Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
torvalds
GitHub Repository: torvalds/linux
 Path: blob/master/tools/testing/selftests/arm64/pauth/pac.c
26292 views
1
// SPDX-License-Identifier: GPL-2.0

2
// Copyright (C) 2020 ARM Limited

3


4
#define _GNU_SOURCE

5


6
#include <sys/auxv.h>

7
#include <sys/types.h>

8
#include <sys/wait.h>

9
#include <signal.h>

10
#include <setjmp.h>

11
#include <sched.h>

12


13
#include "../../kselftest_harness.h"

14
#include "helper.h"

15


16
#define PAC_COLLISION_ATTEMPTS 1000

17
/*

18
 * The kernel sets TBID by default. So bits 55 and above should remain

19
 * untouched no matter what.

20
 * The VA space size is 48 bits. Bigger is opt-in.

21
 */

22
#define PAC_MASK (~0xff80ffffffffffff)

23
#define ARBITRARY_VALUE (0x1234)

24
#define ASSERT_PAUTH_ENABLED() \

25
do { \

26
	unsigned long hwcaps = getauxval(AT_HWCAP); \

27
	/* data key instructions are not in NOP space. This prevents a SIGILL */ \

28
	if (!(hwcaps & HWCAP_PACA))					\

29
		SKIP(return, "PAUTH not enabled"); \

30
} while (0)

31
#define ASSERT_GENERIC_PAUTH_ENABLED() \

32
do { \

33
	unsigned long hwcaps = getauxval(AT_HWCAP); \

34
	/* generic key instructions are not in NOP space. This prevents a SIGILL */ \

35
	if (!(hwcaps & HWCAP_PACG)) \

36
		SKIP(return, "Generic PAUTH not enabled");	\

37
} while (0)

38


39
void sign_specific(struct signatures *sign, size_t val)

40
{

41
	sign->keyia = keyia_sign(val);

42
	sign->keyib = keyib_sign(val);

43
	sign->keyda = keyda_sign(val);

44
	sign->keydb = keydb_sign(val);

45
}

46


47
void sign_all(struct signatures *sign, size_t val)

48
{

49
	sign->keyia = keyia_sign(val);

50
	sign->keyib = keyib_sign(val);

51
	sign->keyda = keyda_sign(val);

52
	sign->keydb = keydb_sign(val);

53
	sign->keyg  = keyg_sign(val);

54
}

55


56
int n_same(struct signatures *old, struct signatures *new, int nkeys)

57
{

58
	int res = 0;

59


60
	res += old->keyia == new->keyia;

61
	res += old->keyib == new->keyib;

62
	res += old->keyda == new->keyda;

63
	res += old->keydb == new->keydb;

64
	if (nkeys == NKEYS)

65
		res += old->keyg == new->keyg;

66


67
	return res;

68
}

69


70
int n_same_single_set(struct signatures *sign, int nkeys)

71
{

72
	size_t vals[nkeys];

73
	int same = 0;

74


75
	vals[0] = sign->keyia & PAC_MASK;

76
	vals[1] = sign->keyib & PAC_MASK;

77
	vals[2] = sign->keyda & PAC_MASK;

78
	vals[3] = sign->keydb & PAC_MASK;

79


80
	if (nkeys >= 4)

81
		vals[4] = sign->keyg & PAC_MASK;

82


83
	for (int i = 0; i < nkeys - 1; i++) {

84
		for (int j = i + 1; j < nkeys; j++) {

85
			if (vals[i] == vals[j])

86
				same += 1;

87
		}

88
	}

89
	return same;

90
}

91


92
int exec_sign_all(struct signatures *signed_vals, size_t val)

93
{

94
	int new_stdin[2];

95
	int new_stdout[2];

96
	int status;

97
	int i;

98
	ssize_t ret;

99
	pid_t pid;

100
	cpu_set_t mask;

101


102
	ret = pipe(new_stdin);

103
	if (ret == -1) {

104
		perror("pipe returned error");

105
		return -1;

106
	}

107


108
	ret = pipe(new_stdout);

109
	if (ret == -1) {

110
		perror("pipe returned error");

111
		return -1;

112
	}

113


114
	/*

115
	 * pin this process and all its children to a single CPU, so it can also

116
	 * guarantee a context switch with its child

117
	 */

118
	sched_getaffinity(0, sizeof(mask), &mask);

119


120
	for (i = 0; i < sizeof(cpu_set_t); i++)

121
		if (CPU_ISSET(i, &mask))

122
			break;

123


124
	CPU_ZERO(&mask);

125
	CPU_SET(i, &mask);

126
	sched_setaffinity(0, sizeof(mask), &mask);

