Thread (11 messages) 11 messages, 3 authors, 2021-02-12

Re: [PATCH v6 3/3] arm64: pac: Optimize kernel entry/exit key installation code paths

From: Peter Collingbourne <hidden>
Date: 2021-02-12 18:21:35
Also in: linux-arm-kernel 

On Fri, Feb 12, 2021 at 3:01 AM James Morse [off-list ref] wrote:
Hi Peter,

On 12/02/2021 05:01, Peter Collingbourne wrote:
quoted
On Tue, Jan 26, 2021 at 5:09 AM Will Deacon [off-list ref] wrote:
quoted
On Tue, Dec 29, 2020 at 10:59:15PM -0800, Peter Collingbourne wrote:
quoted
The kernel does not use any keys besides IA so we don't need to
install IB/DA/DB/GA on kernel exit if we arrange to install them
on task switch instead, which we can expect to happen an order of
magnitude less often.

Furthermore we can avoid installing the user IA in the case where the
user task has IA disabled and just leave the kernel IA installed. This
also lets us avoid needing to install IA on kernel entry.
I've got to be honest, this makes me nervous in case there is a way for
userspace to recover the kernel key even though EnIA is clear. Currently,
EnIA doesn't affect XPAC* and PACGA instructions, and the architecture
quoted
For GA I would expect it to be controlled by a hypothetical EnGA, not
by EnIA (and I'm a bit surprised that there isn't an EnGA;
PACGA is undefined if the CPU doesn't implement PAC, whereas PACIASP is a NOP if the CPU
doesn't implement PAC.

I think the reason from the SCTLR_ELx controls is to make unaware systems transform the
instructions that were hints back into hints. (e.g. the AddPACIA psuedo code). This is
needed on mismatched big-little systems, otherwise processes can't be migrated between them.
It's needed for more than that, see the history of my
PR_PAC_SET_ENABLED_KEYS patch, in particular [1].

For the non-hint instructions, user-space needs to test the hwcap/id-register-emulation to
know it can use these instructions, and the compiler shouldn't output them unconditionally.
Right, unless the target is known to support them.

quoted
doesn't it
mean that a userspace program running under an unaware kernel or
hypervisor may sign things using the GA from potentially another
hypervisor guest?)
The hypervisor controls all this with HCR_EL2.API, which also traps PACGA et al.
For the hypervisor its all or nothing.
If the hypervisor is emulating a machine without PAC, it can emulate an undefined
exception regardless of whether the CPU supports PAC or not.

Does this match your reading?
I think that's right. So an unaware hypervisor would set API to 0 and
none of the guests would be able to use the authentication
instructions. Since it looks like API=0 would make the hint-space
instructions trap as well, I would imagine that a hypervisor would
need to emulate them as no-ops if it's emulating a machine without
PAC.

Peter

[1] https://www.spinics.net/lists/arm-kernel/msg830889.html
  



    
  

  
    

      

        Keyboard shortcuts
      

      

        
          
hback out one level

          
jnext message in thread

          
kprevious message in thread

          
ldrill in

          
Escclose help / fold thread tree

          
?toggle this help