tools/testing/selftests/arm64/pauth/pac.c - linux - Git at Google

 // SPDX-License-Identifier: GPL-2.0
 // Copyright (C) 2020 ARM Limited

 #define _GNU_SOURCE

 #include <sys/auxv.h>
 #include <sys/types.h>
 #include <sys/wait.h>
 #include <signal.h>
 #include <setjmp.h>
 #include <sched.h>

 #include "../../kselftest_harness.h"
 #include "helper.h"

 #define PAC_COLLISION_ATTEMPTS 10
 /*
  * The kernel sets TBID by default. So bits 55 and above should remain
  * untouched no matter what.
  * The VA space size is 48 bits. Bigger is opt-in.
  */
 #define PAC_MASK (~0xff80ffffffffffff)
 #define ARBITRARY_VALUE (0x1234)
 #define ASSERT_PAUTH_ENABLED() \
 do { \
 	unsigned long hwcaps = getauxval(AT_HWCAP); \
 	/* data key instructions are not in NOP space. This prevents a SIGILL */ \
 	ASSERT_NE(0, hwcaps & HWCAP_PACA) TH_LOG("PAUTH not enabled"); \
 } while (0)
 #define ASSERT_GENERIC_PAUTH_ENABLED() \
 do { \
 	unsigned long hwcaps = getauxval(AT_HWCAP); \
 	/* generic key instructions are not in NOP space. This prevents a SIGILL */ \
 	ASSERT_NE(0, hwcaps & HWCAP_PACG) TH_LOG("Generic PAUTH not enabled"); \
 } while (0)

 void sign_specific(struct signatures *sign, size_t val)
 {
 	sign->keyia = keyia_sign(val);
 	sign->keyib = keyib_sign(val);
 	sign->keyda = keyda_sign(val);
 	sign->keydb = keydb_sign(val);
 }

 void sign_all(struct signatures *sign, size_t val)
 {
 	sign->keyia = keyia_sign(val);
 	sign->keyib = keyib_sign(val);
 	sign->keyda = keyda_sign(val);
 	sign->keydb = keydb_sign(val);
 	sign->keyg  = keyg_sign(val);
 }

 int n_same(struct signatures *old, struct signatures *new, int nkeys)
 {
 	int res = 0;

 	res += old->keyia == new->keyia;
 	res += old->keyib == new->keyib;
 	res += old->keyda == new->keyda;
 	res += old->keydb == new->keydb;
 	if (nkeys == NKEYS)
 		res += old->keyg == new->keyg;

 	return res;
 }

 int n_same_single_set(struct signatures *sign, int nkeys)
 {
 	size_t vals[nkeys];
 	int same = 0;

 	vals[0] = sign->keyia & PAC_MASK;
 	vals[1] = sign->keyib & PAC_MASK;
 	vals[2] = sign->keyda & PAC_MASK;
 	vals[3] = sign->keydb & PAC_MASK;

 	if (nkeys >= 4)
 		vals[4] = sign->keyg & PAC_MASK;

 	for (int i = 0; i < nkeys - 1; i++) {
 		for (int j = i + 1; j < nkeys; j++) {
 			if (vals[i] == vals[j])
 				same += 1;
 		}
 	}
 	return same;
 }

 int exec_sign_all(struct signatures *signed_vals, size_t val)
 {
 	int new_stdin[2];
 	int new_stdout[2];
 	int status;
 	int i;
 	ssize_t ret;
 	pid_t pid;
 	cpu_set_t mask;

 	ret = pipe(new_stdin);
 	if (ret == -1) {
 		perror("pipe returned error");
 		return -1;
 	}

 	ret = pipe(new_stdout);
 	if (ret == -1) {
 		perror("pipe returned error");
 		return -1;
 	}

 	/*
 	 * pin this process and all its children to a single CPU, so it can also
 	 * guarantee a context switch with its child
 	 */
 	sched_getaffinity(0, sizeof(mask), &mask);

 	for (i = 0; i < sizeof(cpu_set_t); i++)
 		if (CPU_ISSET(i, &mask))
 			break;

