LXR linux/tools/testing/selftests/arm64/pauth/pac.c

   1// SPDX-License-Identifier: GPL-2.0
   2// Copyright (C) 2020 ARM Limited
   3
   4#define _GNU_SOURCE
   5
   6#include <sys/auxv.h>
   7#include <sys/types.h>
   8#include <sys/wait.h>
   9#include <signal.h>
  10#include <setjmp.h>
  11#include <sched.h>
  12
  13#include "../../kselftest_harness.h"
  14#include "helper.h"
  15
  16#define PAC_COLLISION_ATTEMPTS 10
  17/*
  18 * The kernel sets TBID by default. So bits 55 and above should remain
  19 * untouched no matter what.
  20 * The VA space size is 48 bits. Bigger is opt-in.
  21 */
  22#define PAC_MASK (~0xff80ffffffffffff)
  23#define ARBITRARY_VALUE (0x1234)
  24#define ASSERT_PAUTH_ENABLED() \
  25do { \
  26        unsigned long hwcaps = getauxval(AT_HWCAP); \
  27        /* data key instructions are not in NOP space. This prevents a SIGILL */ \
  28        if (!(hwcaps & HWCAP_PACA))                                     \
  29                SKIP(return, "PAUTH not enabled"); \
  30} while (0)
  31#define ASSERT_GENERIC_PAUTH_ENABLED() \
  32do { \
  33        unsigned long hwcaps = getauxval(AT_HWCAP); \
  34        /* generic key instructions are not in NOP space. This prevents a SIGILL */ \
  35        if (!(hwcaps & HWCAP_PACG)) \
  36                SKIP(return, "Generic PAUTH not enabled");      \
  37} while (0)
  38
  39void sign_specific(struct signatures *sign, size_t val)
  40{
  41        sign->keyia = keyia_sign(val);
  42        sign->keyib = keyib_sign(val);
  43        sign->keyda = keyda_sign(val);
  44        sign->keydb = keydb_sign(val);
  45}
  46
  47void sign_all(struct signatures *sign, size_t val)
  48{
  49        sign->keyia = keyia_sign(val);
  50        sign->keyib = keyib_sign(val);
  51        sign->keyda = keyda_sign(val);
  52        sign->keydb = keydb_sign(val);
  53        sign->keyg  = keyg_sign(val);
  54}
  55
  56int n_same(struct signatures *old, struct signatures *new, int nkeys)
  57{
  58        int res = 0;
  59
  60        res += old->keyia == new->keyia;
  61        res += old->keyib == new->keyib;
  62        res += old->keyda == new->keyda;
  63        res += old->keydb == new->keydb;
  64        if (nkeys == NKEYS)
  65                res += old->keyg == new->keyg;
  66
  67        return res;
  68}
  69
  70int n_same_single_set(struct signatures *sign, int nkeys)
  71{
  72        size_t vals[nkeys];
  73        int same = 0;
  74
  75        vals[0] = sign->keyia & PAC_MASK;
  76        vals[1] = sign->keyib & PAC_MASK;
  77        vals[2] = sign->keyda & PAC_MASK;
  78        vals[3] = sign->keydb & PAC_MASK;
  79
  80        if (nkeys >= 4)
  81                vals[4] = sign->keyg & PAC_MASK;
  82
  83        for (int i = 0; i < nkeys - 1; i++) {
  84                for (int j = i + 1; j < nkeys; j++) {
  85                        if (vals[i] == vals[j])
  86                                same += 1;
  87                }
  88        }
  89        return same;
  90}
  91
  92int exec_sign_all(struct signatures *signed_vals, size_t val)
  93{
  94        int new_stdin[2];
  95        int new_stdout[2];
  96        int status;
  97        int i;
  98        ssize_t ret;
  99        pid_t pid;
 100        cpu_set_t mask;
 101
 102        ret = pipe(new_stdin);
 103        if (ret == -1) {
 104                perror("pipe returned error");
 105                return -1;
 106        }
 107
 108        ret = pipe(new_stdout);
 109        if (ret == -1) {
 110                perror("pipe returned error");
 111                return -1;
 112        }
 113
 114        /*
 115         * pin this process and all its children to a single CPU, so it can also
 116         * guarantee a context switch with its child
 117         */
 118        sched_getaffinity(0, sizeof(mask), &mask);
 119
 120        for (i = 0; i < sizeof(cpu_set_t); i++)
 121                if (CPU_ISSET(i, &mask))
 122                        break;
 123
 124        CPU_ZERO(&mask);
 125        CPU_SET(i, &mask);
 126        sched_setaffinity(0, sizeof(mask), &mask);
 127
 128        pid = fork();
 129        // child
 130        if (pid == 0) {
 131                dup2(new_stdin[0], STDIN_FILENO);
 132                if (ret == -1) {
 133                        perror("dup2 returned error");
 134                        exit(1);
 135                }
 136
 137                dup2(new_stdout[1], STDOUT_FILENO);
 138                if (ret == -1) {
 139                        perror("dup2 returned error");
 140                        exit(1);
 141                }
