• Amit Daniel Kachhap's avatar
    lkdtm: arm64: test kernel pointer authentication · 6cb6982f
    Amit Daniel Kachhap authored
    This test is specific for arm64. When in-kernel Pointer Authentication
    config is enabled, the return address stored in the stack is signed.
    This feature helps in ROP kind of attack. If any parameters used to
    generate the pac (<key, sp, lr>) is modified then this will fail in
    the authentication stage and will lead to abort.
    
    This test changes the input parameter APIA kernel keys to cause abort.
    The pac computed from the new key can be same as last due to hash
    collision so this is retried for few times as there is no reliable way
    to compare the pacs. Even though this test may fail even after retries
    but this may cause authentication failure at a later stage in earlier
    function returns.
    
    This test can be invoked as,
    echo CORRUPT_PAC > /sys/kernel/debug/provoke-crash/DIRECT
    
    or as below if inserted as a module,
    insmod lkdtm.ko cpoint_name=DIRECT cpoint_type=CORRUPT_PAC cpoint_count=1
    
    [   13.118166] lkdtm: Performing direct entry CORRUPT_PAC
    [   13.118298] lkdtm: Clearing PAC from the return address
    [   13.118466] Unable to handle kernel paging request at virtual address bfff8000108648ec
    [   13.118626] Mem abort info:
    [   13.118666]   ESR = 0x86000004
    [   13.118866]   EC = 0x21: IABT (current EL), IL = 32 bits
    [   13.118966]   SET = 0, FnV = 0
    [   13.119117]   EA = 0, S1PTW = 0
    Signed-off-by: default avatarAmit Daniel Kachhap <amit.kachhap@arm.com>
    Acked-by: default avatarCatalin Marinas <catalin.marinas@arm.com>
    Cc: Kees Cook <keescook@chromium.org>
    Signed-off-by: default avatarCatalin Marinas <catalin.marinas@arm.com>
    6cb6982f
bugs.c 10.1 KB