[PATCH 00/11] ARMv8.3 pointer authentication userspace support

[PATCH 00/11] ARMv8.3 pointer authentication userspace support · Mark Rutland <mark.rutland@arm.com> · 2017-07-19
[PATCH 01/11] arm64: docs: describe ELF hwcaps · Mark Rutland <mark.rutland@arm.com> · 2017-07-19
Re: [PATCH 01/11] arm64: docs: describe ELF hwcaps · Dave Martin <Dave.Martin@arm.com> · 2017-07-21
Re: [PATCH 01/11] arm64: docs: describe ELF hwcaps · Suzuki K Poulose <Suzuki.Poulose@arm.com> · 2017-07-24
Re: [PATCH 01/11] arm64: docs: describe ELF hwcaps · Catalin Marinas <catalin.marinas@arm.com> · 2017-08-03
Re: [PATCH 01/11] arm64: docs: describe ELF hwcaps · Kees Cook <hidden> · 2017-08-03
[PATCH 03/11] arm64: add pointer authentication register bits · Mark Rutland <mark.rutland@arm.com> · 2017-07-19
[PATCH 04/11] arm64/cpufeature: add ARMv8.3 id_aa64isar1 bits · Mark Rutland <mark.rutland@arm.com> · 2017-07-19
Re: [PATCH 04/11] arm64/cpufeature: add ARMv8.3 id_aa64isar1 bits · Suzuki K Poulose <Suzuki.Poulose@arm.com> · 2017-07-24
[PATCH 05/11] arm64/cpufeature: detect pointer authentication · Mark Rutland <mark.rutland@arm.com> · 2017-07-19
[PATCH 06/11] arm64: Don't trap host pointer auth use to EL2 · Mark Rutland <mark.rutland@arm.com> · 2017-07-19
Re: [PATCH 06/11] arm64: Don't trap host pointer auth use to EL2 · Dave Martin <Dave.Martin@arm.com> · 2017-07-24
[PATCH 07/11] arm64: add basic pointer authentication support · Mark Rutland <mark.rutland@arm.com> · 2017-07-19
Re: [PATCH 07/11] arm64: add basic pointer authentication support · Dave Martin <Dave.Martin@arm.com> · 2017-07-25
Re: [PATCH 07/11] arm64: add basic pointer authentication support · Yao Qi <hidden> · 2017-08-11
Re: [PATCH 07/11] arm64: add basic pointer authentication support · Dave Martin <Dave.Martin@arm.com> · 2017-08-11
[PATCH 08/11] arm64: expose user PAC bit positions via ptrace · Mark Rutland <mark.rutland@arm.com> · 2017-07-19
[PATCH 10/11] arm64/kvm: context-switch ptrauth registers · Mark Rutland <mark.rutland@arm.com> · 2017-07-19
Re: [PATCH 10/11] arm64/kvm: context-switch ptrauth registers · Christoffer Dall <hidden> · 2017-08-01
Re: [PATCH 10/11] arm64/kvm: context-switch ptrauth registers · Mark Rutland <mark.rutland@arm.com> · 2017-08-01
Re: [PATCH 10/11] arm64/kvm: context-switch ptrauth registers · Will Deacon <hidden> · 2017-08-01
Re: [PATCH 10/11] arm64/kvm: context-switch ptrauth registers · Christoffer Dall <hidden> · 2017-08-01
[PATCH 11/11] arm64: docs: document pointer authentication · Mark Rutland <mark.rutland@arm.com> · 2017-07-19
[PATCH 09/11] arm64/kvm: preserve host HCR_EL2 value · Mark Rutland <mark.rutland@arm.com> · 2017-07-19
Re: [PATCH 09/11] arm64/kvm: preserve host HCR_EL2 value · Christoffer Dall <hidden> · 2017-08-01
[PATCH 02/11] asm-generic: mm_hooks: allow hooks to be overridden individually · Mark Rutland <mark.rutland@arm.com> · 2017-07-19
Re: [PATCH 00/11] ARMv8.3 pointer authentication userspace support · Dave Martin <Dave.Martin@arm.com> · 2017-07-21
Re: [PATCH 00/11] ARMv8.3 pointer authentication userspace support · Mark Rutland <mark.rutland@arm.com> · 2017-07-25
Re: [PATCH 00/11] ARMv8.3 pointer authentication userspace support · Jiong Wang <hidden> · 2017-07-25
Re: [PATCH 00/11] ARMv8.3 pointer authentication userspace support · Mark Rutland <mark.rutland@arm.com> · 2017-08-11
Re: [PATCH 00/11] ARMv8.3 pointer authentication userspace support · Yao Qi <hidden> · 2017-07-24
Re: [PATCH 00/11] ARMv8.3 pointer authentication userspace support · Yao Qi <hidden> · 2017-07-25
Re: [PATCH 00/11] ARMv8.3 pointer authentication userspace support · Mark Rutland <mark.rutland@arm.com> · 2017-07-25
Re: [kernel-hardening] [PATCH 00/11] ARMv8.3 pointer authentication userspace support · Li Kun <hidden> · 2017-07-25
Re: [kernel-hardening] [PATCH 00/11] ARMv8.3 pointer authentication userspace support · Mark Rutland <mark.rutland@arm.com> · 2017-07-25

From: mark.rutland@arm.com (Mark Rutland)
Date: 2017-08-11 11:30:34
Also in: kvmarm, linux-arch, lkml

On Tue, Jul 25, 2017 at 01:06:43PM +0100, Mark Rutland wrote:

On Fri, Jul 21, 2017 at 06:05:09PM +0100, Dave Martin wrote:

quoted

On Wed, Jul 19, 2017 at 05:01:21PM +0100, Mark Rutland wrote:

quoted

This series adds support for the ARMv8.3 pointer authentication extension.

quoted

Open questions
==============

* Should keys be per-thread rather than per-process?

  My understanding is that glibc can't (currently) handle threads having
  different keys, but it might be that another libc would prefer per-thread

Can you elaborate?

It's not valid to do a function return from one thread to another.

Regardless of whether it's valid per the C spec or POSIX, some people
use {set,get}context and {set,long}jmp in this manner (IIRC, QEMU does
this), and my understanding is that similar tricks are in use in the
bowels of glibc.

Otherwise, my preference would be to have per-thread keys from day one.

Having considered comments I've received elsewhere, I've reversed my
position here. I think per-process keys are the more
sensible default since:

* This will allow us to protect function pointers in shared
  datastructures such as vtables.

* Tasks have their own stacks, and values leaked from one stack cannot
  be used to spoof return addresses on another.

* If an attacker can take control of one thread, they've already gained
  code execution and/or primitives that can be used to attack the
  process by other means.

Thanks,
Mark.

`h`	back out one level
`j`	next message in thread
`k`	previous message in thread
`l`	drill in
`Esc`	close help / fold thread tree
`?`	toggle this help