 142
 143                close(new_stdin[0]);
 144                close(new_stdin[1]);
 145                close(new_stdout[0]);
 146                close(new_stdout[1]);
 147
 148                ret = execl("exec_target", "exec_target", (char *)NULL);
 149                if (ret == -1) {
 150                        perror("exec returned error");
 151                        exit(1);
 152                }
 153        }
 154
 155        close(new_stdin[0]);
 156        close(new_stdout[1]);
 157
 158        ret = write(new_stdin[1], &val, sizeof(size_t));
 159        if (ret == -1) {
 160                perror("write returned error");
 161                return -1;
 162        }
 163
 164        /*
 165         * wait for the worker to finish, so that read() reads all data
 166         * will also context switch with worker so that this function can be used
 167         * for context switch tests
 168         */
 169        waitpid(pid, &status, 0);
 170        if (WIFEXITED(status) == 0) {
 171                fprintf(stderr, "worker exited unexpectedly\n");
 172                return -1;
 173        }
 174        if (WEXITSTATUS(status) != 0) {
 175                fprintf(stderr, "worker exited with error\n");
 176                return -1;
 177        }
 178
 179        ret = read(new_stdout[0], signed_vals, sizeof(struct signatures));
 180        if (ret == -1) {
 181                perror("read returned error");
 182                return -1;
 183        }
 184
 185        return 0;
 186}
 187
 188sigjmp_buf jmpbuf;
 189void pac_signal_handler(int signum, siginfo_t *si, void *uc)
 190{
 191        if (signum == SIGSEGV || signum == SIGILL)
 192                siglongjmp(jmpbuf, 1);
 193}
 194
 195/* check that a corrupted PAC results in SIGSEGV or SIGILL */
 196TEST(corrupt_pac)
 197{
 198        struct sigaction sa;
 199
 200        ASSERT_PAUTH_ENABLED();
 201        if (sigsetjmp(jmpbuf, 1) == 0) {
 202                sa.sa_sigaction = pac_signal_handler;
 203                sa.sa_flags = SA_SIGINFO | SA_RESETHAND;
 204                sigemptyset(&sa.sa_mask);
 205
 206                sigaction(SIGSEGV, &sa, NULL);
 207                sigaction(SIGILL, &sa, NULL);
 208
 209                pac_corruptor();
 210                ASSERT_TRUE(0) TH_LOG("SIGSEGV/SIGILL signal did not occur");
 211        }
 212}
 213
 214/*
 215 * There are no separate pac* and aut* controls so checking only the pac*
 216 * instructions is sufficient
 217 */
 218TEST(pac_instructions_not_nop)
 219{
 220        size_t keyia = 0;
 221        size_t keyib = 0;
 222        size_t keyda = 0;
 223        size_t keydb = 0;
 224
 225        ASSERT_PAUTH_ENABLED();
 226
 227        for (int i = 0; i < PAC_COLLISION_ATTEMPTS; i++) {
 228                keyia |= keyia_sign(i) & PAC_MASK;
 229                keyib |= keyib_sign(i) & PAC_MASK;
 230                keyda |= keyda_sign(i) & PAC_MASK;
 231                keydb |= keydb_sign(i) & PAC_MASK;
 232        }
 233
 234        ASSERT_NE(0, keyia) TH_LOG("keyia instructions did nothing");
 235        ASSERT_NE(0, keyib) TH_LOG("keyib instructions did nothing");
 236        ASSERT_NE(0, keyda) TH_LOG("keyda instructions did nothing");
 237        ASSERT_NE(0, keydb) TH_LOG("keydb instructions did nothing");
 238}
 239
 240TEST(pac_instructions_not_nop_generic)
 241{
 242        size_t keyg = 0;
 243
 244        ASSERT_GENERIC_PAUTH_ENABLED();
 245
 246        for (int i = 0; i < PAC_COLLISION_ATTEMPTS; i++)
 247                keyg |= keyg_sign(i) & PAC_MASK;
 248
 249        ASSERT_NE(0, keyg)  TH_LOG("keyg instructions did nothing");
 250}
 251
 252TEST(single_thread_different_keys)
 253{
 254        int same = 10;
 255        int nkeys = NKEYS;
 256        int tmp;
 257        struct signatures signed_vals;
 258        unsigned long hwcaps = getauxval(AT_HWCAP);
 259
 260        /* generic and data key instructions are not in NOP space. This prevents a SIGILL */
 261        ASSERT_PAUTH_ENABLED();
 262        if (!(hwcaps & HWCAP_PACG)) {
 263                TH_LOG("WARNING: Generic PAUTH not enabled. Skipping generic key checks");
 264                nkeys = NKEYS - 1;
 265        }
 266
 267        /*
 268         * In Linux the PAC field can be up to 7 bits wide. Even if keys are
 269         * different, there is about 5% chance for PACs to collide with
 270         * different addresses. This chance rapidly increases with fewer bits
 271         * allocated for the PAC (e.g. wider address). A comparison of the keys
 272         * directly will be more reliable.
