From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <pcc@google.com>
Received: from mail-io1-xd42.google.com (mail-io1-xd42.google.com
 [IPv6:2607:f8b0:4864:20::d42])
 by sourceware.org (Postfix) with ESMTPS id 49FDD3983A63
 for <libc-alpha@sourceware.org>; Tue, 17 Nov 2020 18:17:23 +0000 (GMT)
DMARC-Filter: OpenDMARC Filter v1.3.2 sourceware.org 49FDD3983A63
Received: by mail-io1-xd42.google.com with SMTP id u21so22136983iol.12
 for <libc-alpha@sourceware.org>; Tue, 17 Nov 2020 10:17:23 -0800 (PST)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=1e100.net; s=20161025;
 h=x-gm-message-state:mime-version:references:in-reply-to:from:date
 :message-id:subject:to:cc;
 bh=ttXeKrhKcMls8e2meNyf1Yp9vx4Qupy+215G4JEYgyE=;
 b=Bh1BBmWQvE9VFv0Zxr3ki5yBuLdn+FR2A9JmQL+iBM3zpQIOerlh9bIIchc4DM37+T
 DLJs875Hou7pe3xtgmv8xkfhN5XiaBr4O6ROQ8PGN3o4Q3gH8RZM5uZn5nBhBRGiES5R
 locwwEYEK/sPMFr2Uri9ZqTrulm4WxjhHBnoaDc4Nb3ma7/8lUXmrwCTntMg8prOgMf/
 8o/sG3PuRxedeqnIjt6claTqncsw8Ap6dn3Xm0B1R37D5+De5nb6bxivOt01ejZsUWpB
 7oRcihy0sdfI0jsU5Y1lw7W+Tweul5nvqb9jrK1PqxpsEu6qTahrOLQmEkP4MEqb6uL1
 nPFQ==
X-Gm-Message-State: AOAM533z9iDW0Fi6pn7zqjbe2Gj7wUTGSSbqQAamwDzV/qum2wxW8I3Y
 oQheKc0iV/oH31fpv9pN3aHEts7LPm0yeaDPq/rukg==
X-Google-Smtp-Source: ABdhPJwJkTaHobAIO358KOOx6EVeXkRqDl2senlYO+76iU8R/dOi/Rm3jLJYK4cqZPNpt+Q/Uz+Yj4G7YWF7pX9dv+Y=
X-Received: by 2002:a5d:9cc7:: with SMTP id w7mr12383475iow.202.1605637042319; 
 Tue, 17 Nov 2020 10:17:22 -0800 (PST)
MIME-Version: 1.0
References: <20201014055106.25164-1-pcc@google.com>
 <87blfv6fj3.fsf@mid.deneb.enyo.de>
In-Reply-To: <87blfv6fj3.fsf@mid.deneb.enyo.de>
From: Peter Collingbourne <pcc@google.com>
Date: Tue, 17 Nov 2020 10:17:11 -0800
Message-ID: <CAMn1gO7a-uyP93P4KapbsXy1+HRSuJR4r_kyy0_-FCY69qO_nA@mail.gmail.com>
Subject: Re: [PATCH v2] arm64: Introduce prctl(PR_PAC_{SET,GET}_ENABLED_KEYS)
To: Florian Weimer <fw@deneb.enyo.de>
Cc: Catalin Marinas <catalin.marinas@arm.com>,
 Evgenii Stepanov <eugenis@google.com>, Kostya Serebryany <kcc@google.com>,
 Vincenzo Frascino <vincenzo.frascino@arm.com>, 
 Dave Martin <Dave.Martin@arm.com>,
 Linux ARM <linux-arm-kernel@lists.infradead.org>, 
 Kevin Brodsky <kevin.brodsky@arm.com>, Andrey Konovalov <andreyknvl@google.com>,
 Will Deacon <will@kernel.org>, Linux API <linux-api@vger.kernel.org>,
 libc-alpha@sourceware.org
Content-Type: text/plain; charset="UTF-8"
X-Spam-Status: No, score=-17.8 required=5.0 tests=BAYES_00, DKIMWL_WL_MED,
 DKIM_SIGNED, DKIM_VALID, DKIM_VALID_AU, DKIM_VALID_EF, ENV_AND_HDR_SPF_MATCH,
 RCVD_IN_DNSWL_NONE, SPF_HELO_NONE, SPF_PASS, TXREP, USER_IN_DEF_DKIM_WL,
 USER_IN_DEF_SPF_WL autolearn=ham autolearn_force=no version=3.4.2
X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on
 server2.sourceware.org
X-BeenThere: libc-alpha@sourceware.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Libc-alpha mailing list <libc-alpha.sourceware.org>
List-Unsubscribe: <https://sourceware.org/mailman/options/libc-alpha>,
 <mailto:libc-alpha-request@sourceware.org?subject=unsubscribe>
List-Archive: <https://sourceware.org/pipermail/libc-alpha/>
List-Post: <mailto:libc-alpha@sourceware.org>
List-Help: <mailto:libc-alpha-request@sourceware.org?subject=help>
List-Subscribe: <https://sourceware.org/mailman/listinfo/libc-alpha>,
 <mailto:libc-alpha-request@sourceware.org?subject=subscribe>
X-List-Received-Date: Tue, 17 Nov 2020 18:17:24 -0000

On Tue, Nov 17, 2020 at 9:48 AM Florian Weimer <fw@deneb.enyo.de> wrote:
>
> * Peter Collingbourne:
>
> > This prctl allows the user program to control which PAC keys are enabled
> > in a particular task. The main reason why this is useful is to enable a
> > userspace ABI that uses PAC to sign and authenticate function pointers
> > and other pointers exposed outside of the function, while still allowing
> > binaries conforming to the ABI to interoperate with legacy binaries that
> > do not sign or authenticate pointers.
> >
> > The idea is that a dynamic loader or early startup code would issue
> > this prctl very early after establishing that a process may load legacy
> > binaries, but before executing any PAC instructions.
>
> I thought that the silicon did not support this?

See e.g. the documentation for SCTLR_EL1.EnIA [1] for details. There
are also enable bits for the other three keys.

> What exactly does this switch on and off?  The signing itself (so that
> the bits are zero again), or just the verification?

Both the PAC* and AUT* instructions for the specific key become
no-ops, so the bits will be zero.

> I do not know how easy it will be to adjust the glibc dynamic linker
> to this because I expect it to use PAC instructions itself.  (It is an
> interesting target, I suppose, so this makes sense to me.)  The loader
> code used for initial process setup and later dlopen is the same.
> Worst case, we could compile the loader twice.

If you can avoid creating function pointers before the loader has
finished recursively scanning all libraries, and the ABI uses
different keys for function pointers and return addresses, you may be
able to get away with making the decision in the loader. The idea is
that you would disable the function pointer key and leave the return
address key enabled. This would also have the advantage of at least
providing return address protection for some libraries if function
pointer protection can't be enabled.

> There is also an issue with LD_AUDIT, where we run user-supplied code
> (which might be PAC-compatible) before loading code that is not.  I
> guess we could disable PAC by default in LD_AUDIT mode (which is
> unusual, no relation to the kernel audit subsystem).

Yes, LD_AUDIT may be difficult to deal with if it can influence which
libraries are loaded at startup. I agree that LD_AUDIT should disable
PAC by default.

Peter

[1] https://developer.arm.com/docs/ddi0601/d/aarch64-system-registers/sctlr_el1#EnIA_31