1 // SPDX-License-Identifier: GPL-2.0 2 // Copyright (C) 2020 ARM Limited 3 4 #define _GNU_SOURCE 5 6 #include <sys/auxv.h> 7 #include <sys/types.h> 8 #include <sys/wait.h> 9 #include <signal.h> 10 #include <setjmp.h> 11 #include <sched.h> 12 13 #include "../../kselftest_harness.h" 14 #include "helper.h" 15 16 #define PAC_COLLISION_ATTEMPTS 10 17 /* 18 * The kernel sets TBID by default. So bits 55 and above should remain 19 * untouched no matter what. 20 * The VA space size is 48 bits. Bigger is opt-in. 21 */ 22 #define PAC_MASK (~0xff80ffffffffffff) 23 #define ARBITRARY_VALUE (0x1234) 24 #define ASSERT_PAUTH_ENABLED() \ 25 do { \ 26 unsigned long hwcaps = getauxval(AT_HWCAP); \ 27 /* data key instructions are not in NOP space. This prevents a SIGILL */ \ 28 if (!(hwcaps & HWCAP_PACA)) \ 29 SKIP(return, "PAUTH not enabled"); \ 30 } while (0) 31 #define ASSERT_GENERIC_PAUTH_ENABLED() \ 32 do { \ 33 unsigned long hwcaps = getauxval(AT_HWCAP); \ 34 /* generic key instructions are not in NOP space. This prevents a SIGILL */ \ 35 if (!(hwcaps & HWCAP_PACG)) \ 36 SKIP(return, "Generic PAUTH not enabled"); \ 37 } while (0) 38 39 void sign_specific(struct signatures *sign, size_t val) 40 { 41 sign->keyia = keyia_sign(val); 42 sign->keyib = keyib_sign(val); 43 sign->keyda = keyda_sign(val); 44 sign->keydb = keydb_sign(val); 45 } 46 47 void sign_all(struct signatures *sign, size_t val) 48 { 49 sign->keyia = keyia_sign(val); 50 sign->keyib = keyib_sign(val); 51 sign->keyda = keyda_sign(val); 52 sign->keydb = keydb_sign(val); 53 sign->keyg = keyg_sign(val); 54 } 55 56 int n_same(struct signatures *old, struct signatures *new, int nkeys) 57 { 58 int res = 0; 59 60 res += old->keyia == new->keyia; 61 res += old->keyib == new->keyib; 62 res += old->keyda == new->keyda; 63 res += old->keydb == new->keydb; 64 if (nkeys == NKEYS) 65 res += old->keyg == new->keyg; 66 67 return res; 68 } 69 70 int n_same_single_set(struct signatures *sign, int nkeys) 71 { 72 size_t vals[nkeys]; 73 int same = 0; 74 75 vals[0] = sign->keyia & PAC_MASK; 76 vals[1] = sign->keyib & PAC_MASK; 77 vals[2] = sign->keyda & PAC_MASK; 78 vals[3] = sign->keydb & PAC_MASK; 79 80 if (nkeys >= 4) 81 vals[4] = sign->keyg & PAC_MASK; 82 83 for (int i = 0; i < nkeys - 1; i++) { 84 for (int j = i + 1; j < nkeys; j++) { 85 if (vals[i] == vals[j]) 86 same += 1; 87 } 88 } 89 return same; 90 } 91 92 int exec_sign_all(struct signatures *signed_vals, size_t val) 93 { 94 int new_stdin[2]; 95 int new_stdout[2]; 96 int status; 97 int i; 98 ssize_t ret; 99 pid_t pid; 100 cpu_set_t mask; 101 102 ret = pipe(new_stdin); 103 if (ret == -1) { 104 perror("pipe returned error"); 105 return -1; 106 } 107 108 ret = pipe(new_stdout); 109 if (ret == -1) { 110 perror("pipe returned error"); 111 return -1; 112 } 113 114 /* 115 * pin this process and all its children to a single CPU, so it can also 116 * guarantee a context switch with its child 117 */ 118 sched_getaffinity(0, sizeof(mask), &mask); 119 120 for (i = 0; i < sizeof(cpu_set_t); i++) 121 if (CPU_ISSET(i, &mask)) 122 break; 123 124 CPU_ZERO(&mask); 125 CPU_SET(i, &mask); 126 sched_setaffinity(0, sizeof(mask), &mask); 127 128 pid = fork(); 129 // child 130 if (pid == 0) { 131 dup2(new_stdin[0], STDIN_FILENO); 132 if (ret == -1) { 133 perror("dup2 returned error"); 134 exit(1); 135 } 136 137 dup2(new_stdout[1], STDOUT_FILENO); 