[kernel-hardening] Re: [PATCH v3 3/7] arm64: Introduce uaccess_{disable,enable} functionality based on TTBR0_EL1
From: Kees Cook <hidden>
Date: 2016-09-14 16:27:33
On Wed, Sep 14, 2016 at 1:52 AM, Mark Rutland [off-list ref] wrote:
On Tue, Sep 13, 2016 at 01:45:21PM -0700, Kees Cook wrote:
On Tue, Sep 13, 2016 at 10:46 AM, Catalin Marinas
+static inline bool system_uses_ttbr0_pan(void) +{ + return IS_ENABLED(CONFIG_ARM64_SW_TTBR0_PAN) && + !cpus_have_cap(ARM64_HAS_PAN); +} +[...]quoted
#define __uaccess_enable(alt) \ do { \ - asm(ALTERNATIVE("nop", SET_PSTATE_PAN(0), alt, \ - CONFIG_ARM64_PAN)); \ + if (system_uses_ttbr0_pan()) \ + uaccess_ttbr0_enable(); \ + else \ + asm(ALTERNATIVE("nop", SET_PSTATE_PAN(0), alt, \ + CONFIG_ARM64_PAN)); \ } while (0)
Does this mean that with CONFIG_ARM64_SW_TTBR0_PAN, even with ARMv8.1, a cpu capability bitmask check is done each time we go through __uaccess_{en,dis}able?
Catalin reworked cpus_have_cap() to use static keys [1], and that's queued in the arm64 for-next/core branch [2].
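Review bot: system_uses_ttbr0_pan(), added in the first quoted hunk, has no comment explaining its two conditions. A short comment above it would help readers of the uaccess macros that call it: it is true only when CONFIG_ARM64_SW_TTBR0_PAN is built in and cpus_have_cap(ARM64_HAS_PAN) is false, and the IS_ENABLED() term lets the compiler discard the callers' branch when the option is off.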
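Review bot: In the __uaccess_enable() hunk, the new "if (system_uses_ttbr0_pan())" is evaluated at run time on every pass through the macro, ahead of the ALTERNATIVE that used to be the whole body, so on a CONFIG_ARM64_SW_TTBR0_PAN kernel the cost of this path now depends on how cpus_have_cap() is implemented. Please state that dependency in a comment or in the commit message, so the macro is not later paired with a cpus_have_cap() that does more than a patched branch.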
Oh awesome! Okay, thanks.
So this should expand to a single branch or nop that we patch when we detect the presence/absence of PAN. There should be no bitmap check.
/me is looking forward to v4.9 :)
Thanks, Mark.
[1] http://lists.infradead.org/pipermail/linux-arm-kernel/2016-September/454025.html
[2] https://git.kernel.org/cgit/linux/kernel/git/arm64/linux.git/log/?h=for-next/core
-Kees
--
Kees Cook
Nexus Security