[PATCH v2] arm64: Introduce prctl(PR_PAC_{SET,GET}_ENABLED_KEYS)

Catalin Marinas catalin.marinas@arm.com
Wed Nov 18 13:37:47 GMT 2020 

On Wed, Nov 18, 2020 at 01:31:21PM +0000, Szabolcs Nagy wrote:
> The 11/18/2020 12:33, Catalin Marinas wrote:
> > On Tue, Nov 17, 2020 at 06:39:13PM +0000, Szabolcs Nagy wrote:
> > > The 11/17/2020 10:17, Peter Collingbourne via Libc-alpha wrote:
> > > > On Tue, Nov 17, 2020 at 9:48 AM Florian Weimer <fw@deneb.enyo.de> wrote:
> > > > >
> > > > > * Peter Collingbourne:
> > > > >
> > > > > > This prctl allows the user program to control which PAC keys are enabled
> > > > > > in a particular task. The main reason why this is useful is to enable a
> > > > > > userspace ABI that uses PAC to sign and authenticate function pointers
> > > > > > and other pointers exposed outside of the function, while still allowing
> > > > > > binaries conforming to the ABI to interoperate with legacy binaries that
> > > > > > do not sign or authenticate pointers.
> > > > > >
> > > > > > The idea is that a dynamic loader or early startup code would issue
> > > > > > this prctl very early after establishing that a process may load legacy
> > > > > > binaries, but before executing any PAC instructions.
> > > > >
> > > > > I thought that the silicon did not support this?
> > 
> > I think the past discussion we had was around enabling PAC for kernel
> > while disabling it for user. The hardware doesn't give us separate bits,
> > so Peter's patch toggles them on kernel entry/return, with some overhead
> > given by the MSR+ISB (to be added).
> 
> ah ok. i probably incorrectly thought that toggling that sys
> register bit is too much overhead at kernel entry so assumed
> we cannot have PAC off by default or set per process.

I think Peter can rerun his benchmarks but with the ISB added after MSR.
If they are not too bad, we can take this series.

> (i think with the proposed prctl it's possible to disable PAC
> at early ld.so startup and reenable it before calling into the
> main exe entry code, if we ever need to disable PAC-RET.)
> 
> i assume thread creation/fork inherits the setting but exec
> does not (this is another point that may be worth adding to
> the documentation).

Yes, that's my understanding from the patch. It should be documented
explicitly (I haven't read the doc updates, maybe it does this already).

> if we run into issues in userspace with PAC then a prctl that
> can be inherited across exec is a possible workaround (so PAC
> can be disabled for an entire process tree).

Can you do something similar to MTE with an environment variable forcing
PAC off?

-- 
Catalin

More information about the Libc-alpha mailing list