This is the mail archive of the libc-alpha@sourceware.org mailing list for the glibc project.



Re: [PATCH 0/2] aarch64: Enable pointer auth in PLT


On Tue, Jun 25, 2019 at 11:40:43AM +0100, Ramana Radhakrishnan wrote:
> On Fri, Jun 21, 2019 at 12:33 PM Szabolcs Nagy <Szabolcs.Nagy@arm.com> wrote:
> > On 21/06/2019 11:46, Florian Weimer wrote:
> > > * Szabolcs Nagy:
> > >> On 21/06/2019 10:12, Florian Weimer wrote:
> > >>> * Szabolcs Nagy:
> > >>>> Pointer authentication is an armv8.3-a extension and it can be used
> > >>>> to harden PLTGOT entries when that is not read-only protected.
> > >>>>
> > >>>> binutils bfd linker now supports creating binaries with -z pac-plt
> > >>>> and then PLT entries authenticate the pointers loaded from PLTGOT.
> > >>>>
> > >>>> To support such binaries the glibc dynamic linker has to "sign" the
> > >>>> pointers in the PLTGOT. On cpus without pointer authentication support,
> > >>>> both the sign and authentication operations are nops, so such binaries
> > >>>> may appear to work now, but on a new cpu they will crash without glibc
> > >>>> support.
> > >>>
> > >>> I think you need to enable this feature in a different way, similar to
> > >>> the non-executable stack.  Otherwise, people will have to decide whether
> > >>> they want to build portable binaries or binaries with security
> > >>> hardening, which is not desirable.
> > >>
> > >> with non-executable stack, a hardened binary works on
> > >> an old system that uses executable stack.
> > >>
> > >> in this case a hardened binary does not work on an old
> > >> system that's unaware of pointer auth.
> > >
> > > Does it work on an old system without kernel support for pointer
> > > authentication?  With just support in the CPU?
> >
> > the binaries work on an old system if pauth is not
> > enabled by the kernel.
> >
> > i think we don't have prctl or other control
> > in linux to enable/disable pauth per process
> > right now so it is not opt-in, the kernel just
> > informs userspace with a HWCAP that it is enabled.
> 
> There was certainly talk about a prctl call for pauth with the Android
> guys as they were interested in a model with zygote.

There's a prctl (PR_PAC_RESET_KEYS) which can be used to re-initialize
keys to new random values, but there's no kernel-provided mechanism to
NOP out the instructions.

Working on an old CPU but crashing on a new one seems especially
problematic. Is it possible to make the binaries depend on a glibc with
the necessary support, using the usual library versioning/dependency
mechanisms?

Thanks,
Mark.
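
The compatibility cases discussed in this thread, written out as an added example (not code from the thread, the patch series or glibc). It reads the HWCAP the kernel uses to report pointer authentication and classifies what a `-z pac-plt` binary does with and without dynamic-linker support; the `EX_` names, `ldso_signs` and the function names are assumptions made for illustration.

```c
#include <stdio.h>
#include <sys/auxv.h>

/* arm64 AT_HWCAP bits as defined in the Linux uapi <asm/hwcap.h>, repeated
   under EX_ names so the file also compiles on other architectures. */
#define EX_HWCAP_PACA (1UL << 30) /* address authentication enabled */
#define EX_HWCAP_PACG (1UL << 31) /* generic authentication enabled */

enum plt_outcome {
    PLT_OK_NOP,         /* pauth off: sign and authenticate are both NOPs */
    PLT_OK_SIGNED,      /* pauth on and the dynamic linker signed PLTGOT */
    PLT_CRASH_UNSIGNED  /* pauth on, PLT authenticates unsigned pointers */
};

/* Outcome for a binary linked with -z pac-plt.
   hwcap: AT_HWCAP value. ldso_signs: nonzero when the dynamic linker signs
   the PLTGOT pointers (hypothetical flag standing in for glibc support). */
enum plt_outcome pac_plt_outcome(unsigned long hwcap, int ldso_signs)
{
    if (!(hwcap & EX_HWCAP_PACA))
        return PLT_OK_NOP;
    return ldso_signs ? PLT_OK_SIGNED : PLT_CRASH_UNSIGNED;
}

/* AT_HWCAP of this process; 0 off arm64, where the bits mean something else. */
unsigned long arm64_hwcap(void)
{
#if defined(__aarch64__)
    return getauxval(AT_HWCAP);
#else
    return 0;
#endif
}

const char *outcome_name(enum plt_outcome o)
{
    switch (o) {
    case PLT_OK_NOP:    return "works (pauth instructions are NOPs)";
    case PLT_OK_SIGNED: return "works (PLTGOT signed and authenticated)";
    default:            return "crashes (authenticating unsigned PLTGOT)";
    }
}

int main(void)
{
    unsigned long hw = arm64_hwcap();
    printf("PACA=%d PACG=%d\n", !!(hw & EX_HWCAP_PACA), !!(hw & EX_HWCAP_PACG));
    printf("old ld.so: %s\n", outcome_name(pac_plt_outcome(hw, 0)));
    printf("new ld.so: %s\n", outcome_name(pac_plt_outcome(hw, 1)));
    return 0;
}
```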