138 if (ret == -1) { 139 perror("dup2 returned error"); 140 exit(1); 141 } 142 143 close(new_stdin[0]); 144 close(new_stdin[1]); 145 close(new_stdout[0]); 146 close(new_stdout[1]); 147 148 ret = execl("exec_target", "exec_target", (char *)NULL); 149 if (ret == -1) { 150 perror("exec returned error"); 151 exit(1); 152 } 153 } 154 155 close(new_stdin[0]); 156 close(new_stdout[1]); 157 158 ret = write(new_stdin[1], &val, sizeof(size_t)); 159 if (ret == -1) { 160 perror("write returned error"); 161 return -1; 162 } 163 164 /* 165 * wait for the worker to finish, so that read() reads all data 166 * will also context switch with worker so that this function can be used 167 * for context switch tests 168 */ 169 waitpid(pid, &status, 0); 170 if (WIFEXITED(status) == 0) { 171 fprintf(stderr, "worker exited unexpectedly\n"); 172 return -1; 173 } 174 if (WEXITSTATUS(status) != 0) { 175 fprintf(stderr, "worker exited with error\n"); 176 return -1; 177 } 178 179 ret = read(new_stdout[0], signed_vals, sizeof(struct signatures)); 180 if (ret == -1) { 181 perror("read returned error"); 182 return -1; 183 } 184 185 return 0; 186 } 187 188 sigjmp_buf jmpbuf; 189 void pac_signal_handler(int signum, siginfo_t *si, void *uc) 190 { 191 if (signum == SIGSEGV || signum == SIGILL) 192 siglongjmp(jmpbuf, 1); 193 } 194 195 /* check that a corrupted PAC results in SIGSEGV or SIGILL */ 196 TEST(corrupt_pac) 197 { 198 struct sigaction sa; 199 200 ASSERT_PAUTH_ENABLED(); 201 if (sigsetjmp(jmpbuf, 1) == 0) { 202 sa.sa_sigaction = pac_signal_handler; 203 sa.sa_flags = SA_SIGINFO | SA_RESETHAND; 204 sigemptyset(&sa.sa_mask); 205 206 sigaction(SIGSEGV, &sa, NULL); 207 sigaction(SIGILL, &sa, NULL); 208 209 pac_corruptor(); 210 ASSERT_TRUE(0) TH_LOG("SIGSEGV/SIGILL signal did not occur"); 211 } 212 } 213 214 /* 215 * There are no separate pac* and aut* controls so checking only the pac* 216 * instructions is sufficient 217 */ 218 TEST(pac_instructions_not_nop) 219 { 220 size_t keyia = 0; 221 size_t keyib = 0; 222 size_t keyda = 0; 223 size_t keydb = 0; 224 225 ASSERT_PAUTH_ENABLED(); 226 227 for (int i = 0; i < PAC_COLLISION_ATTEMPTS; i++) { 228 keyia |= keyia_sign(i) & PAC_MASK; 229 keyib |= keyib_sign(i) & PAC_MASK; 230 keyda |= keyda_sign(i) & PAC_MASK; 231 keydb |= keydb_sign(i) & PAC_MASK; 232 } 233 234 ASSERT_NE(0, keyia) TH_LOG("keyia instructions did nothing"); 235 ASSERT_NE(0, keyib) TH_LOG("keyib instructions did nothing"); 236 ASSERT_NE(0, keyda) TH_LOG("keyda instructions did nothing"); 237 ASSERT_NE(0, keydb) TH_LOG("keydb instructions did nothing"); 238 } 239 240 TEST(pac_instructions_not_nop_generic) 241 { 242 size_t keyg = 0; 243 244 ASSERT_GENERIC_PAUTH_ENABLED(); 245 246 for (int i = 0; i < PAC_COLLISION_ATTEMPTS; i++) 247 keyg |= keyg_sign(i) & PAC_MASK; 248 249 ASSERT_NE(0, keyg) TH_LOG("keyg instructions did nothing"); 250 } 251 252 TEST(single_thread_different_keys) 253 { 254 int same = 10; 255 int nkeys = NKEYS; 256 int tmp; 257 struct signatures signed_vals; 258 unsigned long hwcaps = getauxval(AT_HWCAP); 259 260 /* generic and data key instructions are not in NOP space. This prevents a SIGILL */ 261 ASSERT_PAUTH_ENABLED(); 262 if (!