• Kristina Martsenko's avatar
    arm64: compile the kernel with ptrauth return address signing · 74afda40
    Kristina Martsenko authored
    Compile all functions with two ptrauth instructions: PACIASP in the
    prologue to sign the return address, and AUTIASP in the epilogue to
    authenticate the return address (from the stack). If authentication
    fails, the return will cause an instruction abort to be taken, followed
    by an oops and killing the task.
    
    This should help protect the kernel against attacks using
    return-oriented programming. As ptrauth protects the return address, it
    can also serve as a replacement for CONFIG_STACKPROTECTOR, although note
    that it does not protect other parts of the stack.
    
    The new instructions are in the HINT encoding space, so on a system
    without ptrauth they execute as NOPs.
    
    CONFIG_ARM64_PTR_AUTH now not only enables ptrauth for userspace and KVM
    guests, but also automatically builds the kernel with ptrauth
    instructions if the compiler supports it. If there is no compiler
    support, we do not warn that the kernel was built without ptrauth
    instructions.
    
    GCC 7 and 8 support the -msign-return-address option, while GCC 9
    deprecates that option and replaces it with -mbranch-protection. Support
    both options.
    
    Clang uses an external assembler hence this patch makes sure that the
    correct parameters (-march=armv8.3-a) are passed down to help it recognize
    the ptrauth instructions.
    
    Ftrace function tracer works properly with Ptrauth only when
    patchable-function-entry feature is present and is ensured by the
    Kconfig dependency.
    
    Cc: Catalin Marinas <catalin.marinas@arm.com>
    Cc: Will Deacon <will@kernel.org>
    Cc: Masahiro Yamada <yamada.masahiro@socionext.com>
    Reviewed-by: default avatarKees Cook <keescook@chromium.org>
    Reviewed-by: Vincenzo Frascino <Vincenzo.Frascino@arm.com> # not co-dev parts
    Co-developed-by: default avatarVincenzo Frascino <vincenzo.frascino@arm.com>
    Signed-off-by: default avatarVincenzo Frascino <vincenzo.frascino@arm.com>
    Signed-off-by: default avatarKristina Martsenko <kristina.martsenko@arm.com>
    [Amit: Cover leaf function, comments, Ftrace Kconfig]
    Signed-off-by: default avatarAmit Daniel Kachhap <amit.kachhap@arm.com>
    Signed-off-by: default avatarCatalin Marinas <catalin.marinas@arm.com>
    74afda40
Kconfig 59 KB