 	CPU_ZERO(&mask);
 	CPU_SET(i, &mask);
 	sched_setaffinity(0, sizeof(mask), &mask);

 	pid = fork();
 	// child
 	if (pid == 0) {
 		dup2(new_stdin[0], STDIN_FILENO);
 		if (ret == -1) {
 			perror("dup2 returned error");
 			exit(1);
 		}

 		dup2(new_stdout[1], STDOUT_FILENO);
 		if (ret == -1) {
 			perror("dup2 returned error");
 			exit(1);
 		}

 		close(new_stdin[0]);
 		close(new_stdin[1]);
 		close(new_stdout[0]);
 		close(new_stdout[1]);

 		ret = execl("exec_target", "exec_target", (char *)NULL);
 		if (ret == -1) {
 			perror("exec returned error");
 			exit(1);
 		}
 	}

 	close(new_stdin[0]);
 	close(new_stdout[1]);

 	ret = write(new_stdin[1], &val, sizeof(size_t));
 	if (ret == -1) {
 		perror("write returned error");
 		return -1;
 	}

 	/*
 	 * wait for the worker to finish, so that read() reads all data
 	 * will also context switch with worker so that this function can be used
 	 * for context switch tests
 	 */
 	waitpid(pid, &status, 0);
 	if (WIFEXITED(status) == 0) {
 		fprintf(stderr, "worker exited unexpectedly\n");
 		return -1;
 	}
 	if (WEXITSTATUS(status) != 0) {
 		fprintf(stderr, "worker exited with error\n");
 		return -1;
 	}

 	ret = read(new_stdout[0], signed_vals, sizeof(struct signatures));
 	if (ret == -1) {
 		perror("read returned error");
 		return -1;
 	}

 	return 0;
 }

 sigjmp_buf jmpbuf;
 void pac_signal_handler(int signum, siginfo_t *si, void *uc)
 {
 	if (signum == SIGSEGV || signum == SIGILL)
 		siglongjmp(jmpbuf, 1);
 }

 /* check that a corrupted PAC results in SIGSEGV or SIGILL */
 TEST(corrupt_pac)
 {
 	struct sigaction sa;

 	ASSERT_PAUTH_ENABLED();
 	if (sigsetjmp(jmpbuf, 1) == 0) {
 		sa.sa_sigaction = pac_signal_handler;
 		sa.sa_flags = SA_SIGINFO | SA_RESETHAND;
 		sigemptyset(&sa.sa_mask);

 		sigaction(SIGSEGV, &sa, NULL);
 		sigaction(SIGILL, &sa, NULL);

 		pac_corruptor();
 		ASSERT_TRUE(0) TH_LOG("SIGSEGV/SIGILL signal did not occur");
 	}
 }

 /*
  * There are no separate pac* and aut* controls so checking only the pac*
  * instructions is sufficient
  */
 TEST(pac_instructions_not_nop)
 {
 	size_t keyia = 0;
 	size_t keyib = 0;
 	size_t keyda = 0;
 	size_t keydb = 0;

 	ASSERT_PAUTH_ENABLED();

 	for (int i = 0; i < PAC_COLLISION_ATTEMPTS; i++) {
 		keyia |= keyia_sign(i) & PAC_MASK;
 		keyib |= keyib_sign(i) & PAC_MASK;
 		keyda |= keyda_sign(i) & PAC_MASK;
 		keydb |= keydb_sign(i) & PAC_MASK;
 	}

 	ASSERT_NE(0, keyia) TH_LOG("keyia instructions did nothing");
 	ASSERT_NE(0, keyib) TH_LOG("keyib instructions did nothing");
 	ASSERT_NE(0, keyda) TH_LOG("keyda instructions did nothing");
 	ASSERT_NE(0, keydb) TH_LOG("keydb instructions did nothing");
 }

 TEST(pac_instructions_not_nop_generic)
 {
 	size_t keyg = 0;

 	ASSERT_GENERIC_PAUTH_ENABLED();

 	for (int i = 0; i < PAC_COLLISION_ATTEMPTS; i++)
 		keyg |= keyg_sign(i) & PAC_MASK;

