[PATCH] ARM64: Provide the ARM64_TBI option
Robin Murphy
robin.murphy at arm.com
Thu Jul 15 09:48:15 PDT 2021
On 2021-07-15 17:11, Will Deacon wrote:
> On Wed, Jul 14, 2021 at 07:43:03PM +0100, Robin Murphy wrote:
>> On 2021-07-14 19:06, Yuan Li wrote:
>>> The ARM64 provides the Top Byte Ignore (TBI) early on, so the kernel turns TBI
>>> on by default, but, it does not provide any option to turn the feature off.
>>>
>>> In ARMv8.3, the Pointer Authentication (PA) was introduced, and if TBI is
>>> turned off, the PA will be able to use the top byte, resulting longer pointer
>>> authentication codes, which is more secure.
>>>
>>> This patch changes the default support for the TBI to an option that can be
>>> turned off.
>>
>> This would have to be something that processes explicitly opt in to. See
>> Documentation/arm64/tagged-pointers.rst - silently disabling TBI0 *will*
>> break existing userspace software.
>
> Maybe the patch from Peter:
>
> https://lore.kernel.org/r/20210622051204.3682580-1-pcc@google.com
>
> is a better starting point?
Yeah, a command-line opt-in is certainly a more reasonable approach.
However it still seems to me that it would make most sense as a
per-process thing like the tagged address syscall ABI, since it's of no
automatic benefit to existing software built without pointer auth, and
AFAICS it's really up to individual programs whether they care more
about stronger signing than tagged pointers. It was bad enough when we
changed the VA_BITS default to 48 and discovered just how many things
were using the Mozilla JIT, so I'm not sure I relish the thought of
going through the same process with TBI0 ;)
Come to think of it I guess any option should probably disable the
tagged address syscall ABI, as that doesn't make much sense without
TBI0. Are we likely to want a signed pointer syscall ABI as well?
Robin.
More information about the linux-arm-kernel
mailing list