[PATCH] ARM64: Provide the ARM64_TBI option

Peter Collingbourne pcc at google.com
Fri Jul 16 09:14:05 PDT 2021


On Fri, Jul 16, 2021 at 1:09 AM Robin Murphy <robin.murphy at arm.com> wrote:
>
> On 2021-07-15 17:11, Will Deacon wrote:
> > On Wed, Jul 14, 2021 at 07:43:03PM +0100, Robin Murphy wrote:
> >> On 2021-07-14 19:06, Yuan Li wrote:
> >>> The ARM64 provides the Top Byte Ignore (TBI) early on, so the kernel turns TBI
> >>> on by default, but it does not provide any option to turn the feature off.
> >>>
> >>> In ARMv8.3, the Pointer Authentication (PA) was introduced, and if TBI is
> >>> turned off, the PA will be able to use the top byte, resulting in longer pointer
> >>> authentication codes, which is more secure.
> >>>
> >>> This patch changes the default support for the TBI to an option that can be
> >>> turned off.
> >>
> >> This would have to be something that processes explicitly opt in to. See
> >> Documentation/arm64/tagged-pointers.rst - silently disabling TBI0 *will*
> >> break existing userspace software.
> >
> > Maybe the patch from Peter:
> >
> > https://lore.kernel.org/r/20210622051204.3682580-1-pcc@google.com
> >
> > is a better starting point?
>
> Yeah, a command-line opt-in is certainly a more reasonable approach.
> However it still seems to me that it would make most sense as a
> per-process thing like the tagged address syscall ABI, since it's of no
> automatic benefit to existing software built without pointer auth, and
> AFAICS it's really up to individual programs whether they care more
> about stronger signing than tagged pointers. It was bad enough when we
> changed the VA_BITS default to 48 and discovered just how many things
> were using the Mozilla JIT, so I'm not sure I relish the thought of
> going through the same process with TBI0 ;)
>
>
> Come to think of it I guess any option should probably disable the
> tagged address syscall ABI, as that doesn't make much sense without
> TBI0. Are we likely to want a signed pointer syscall ABI as well?
>
> Robin.

Bear in mind that disabling TBI0 disables the ability to use MTE. At
least from our perspective, MTE is considered a more valuable
mitigation than PAC. That's why we're only intending to disable TBI
for code pointers, not for data pointers (via TBID0).

As Catalin wrote in [1], having this be a per-process option would be
more expensive, and may even be infeasible with the current
architecture. That's why we decided to go with a command line option.

Peter

[1] https://lore.kernel.org/linux-arm-kernel/20201124184742.GC42276@C02TF0J2HF1T.local/
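Added example (my own code, not from this thread or from either patch): a userspace program that opts in to the per-process tagged address syscall ABI Robin refers to (Documentation/arm64/tagged-pointers.rst) and, when the kernel or architecture refuses, falls back to stripping the top byte before handing a pointer to a syscall. The prctl constants are the ones in linux/prctl.h; on a non-arm64 host the enable call fails and only the fallback path is exercised.

```c
/* Opt in to the arm64 tagged address syscall ABI, with an untag fallback.
 * Added example; not part of the thread or the patches it discusses. */
#include <stdint.h>
#include <stdio.h>
#include <sys/prctl.h>

/* From linux/prctl.h (Linux >= 5.4); defined here in case the build
 * host's headers predate them. */
#ifndef PR_SET_TAGGED_ADDR_CTRL
#define PR_SET_TAGGED_ADDR_CTRL 55
#define PR_GET_TAGGED_ADDR_CTRL 56
#define PR_TAGGED_ADDR_ENABLE   (1UL << 0)
#endif

#define TAG_SHIFT 56                    /* top byte of a 64-bit VA */
#define TAG_MASK  (0xffULL << TAG_SHIFT)

/* Put an 8-bit tag in the top byte. With TBI0 the CPU ignores it on
 * loads/stores; the kernel accepts it in syscalls only once the tagged
 * address ABI is enabled for this process. */
static inline uintptr_t tag_ptr(uintptr_t p, unsigned tag)
{
    return (p & ~TAG_MASK) | ((uintptr_t)(tag & 0xffu) << TAG_SHIFT);
}

static inline unsigned ptr_tag(uintptr_t p)
{
    return (unsigned)(p >> TAG_SHIFT);
}

/* What userspace must do before a syscall when the ABI is off. */
static inline uintptr_t untag_ptr(uintptr_t p)
{
    return p & ~TAG_MASK;
}

/* 1 if the tagged address ABI is now enabled, 0 if the kernel/arch
 * refuses (non-arm64 host, older kernel, or the feature disabled). */
int tagged_abi_enable(void)
{
    if (prctl(PR_SET_TAGGED_ADDR_CTRL, PR_TAGGED_ADDR_ENABLE, 0, 0, 0) != 0)
        return 0;
    long ctl = prctl(PR_GET_TAGGED_ADDR_CTRL, 0, 0, 0, 0);
    return (ctl >= 0 && (ctl & PR_TAGGED_ADDR_ENABLE)) ? 1 : 0;
}

int main(void)
{
    char buf[16];
    uintptr_t q = tag_ptr((uintptr_t)buf, 0x5a);
    int abi = tagged_abi_enable();
    printf("tagged ABI: %s\n", abi ? "enabled" : "unavailable");
    /* Pass q to a syscall only when abi == 1; otherwise pass untag_ptr(q). */
    printf("tag 0x%02x, syscall-safe pointer %#lx\n", ptr_tag(q),
           (unsigned long)(abi ? q : untag_ptr(q)));
    return 0;
}
```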