 	ASSERT_NE(0, keyg)  TH_LOG("keyg instructions did nothing");
 }

 TEST(single_thread_different_keys)
 {
 	int same = 10;
 	int nkeys = NKEYS;
 	int tmp;
 	struct signatures signed_vals;
 	unsigned long hwcaps = getauxval(AT_HWCAP);

 	/* generic and data key instructions are not in NOP space. This prevents a SIGILL */
 	ASSERT_NE(0, hwcaps & HWCAP_PACA) TH_LOG("PAUTH not enabled");
 	if (!(hwcaps & HWCAP_PACG)) {
 		TH_LOG("WARNING: Generic PAUTH not enabled. Skipping generic key checks");
 		nkeys = NKEYS - 1;
 	}

 	/*
 	 * In Linux the PAC field can be up to 7 bits wide. Even if keys are
 	 * different, there is about 5% chance for PACs to collide with
 	 * different addresses. This chance rapidly increases with fewer bits
 	 * allocated for the PAC (e.g. wider address). A comparison of the keys
 	 * directly will be more reliable.
 	 * All signed values need to be different at least once out of n
 	 * attempts to be certain that the keys are different
 	 */
 	for (int i = 0; i < PAC_COLLISION_ATTEMPTS; i++) {
 		if (nkeys == NKEYS)
 			sign_all(&signed_vals, i);
 		else
 			sign_specific(&signed_vals, i);

 		tmp = n_same_single_set(&signed_vals, nkeys);
 		if (tmp < same)
 			same = tmp;
 	}

 	ASSERT_EQ(0, same) TH_LOG("%d keys clashed every time", same);
 }

 /*
  * fork() does not change keys. Only exec() does so call a worker program.
  * Its only job is to sign a value and report back the resutls
  */
 TEST(exec_changed_keys)
 {
 	struct signatures new_keys;
 	struct signatures old_keys;
 	int ret;
 	int same = 10;
 	int nkeys = NKEYS;
 	unsigned long hwcaps = getauxval(AT_HWCAP);

 	/* generic and data key instructions are not in NOP space. This prevents a SIGILL */
 	ASSERT_NE(0, hwcaps & HWCAP_PACA) TH_LOG("PAUTH not enabled");
 	if (!(hwcaps & HWCAP_PACG)) {
 		TH_LOG("WARNING: Generic PAUTH not enabled. Skipping generic key checks");
 		nkeys = NKEYS - 1;
 	}

 	for (int i = 0; i < PAC_COLLISION_ATTEMPTS; i++) {
 		ret = exec_sign_all(&new_keys, i);
 		ASSERT_EQ(0, ret) TH_LOG("failed to run worker");

 		if (nkeys == NKEYS)
 			sign_all(&old_keys, i);
 		else
 			sign_specific(&old_keys, i);

 		ret = n_same(&old_keys, &new_keys, nkeys);
 		if (ret < same)
 			same = ret;
 	}

 	ASSERT_EQ(0, same) TH_LOG("exec() did not change %d keys", same);
 }

 TEST(context_switch_keep_keys)
 {
 	int ret;
 	struct signatures trash;
 	struct signatures before;
 	struct signatures after;

 	ASSERT_PAUTH_ENABLED();

 	sign_specific(&before, ARBITRARY_VALUE);

 	/* will context switch with a process with different keys at least once */
 	ret = exec_sign_all(&trash, ARBITRARY_VALUE);
 	ASSERT_EQ(0, ret) TH_LOG("failed to run worker");

 	sign_specific(&after, ARBITRARY_VALUE);

 	ASSERT_EQ(before.keyia, after.keyia) TH_LOG("keyia changed after context switching");
 	ASSERT_EQ(before.keyib, after.keyib) TH_LOG("keyib changed after context switching");
 	ASSERT_EQ(before.keyda, after.keyda) TH_LOG("keyda changed after context switching");
 	ASSERT_EQ(before.keydb, after.keydb) TH_LOG("keydb changed after context switching");
 }

 TEST(context_switch_keep_keys_generic)
 {
 	int ret;
 	struct signatures trash;
 	size_t before;
 	size_t after;

 	ASSERT_GENERIC_PAUTH_ENABLED();

 	before = keyg_sign(ARBITRARY_VALUE);

