[PATCH v2] arm64: Introduce prctl(PR_PAC_{SET,GET}_ENABLED_KEYS)

[Florian Weimer]

* Peter Collingbourne:

> This prctl allows the user program to control which PAC keys are enabled
> in a particular task. The main reason why this is useful is to enable a
> userspace ABI that uses PAC to sign and authenticate function pointers
> and other pointers exposed outside of the function, while still allowing
> binaries conforming to the ABI to interoperate with legacy binaries that
> do not sign or authenticate pointers.
>
> The idea is that a dynamic loader or early startup code would issue
> this prctl very early after establishing that a process may load legacy
> binaries, but before executing any PAC instructions.

I thought that the silicon did not support this?

What exactly does this switch on and off?  The signing itself (so that
the bits are zero again), or just the verification?

I do not know how easy it will be to adjust the glibc dynamic linker
to this because I expect it to use PAC instructions itself.  (It is an
interesting target, I suppose, so this makes sense to me.)  The loader
code used for initial process setup and later dlopen is the same.
Worst case, we could compile the loader twice.

There is also an issue with LD_AUDIT, where we run user-supplied code
(which might be PAC-compatible) before loading code that is not.  I
guess we could disable PAC by default in LD_AUDIT mode (which is
unusual, no relation to the kernel audit subsystem).