To: Thiago Jung Bauermann <thiago.bauermann@linaro.org>
Cc: gdb-patches@sourceware.org, jhb@FreeBSD.org
Subject: Re: [PATCH] [AArch64] Enable pointer authentication support for aarch64 bare metal/kernel mode addresses
Date: Tue, 20 Dec 2022 09:17:25 +0000 [thread overview]
Message-ID: <f18be1d5-40c0-5f6b-61e4-003cbaeb7254@arm.com> (raw)
In-Reply-To: <87ili692xl.fsf@linaro.org>
On 12/20/22 03:20, Thiago Jung Bauermann wrote:
>
> Hello Luis,
>
> Luis Machado <luis.machado@arm.com> writes:
>
>> At the moment GDB only handles pointer authentication (pauth) for userspace
>> addresses and if we're debugging a Linux-hosted program.
>>
>> The Linux Kernel can be configured to use pauth instructions for some
>> additional security hardening, but GDB doesn't handle this well.
>>
>> To overcome this limitation, GDB needs a couple things:
>>
>> 1 - The target needs to advertise pauth support.
>> 2 - The hook to remove non-address bits from a pointer needs to be registered
>> in aarch64-tdep.c as opposed to aarch64-linux-tdep.c.
>>
>> There is a patch for QEMU [1] that addresses the first point, and it makes
>> QEMU's gdbstub expose a couple more pauth mask registers, so overall we will
>> have up to 4 pauth masks (2 masks or 4 masks):
>>
>> pauth_dmask
>> pauth_cmask
>> pauth_dmask_high
>> pauth_cmask_high
>>
>> pauth_dmask and pauth_cmask are the masks used to remove pauth signatures
>> from userspace addresses. pauth_dmask_high and pauth_cmask_high masks are used
>> to remove pauth signatures from kernel addresses.
>>
>> The second point is easily addressed by moving code around.
>>
>> When debugging a Linux Kernel built with pauth with an unpatched GDB, we get
>> the following backtrace:
>>
>> #0 __fput (file=0xffff0000c17a6400) at /repos/linux/fs/file_table.c:296
>> #1 0xffff8000082bd1f0 in ____fput (work=<optimized out>) at /repos/linux/fs/file_table.c:348
>> #2 0x30008000080ade30 [PAC] in ?? ()
>> #3 0x30d48000080ade30 in ?? ()
>> Backtrace stopped: previous frame identical to this frame (corrupt stack?)
>>
>> With a patched GDB, we get something a lot more meaningful:
>>
>> #0 __fput (file=0xffff0000c1bcfa00) at /repos/linux/fs/file_table.c:296
>> #1 0xffff8000082bd1f0 in ____fput (work=<optimized out>) at /repos/linux/fs/file_table.c:348
>> #2 0xffff8000080ade30 [PAC] in task_work_run () at /repos/linux/kernel/task_work.c:179
>> #3 0xffff80000801db90 [PAC] in resume_user_mode_work (regs=0xffff80000a96beb0) at /repos/linux/include/linux/resume_user_mode.h:49
>> #4 do_notify_resume (regs=regs@entry=0xffff80000a96beb0, thread_flags=4) at /repos/linux/arch/arm64/kernel/signal.c:1127
>> #5 0xffff800008fb9974 [PAC] in prepare_exit_to_user_mode (regs=0xffff80000a96beb0) at /repos/linux/arch/arm64/kernel/entry-common.c:137
>> #6 exit_to_user_mode (regs=0xffff80000a96beb0) at /repos/linux/arch/arm64/kernel/entry-common.c:142
>> #7 el0_svc (regs=0xffff80000a96beb0) at /repos/linux/arch/arm64/kernel/entry-common.c:638
>> #8 0xffff800008fb9d34 [PAC] in el0t_64_sync_handler (regs=<optimized out>) at /repos/linux/arch/arm64/kernel/entry-common.c:655
>> #9 0xffff800008011548 [PAC] in el0t_64_sync () at /repos/linux/arch/arm64/kernel/entry.S:586
>> Backtrace stopped: Cannot access memory at address 0xffff80000a96c0c8
>>
>> [1] https://gitlab.com/rth7680/qemu/-/commit/e440ce6de3e14bf19ee70935be9086c05359f07b
>> ---
>> gdb/aarch64-linux-tdep.c | 40 ---------------
>> gdb/aarch64-tdep.c | 103 ++++++++++++++++++++++++++++++++++-----
>> gdb/aarch64-tdep.h | 2 +
>> gdb/arch/aarch64.h | 6 +++
>> 4 files changed, 100 insertions(+), 51 deletions(-)
>
> I studied this patch and it looks good to me, so FWIW:
>
> Reviewed-by: Thiago Jung Bauermann <thiago.bauermann@linaro.org>
>
> One question: is it possible to run the testsuite against QEMU bare
> metal with pauth support? I would assume that there is at least one test
> (probably a lot more?) that fails without this patch and passes with it.
> Is that correct?
>
There isn't a specific test for this, but if you force pointer authentication in the compiler and the use of high
addresses (VA select bit 55 on), the regular GDB tests that do any sort of backtrace will fail without this patch.
Hardware watchpoints should also be affected by the pointer authentication bits.
The difficulty is setting up a gdb testsuite run against QEMU (or any other simulator). It would be nice to have that
though.
next prev parent reply other threads:[~2022-12-20 9:17 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-12-16 10:57 Luis Machado
2022-12-20 3:20 ` Thiago Jung Bauermann
2022-12-20 9:17 ` Luis Machado [this message]
2023-01-05 13:16 ` Luis Machado
2023-01-18 18:39 ` John Baldwin
2023-01-19 9:34 ` Luis Machado
2023-01-19 18:35 ` John Baldwin
2023-02-21 9:11 ` Luis Machado
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=f18be1d5-40c0-5f6b-61e4-003cbaeb7254@arm.com \
--to=luis.machado@arm.com \
--cc=gdb-patches@sourceware.org \
--cc=jhb@FreeBSD.org \
--cc=thiago.bauermann@linaro.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).