 	/* will context switch with a process with different keys at least once */
 	ret = exec_sign_all(&trash, ARBITRARY_VALUE);
 	ASSERT_EQ(0, ret) TH_LOG("failed to run worker");

 	after = keyg_sign(ARBITRARY_VALUE);

 	ASSERT_EQ(before, after) TH_LOG("keyg changed after context switching");
 }

 TEST_HARNESS_MAIN
	// SPDX-License-Identifier: GPL-2.0
	// Copyright (C) 2020 ARM Limited

	#define _GNU_SOURCE

	#include <sys/auxv.h>
	#include <sys/types.h>
	#include <sys/wait.h>
	#include <signal.h>
	#include <setjmp.h>
	#include <sched.h>

	#include "../../kselftest_harness.h"
	#include "helper.h"

	#define PAC_COLLISION_ATTEMPTS 10
	/*
	* The kernel sets TBID by default. So bits 55 and above should remain
	* untouched no matter what.
	* The VA space size is 48 bits. Bigger is opt-in.
	*/
	#define PAC_MASK (~0xff80ffffffffffff)
	#define ARBITRARY_VALUE (0x1234)
	#define ASSERT_PAUTH_ENABLED() \
	do { \
	unsigned long hwcaps = getauxval(AT_HWCAP); \
	/* data key instructions are not in NOP space. This prevents a SIGILL */ \
	ASSERT_NE(0, hwcaps & HWCAP_PACA) TH_LOG("PAUTH not enabled"); \
	} while (0)
	#define ASSERT_GENERIC_PAUTH_ENABLED() \
	do { \
	unsigned long hwcaps = getauxval(AT_HWCAP); \
	/* generic key instructions are not in NOP space. This prevents a SIGILL */ \
	ASSERT_NE(0, hwcaps & HWCAP_PACG) TH_LOG("Generic PAUTH not enabled"); \
	} while (0)

	void sign_specific(struct signatures *sign, size_t val)
	{
	sign->keyia = keyia_sign(val);
	sign->keyib = keyib_sign(val);
	sign->keyda = keyda_sign(val);
	sign->keydb = keydb_sign(val);
	}

	void sign_all(struct signatures *sign, size_t val)
	{
	sign->keyia = keyia_sign(val);
	sign->keyib = keyib_sign(val);
	sign->keyda = keyda_sign(val);
	sign->keydb = keydb_sign(val);
	sign->keyg = keyg_sign(val);
	}

	int n_same(struct signatures old, struct signatures new, int nkeys)
	{
	int res = 0;

	res += old->keyia == new->keyia;
	res += old->keyib == new->keyib;
	res += old->keyda == new->keyda;
	res += old->keydb == new->keydb;
	if (nkeys == NKEYS)
	res += old->keyg == new->keyg;

	return res;
	}

	int n_same_single_set(struct signatures *sign, int nkeys)
	{
	size_t vals[nkeys];
	int same = 0;

	vals[0] = sign->keyia & PAC_MASK;
	vals[1] = sign->keyib & PAC_MASK;
	vals[2] = sign->keyda & PAC_MASK;
	vals[3] = sign->keydb & PAC_MASK;

	if (nkeys >= 4)
	vals[4] = sign->keyg & PAC_MASK;

	for (int i = 0; i < nkeys - 1; i++) {
	for (int j = i + 1; j < nkeys; j++) {
	if (vals[i] == vals[j])
	same += 1;
	}
	}
	return same;
	}

	int exec_sign_all(struct signatures *signed_vals, size_t val)
	{
	int new_stdin[2];
	int new_stdout[2];
	int status;
	int i;
	ssize_t ret;
	pid_t pid;
	cpu_set_t mask;

	ret = pipe(new_stdin);
	if (ret == -1) {
	perror("pipe returned error");
	return -1;
	}

	ret = pipe(new_stdout);
	if (ret == -1) {
	perror("pipe returned error");
	return -1;
	}

	/*
	* pin this process and all its children to a single CPU, so it can also
	* guarantee a context switch with its child
	*/
	sched_getaffinity(0, sizeof(mask), &mask);

	for (i = 0; i < sizeof(cpu_set_t); i++)
	if (CPU_ISSET(i, &mask))
	break;

