Up to [cvs.NetBSD.org] / src / sys / arch / aarch64 / include
Request diff between arbitrary revisions
Default branch: MAIN
Current tag: phil-wifi-20200421
Revision 1.7 / (download) - annotate - [select for diffs], Sun Apr 12 07:49:58 2020 UTC (4 years ago) by maxv
Branch: MAIN
CVS Tags: phil-wifi-20200421,
bouyer-xenpvh-base2,
bouyer-xenpvh-base1
Changes since 1.6: +19 -1
lines
Diff to previous 1.6 (colored)
Add support for Pointer Authentication (PAC). We use the "pac-ret" option, to sign the return instruction pointer on function entry, and authenticate it on function exit. This acts as a mitigation against ROP. The authentication uses a per-lwp (secret) I-A key stored in the 128bit APIAKey register and part of the lwp context. During lwp creation, the kernel generates a random key, and during context switches, it installs the key of the target lwp on the CPU. Userland cannot read the APIAKey register directly. However, it can sign its pointers with it, because the register is architecturally shared between userland and the kernel. Although part of the CPU design, it is a bit of an undesired behavior, because it allows to forge valid kernel pointers from userland. To avoid that, we don't share the key with userland, and rather switch it in EL0<->EL1 transitions. This means that when userland executes, a different key is loaded in APIAKey than the one the kernel uses. For now the userland key is a fixed 128bit zero value. The DDB stack unwinder is changed to strip the authentication code from the pointers in lr. Two problems are known: * Currently the idlelwps' keys are not really secret. This is because the RNG is not yet available when we spawn these lwps. Not overly important, but would be nice to fix with UEFI RNG. * The key switching in EL0<->EL1 transitions is not the most optimized code on the planet. Instead of checking aarch64_pac_enabled, it would be better to hot-patch the code at boot time, but there currently is no hot-patch support on aarch64. Tested on Qemu.