(hwcaps & HWCAP_PACG)) { 263 TH_LOG("WARNING: Generic PAUTH not enabled. Skipping generic key checks"); 264 nkeys = NKEYS - 1; 265 } 266 267 /* 268 * In Linux the PAC field can be up to 7 bits wide. Even if keys are 269 * different, there is about 5% chance for PACs to collide with 270 * different addresses. This chance rapidly increases with fewer bits 271 * allocated for the PAC (e.g. wider address). A comparison of the keys 272 * directly will be more reliable. 273 * All signed values need to be different at least once out of n 274 * attempts to be certain that the keys are different 275 */ 276 for (int i = 0; i < PAC_COLLISION_ATTEMPTS; i++) { 277 if (nkeys == NKEYS) 278 sign_all(&signed_vals, i); 279 else 280 sign_specific(&signed_vals, i); 281 282 tmp = n_same_single_set(&signed_vals, nkeys); 283 if (tmp < same) 284 same = tmp; 285 } 286 287 ASSERT_EQ(0, same) TH_LOG("%d keys clashed every time", same); 288 } 289 290 /* 291 * fork() does not change keys. Only exec() does so call a worker program. 292 * Its only job is to sign a value and report back the resutls 293 */ 294 TEST(exec_changed_keys) 295 { 296 struct signatures new_keys; 297 struct signatures old_keys; 298 int ret; 299 int same = 10; 300 int nkeys = NKEYS; 301 unsigned long hwcaps = getauxval(AT_HWCAP); 302 303 /* generic and data key instructions are not in NOP space. This prevents a SIGILL */ 304 ASSERT_PAUTH_ENABLED(); 305 if (!(hwcaps & HWCAP_PACG)) { 306 TH_LOG("WARNING: Generic PAUTH not enabled. Skipping generic key checks"); 307 nkeys = NKEYS - 1; 308 } 309 310 for (int i = 0; i < PAC_COLLISION_ATTEMPTS; i++) { 311 ret = exec_sign_all(&new_keys, i); 312 ASSERT_EQ(0, ret) TH_LOG("failed to run worker"); 313 314 if (nkeys == NKEYS) 315 sign_all(&old_keys, i); 316 else 317 sign_specific(&old_keys, i); 318 319 ret = n_same(&old_keys, &new_keys, nkeys); 320 if (ret < same) 321 same = ret; 322 } 323 324 ASSERT_EQ(0, same) TH_LOG("exec() did not change %d keys", same); 325 } 326 327 TEST(context_switch_keep_keys) 328 { 329 int ret; 330 struct signatures trash; 331 struct signatures before; 332 struct signatures after; 333 334 ASSERT_PAUTH_ENABLED(); 335 336 sign_specific(&before, ARBITRARY_VALUE); 337 338 /* will context switch with a process with different keys at least once */ 339 ret = exec_sign_all(&trash, ARBITRARY_VALUE); 340 ASSERT_EQ(0, ret) TH_LOG("failed to run worker"); 341 342 sign_specific(&after, ARBITRARY_VALUE); 343 344 ASSERT_EQ(before.keyia, after.keyia) TH_LOG("keyia changed after context switching"); 345 ASSERT_EQ(before.keyib, after.keyib) TH_LOG("keyib changed after context switching"); 346 ASSERT_EQ(before.keyda, after.keyda) TH_LOG("keyda changed after context switching"); 347 ASSERT_EQ(before.keydb, after.keydb) TH_LOG("keydb changed after context switching"); 348 } 349 350 TEST(context_switch_keep_keys_generic) 351 { 352 int ret; 353 struct signatures trash; 354 size_t before; 355 size_t after; 356 357 ASSERT_GENERIC_PAUTH_ENABLED(); 358 359 before = keyg_sign(ARBITRARY_VALUE); 360 361 /* will context switch with a process with different keys at least once */ 362 ret = exec_sign_all(&trash, ARBITRARY_VALUE); 363 ASSERT_EQ(0, ret) TH_LOG("failed to run worker"); 364 365 after = keyg_sign(ARBITRARY_VALUE); 366 367 ASSERT_EQ(before, after) TH_LOG("keyg changed after context switching"); 368 } 369 370 TEST_HARNESS_MAIN 371
Linux® is a registered trademark of Linus Torvalds in the United States and other countries.
TOMOYO® is a registered trademark of NTT DATA CORPORATION.