	CPU_ZERO(&mask);
	CPU_SET(i, &mask);
	sched_setaffinity(0, sizeof(mask), &mask);

	pid = fork();
	// child
	if (pid == 0) {
	dup2(new_stdin[0], STDIN_FILENO);
	if (ret == -1) {
	perror("dup2 returned error");
	exit(1);
	}

	dup2(new_stdout[1], STDOUT_FILENO);
	if (ret == -1) {
	perror("dup2 returned error");
	exit(1);
	}

	close(new_stdin[0]);
	close(new_stdin[1]);
	close(new_stdout[0]);
	close(new_stdout[1]);

	ret = execl("exec_target", "exec_target", (char *)NULL);
	if (ret == -1) {
	perror("exec returned error");
	exit(1);
	}
	}

	close(new_stdin[0]);
	close(new_stdout[1]);

	ret = write(new_stdin[1], &val, sizeof(size_t));
	if (ret == -1) {
	perror("write returned error");
	return -1;
	}

	/*
	* wait for the worker to finish, so that read() reads all data
	* will also context switch with worker so that this function can be used
	* for context switch tests
	*/
	waitpid(pid, &status, 0);
	if (WIFEXITED(status) == 0) {
	fprintf(stderr, "worker exited unexpectedly\n");
	return -1;
	}
	if (WEXITSTATUS(status) != 0) {
	fprintf(stderr, "worker exited with error\n");
	return -1;
	}

	ret = read(new_stdout[0], signed_vals, sizeof(struct signatures));
	if (ret == -1) {
	perror("read returned error");
	return -1;
	}

	return 0;
	}

	sigjmp_buf jmpbuf;
	void pac_signal_handler(int signum, siginfo_t si, void uc)
	{
	if (signum == SIGSEGV \|\| signum == SIGILL)
	siglongjmp(jmpbuf, 1);
	}

	/* check that a corrupted PAC results in SIGSEGV or SIGILL */
	TEST(corrupt_pac)
	{
	struct sigaction sa;

	ASSERT_PAUTH_ENABLED();
	if (sigsetjmp(jmpbuf, 1) == 0) {
	sa.sa_sigaction = pac_signal_handler;
	sa.sa_flags = SA_SIGINFO \| SA_RESETHAND;
	sigemptyset(&sa.sa_mask);

	sigaction(SIGSEGV, &sa, NULL);
	sigaction(SIGILL, &sa, NULL);

	pac_corruptor();
	ASSERT_TRUE(0) TH_LOG("SIGSEGV/SIGILL signal did not occur");
	}
	}

	/*
	* There are no separate pac* and aut* controls so checking only the pac*
	* instructions is sufficient
	*/
	TEST(pac_instructions_not_nop)
	{
	size_t keyia = 0;
	size_t keyib = 0;
	size_t keyda = 0;
	size_t keydb = 0;

	ASSERT_PAUTH_ENABLED();

	for (int i = 0; i < PAC_COLLISION_ATTEMPTS; i++) {
	keyia \|= keyia_sign(i) & PAC_MASK;
	keyib \|= keyib_sign(i) & PAC_MASK;
	keyda \|= keyda_sign(i) & PAC_MASK;
	keydb \|= keydb_sign(i) & PAC_MASK;
	}

	ASSERT_NE(0, keyia) TH_LOG("keyia instructions did nothing");
	ASSERT_NE(0, keyib) TH_LOG("keyib instructions did nothing");
	ASSERT_NE(0, keyda) TH_LOG("keyda instructions did nothing");
	ASSERT_NE(0, keydb) TH_LOG("keydb instructions did nothing");
	}

	TEST(pac_instructions_not_nop_generic)
	{
	size_t keyg = 0;

	ASSERT_GENERIC_PAUTH_ENABLED();

	for (int i = 0; i < PAC_COLLISION_ATTEMPTS; i++)
	keyg \|= keyg_sign(i) & PAC_MASK;

	ASSERT_NE(0, keyg) TH_LOG("keyg instructions did nothing");
	}

	TEST(single_thread_different_keys)
	{
	int same = 10;
	int nkeys = NKEYS;
	int tmp;
	struct signatures signed_vals;
	unsigned long hwcaps = getauxval(AT_HWCAP);