 273         * All signed values need to be different at least once out of n
 274         * attempts to be certain that the keys are different
 275         */
 276        for (int i = 0; i < PAC_COLLISION_ATTEMPTS; i++) {
 277                if (nkeys == NKEYS)
 278                        sign_all(&signed_vals, i);
 279                else
 280                        sign_specific(&signed_vals, i);
 281
 282                tmp = n_same_single_set(&signed_vals, nkeys);
 283                if (tmp < same)
 284                        same = tmp;
 285        }
 286
 287        ASSERT_EQ(0, same) TH_LOG("%d keys clashed every time", same);
 288}
 289
 290/*
 291 * fork() does not change keys. Only exec() does so call a worker program.
 292 * Its only job is to sign a value and report back the resutls
 293 */
 294TEST(exec_changed_keys)
 295{
 296        struct signatures new_keys;
 297        struct signatures old_keys;
 298        int ret;
 299        int same = 10;
 300        int nkeys = NKEYS;
 301        unsigned long hwcaps = getauxval(AT_HWCAP);
 302
 303        /* generic and data key instructions are not in NOP space. This prevents a SIGILL */
 304        ASSERT_PAUTH_ENABLED();
 305        if (!(hwcaps & HWCAP_PACG)) {
 306                TH_LOG("WARNING: Generic PAUTH not enabled. Skipping generic key checks");
 307                nkeys = NKEYS - 1;
 308        }
 309
 310        for (int i = 0; i < PAC_COLLISION_ATTEMPTS; i++) {
 311                ret = exec_sign_all(&new_keys, i);
 312                ASSERT_EQ(0, ret) TH_LOG("failed to run worker");
 313
 314                if (nkeys == NKEYS)
 315                        sign_all(&old_keys, i);
 316                else
 317                        sign_specific(&old_keys, i);
 318
 319                ret = n_same(&old_keys, &new_keys, nkeys);
 320                if (ret < same)
 321                        same = ret;
 322        }
 323
 324        ASSERT_EQ(0, same) TH_LOG("exec() did not change %d keys", same);
 325}
 326
 327TEST(context_switch_keep_keys)
 328{
 329        int ret;
 330        struct signatures trash;
 331        struct signatures before;
 332        struct signatures after;
 333
 334        ASSERT_PAUTH_ENABLED();
 335
 336        sign_specific(&before, ARBITRARY_VALUE);
 337
 338        /* will context switch with a process with different keys at least once */
 339        ret = exec_sign_all(&trash, ARBITRARY_VALUE);
 340        ASSERT_EQ(0, ret) TH_LOG("failed to run worker");
 341
 342        sign_specific(&after, ARBITRARY_VALUE);
 343
 344        ASSERT_EQ(before.keyia, after.keyia) TH_LOG("keyia changed after context switching");
 345        ASSERT_EQ(before.keyib, after.keyib) TH_LOG("keyib changed after context switching");
 346        ASSERT_EQ(before.keyda, after.keyda) TH_LOG("keyda changed after context switching");
 347        ASSERT_EQ(before.keydb, after.keydb) TH_LOG("keydb changed after context switching");
 348}
 349
 350TEST(context_switch_keep_keys_generic)
 351{
 352        int ret;
 353        struct signatures trash;
 354        size_t before;
 355        size_t after;
 356
 357        ASSERT_GENERIC_PAUTH_ENABLED();
 358
 359        before = keyg_sign(ARBITRARY_VALUE);
 360
 361        /* will context switch with a process with different keys at least once */
 362        ret = exec_sign_all(&trash, ARBITRARY_VALUE);
 363        ASSERT_EQ(0, ret) TH_LOG("failed to run worker");
 364
 365        after = keyg_sign(ARBITRARY_VALUE);
 366
 367        ASSERT_EQ(before, after) TH_LOG("keyg changed after context switching");
 368}
 369
 370TEST_HARNESS_MAIN
 371