127


128
	pid = fork();

129
	// child

130
	if (pid == 0) {

131
		dup2(new_stdin[0], STDIN_FILENO);

132
		if (ret == -1) {

133
			perror("dup2 returned error");

134
			exit(1);

135
		}

136


137
		dup2(new_stdout[1], STDOUT_FILENO);

138
		if (ret == -1) {

139
			perror("dup2 returned error");

140
			exit(1);

141
		}

142


143
		close(new_stdin[0]);

144
		close(new_stdin[1]);

145
		close(new_stdout[0]);

146
		close(new_stdout[1]);

147


148
		ret = execl("exec_target", "exec_target", (char *)NULL);

149
		if (ret == -1) {

150
			perror("exec returned error");

151
			exit(1);

152
		}

153
	}

154


155
	close(new_stdin[0]);

156
	close(new_stdout[1]);

157


158
	ret = write(new_stdin[1], &val, sizeof(size_t));

159
	if (ret == -1) {

160
		perror("write returned error");

161
		return -1;

162
	}

163


164
	/*

165
	 * wait for the worker to finish, so that read() reads all data

166
	 * will also context switch with worker so that this function can be used

167
	 * for context switch tests

168
	 */

169
	waitpid(pid, &status, 0);

170
	if (WIFEXITED(status) == 0) {

171
		fprintf(stderr, "worker exited unexpectedly\n");

172
		return -1;

173
	}

174
	if (WEXITSTATUS(status) != 0) {

175
		fprintf(stderr, "worker exited with error\n");

176
		return -1;

177
	}

178


179
	ret = read(new_stdout[0], signed_vals, sizeof(struct signatures));

180
	if (ret == -1) {

181
		perror("read returned error");

182
		return -1;

183
	}

184


185
	close(new_stdin[1]);

186
	close(new_stdout[0]);

187


188
	return 0;

189
}

190


191
sigjmp_buf jmpbuf;

192
void pac_signal_handler(int signum, siginfo_t *si, void *uc)

193
{

194
	if (signum == SIGSEGV || signum == SIGILL)

195
		siglongjmp(jmpbuf, 1);

196
}

197


198
/* check that a corrupted PAC results in SIGSEGV or SIGILL */

199
TEST(corrupt_pac)

200
{

201
	struct sigaction sa;

202


203
	ASSERT_PAUTH_ENABLED();

204
	if (sigsetjmp(jmpbuf, 1) == 0) {

205
		sa.sa_sigaction = pac_signal_handler;

206
		sa.sa_flags = SA_SIGINFO | SA_RESETHAND;

207
		sigemptyset(&sa.sa_mask);

208


209
		sigaction(SIGSEGV, &sa, NULL);

210
		sigaction(SIGILL, &sa, NULL);

211


212
		pac_corruptor();

213
		ASSERT_TRUE(0) TH_LOG("SIGSEGV/SIGILL signal did not occur");

214
	}

215
}

216


217
/*

218
 * There are no separate pac* and aut* controls so checking only the pac*

219
 * instructions is sufficient

220
 */

221
TEST(pac_instructions_not_nop)

222
{

223
	size_t keyia = 0;

224
	size_t keyib = 0;

225
	size_t keyda = 0;

226
	size_t keydb = 0;

227


228
	ASSERT_PAUTH_ENABLED();

229


230
	for (int i = 0; i < PAC_COLLISION_ATTEMPTS; i++) {

231
		keyia |= keyia_sign(i) & PAC_MASK;

232
		keyib |= keyib_sign(i) & PAC_MASK;

233
		keyda |= keyda_sign(i) & PAC_MASK;

234
		keydb |= keydb_sign(i) & PAC_MASK;

235
	}

236


237
	ASSERT_NE(0, keyia) TH_LOG("keyia instructions did nothing");

238
	ASSERT_NE(0, keyib) TH_LOG("keyib instructions did nothing");

239
	ASSERT_NE(0, keyda) TH_LOG("keyda instructions did nothing");

240
	ASSERT_NE(0, keydb) TH_LOG("keydb instructions did nothing");

241
}

242


243
TEST(pac_instructions_not_nop_generic)

244
{

245
	size_t keyg = 0;

246


247
	ASSERT_GENERIC_PAUTH_ENABLED();

248


249
	for (int i = 0; i < PAC_COLLISION_ATTEMPTS; i++)

250
		keyg |= keyg_sign(i) & PAC_MASK;

251


252
	ASSERT_NE(0, keyg)  TH_LOG("keyg instructions did nothing");

253
}

254


255
TEST(single_thread_different_keys)

256
{

257
	int same = 10;

258
	int nkeys = NKEYS;

259
	int tmp;