	/* generic and data key instructions are not in NOP space. This prevents a SIGILL */
	ASSERT_NE(0, hwcaps & HWCAP_PACA) TH_LOG("PAUTH not enabled");
	if (!(hwcaps & HWCAP_PACG)) {
	TH_LOG("WARNING: Generic PAUTH not enabled. Skipping generic key checks");
	nkeys = NKEYS - 1;
	}

	/*
	* In Linux the PAC field can be up to 7 bits wide. Even if keys are
	* different, there is about 5% chance for PACs to collide with
	* different addresses. This chance rapidly increases with fewer bits
	* allocated for the PAC (e.g. wider address). A comparison of the keys
	* directly will be more reliable.
	* All signed values need to be different at least once out of n
	* attempts to be certain that the keys are different
	*/
	for (int i = 0; i < PAC_COLLISION_ATTEMPTS; i++) {
	if (nkeys == NKEYS)
	sign_all(&signed_vals, i);
	else
	sign_specific(&signed_vals, i);

	tmp = n_same_single_set(&signed_vals, nkeys);
	if (tmp < same)
	same = tmp;
	}

	ASSERT_EQ(0, same) TH_LOG("%d keys clashed every time", same);
	}

	/*
	* fork() does not change keys. Only exec() does so call a worker program.
	* Its only job is to sign a value and report back the resutls
	*/
	TEST(exec_changed_keys)
	{
	struct signatures new_keys;
	struct signatures old_keys;
	int ret;
	int same = 10;
	int nkeys = NKEYS;
	unsigned long hwcaps = getauxval(AT_HWCAP);

	/* generic and data key instructions are not in NOP space. This prevents a SIGILL */
	ASSERT_NE(0, hwcaps & HWCAP_PACA) TH_LOG("PAUTH not enabled");
	if (!(hwcaps & HWCAP_PACG)) {
	TH_LOG("WARNING: Generic PAUTH not enabled. Skipping generic key checks");
	nkeys = NKEYS - 1;
	}

	for (int i = 0; i < PAC_COLLISION_ATTEMPTS; i++) {
	ret = exec_sign_all(&new_keys, i);
	ASSERT_EQ(0, ret) TH_LOG("failed to run worker");

	if (nkeys == NKEYS)
	sign_all(&old_keys, i);
	else
	sign_specific(&old_keys, i);

	ret = n_same(&old_keys, &new_keys, nkeys);
	if (ret < same)
	same = ret;
	}

	ASSERT_EQ(0, same) TH_LOG("exec() did not change %d keys", same);
	}

	TEST(context_switch_keep_keys)
	{
	int ret;
	struct signatures trash;
	struct signatures before;
	struct signatures after;

	ASSERT_PAUTH_ENABLED();

	sign_specific(&before, ARBITRARY_VALUE);

	/* will context switch with a process with different keys at least once */
	ret = exec_sign_all(&trash, ARBITRARY_VALUE);
	ASSERT_EQ(0, ret) TH_LOG("failed to run worker");

	sign_specific(&after, ARBITRARY_VALUE);

	ASSERT_EQ(before.keyia, after.keyia) TH_LOG("keyia changed after context switching");
	ASSERT_EQ(before.keyib, after.keyib) TH_LOG("keyib changed after context switching");
	ASSERT_EQ(before.keyda, after.keyda) TH_LOG("keyda changed after context switching");
	ASSERT_EQ(before.keydb, after.keydb) TH_LOG("keydb changed after context switching");
	}

	TEST(context_switch_keep_keys_generic)
	{
	int ret;
	struct signatures trash;
	size_t before;
	size_t after;

	ASSERT_GENERIC_PAUTH_ENABLED();

	before = keyg_sign(ARBITRARY_VALUE);

	/* will context switch with a process with different keys at least once */
	ret = exec_sign_all(&trash, ARBITRARY_VALUE);
	ASSERT_EQ(0, ret) TH_LOG("failed to run worker");

	after = keyg_sign(ARBITRARY_VALUE);

	ASSERT_EQ(before, after) TH_LOG("keyg changed after context switching");
	}

	TEST_HARNESS_MAIN