260
	struct signatures signed_vals;

261
	unsigned long hwcaps = getauxval(AT_HWCAP);

262


263
	/* generic and data key instructions are not in NOP space. This prevents a SIGILL */

264
	ASSERT_PAUTH_ENABLED();

265
	if (!(hwcaps & HWCAP_PACG)) {

266
		TH_LOG("WARNING: Generic PAUTH not enabled. Skipping generic key checks");

267
		nkeys = NKEYS - 1;

268
	}

269


270
	/*

271
	 * In Linux the PAC field can be up to 7 bits wide. Even if keys are

272
	 * different, there is about 5% chance for PACs to collide with

273
	 * different addresses. This chance rapidly increases with fewer bits

274
	 * allocated for the PAC (e.g. wider address). A comparison of the keys

275
	 * directly will be more reliable.

276
	 * All signed values need to be different at least once out of n

277
	 * attempts to be certain that the keys are different

278
	 */

279
	for (int i = 0; i < PAC_COLLISION_ATTEMPTS; i++) {

280
		if (nkeys == NKEYS)

281
			sign_all(&signed_vals, i);

282
		else

283
			sign_specific(&signed_vals, i);

284


285
		tmp = n_same_single_set(&signed_vals, nkeys);

286
		if (tmp < same)

287
			same = tmp;

288
	}

289


290
	ASSERT_EQ(0, same) TH_LOG("%d keys clashed every time", same);

291
}

292


293
/*

294
 * fork() does not change keys. Only exec() does so call a worker program.

295
 * Its only job is to sign a value and report back the resutls

296
 */

297
TEST(exec_changed_keys)

298
{

299
	struct signatures new_keys;

300
	struct signatures old_keys;

301
	int ret;

302
	int same = 10;

303
	int nkeys = NKEYS;

304
	unsigned long hwcaps = getauxval(AT_HWCAP);

305


306
	/* generic and data key instructions are not in NOP space. This prevents a SIGILL */

307
	ASSERT_PAUTH_ENABLED();

308
	if (!(hwcaps & HWCAP_PACG)) {

309
		TH_LOG("WARNING: Generic PAUTH not enabled. Skipping generic key checks");

310
		nkeys = NKEYS - 1;

311
	}

312


313
	for (int i = 0; i < PAC_COLLISION_ATTEMPTS; i++) {

314
		ret = exec_sign_all(&new_keys, i);

315
		ASSERT_EQ(0, ret) TH_LOG("failed to run worker");

316


317
		if (nkeys == NKEYS)

318
			sign_all(&old_keys, i);

319
		else

320
			sign_specific(&old_keys, i);

321


322
		ret = n_same(&old_keys, &new_keys, nkeys);

323
		if (ret < same)

324
			same = ret;

325
	}

326


327
	ASSERT_EQ(0, same) TH_LOG("exec() did not change %d keys", same);

328
}

329


330
TEST(context_switch_keep_keys)

331
{

332
	int ret;

333
	struct signatures trash;

334
	struct signatures before;

335
	struct signatures after;

336


337
	ASSERT_PAUTH_ENABLED();

338


339
	sign_specific(&before, ARBITRARY_VALUE);

340


341
	/* will context switch with a process with different keys at least once */

342
	ret = exec_sign_all(&trash, ARBITRARY_VALUE);

343
	ASSERT_EQ(0, ret) TH_LOG("failed to run worker");

344


345
	sign_specific(&after, ARBITRARY_VALUE);

346


347
	ASSERT_EQ(before.keyia, after.keyia) TH_LOG("keyia changed after context switching");

348
	ASSERT_EQ(before.keyib, after.keyib) TH_LOG("keyib changed after context switching");

349
	ASSERT_EQ(before.keyda, after.keyda) TH_LOG("keyda changed after context switching");

350
	ASSERT_EQ(before.keydb, after.keydb) TH_LOG("keydb changed after context switching");

351
}

352


353
TEST(context_switch_keep_keys_generic)

354
{

355
	int ret;

356
	struct signatures trash;

357
	size_t before;

358
	size_t after;

359


360
	ASSERT_GENERIC_PAUTH_ENABLED();

361


362
	before = keyg_sign(ARBITRARY_VALUE);

363


364
	/* will context switch with a process with different keys at least once */

365
	ret = exec_sign_all(&trash, ARBITRARY_VALUE);

366
	ASSERT_EQ(0, ret) TH_LOG("failed to run worker");

367


368
	after = keyg_sign(ARBITRARY_VALUE);

369


370
	ASSERT_EQ(before, after) TH_LOG("keyg changed after context switching");

371
}

372


373
TEST_HARNESS_MAIN

374


375