On Fri, Feb 12, 2021 at 3:01 AM James Morse <james.morse@xxxxxxx> wrote: > > Hi Peter, > > On 12/02/2021 05:01, Peter Collingbourne wrote: > > On Tue, Jan 26, 2021 at 5:09 AM Will Deacon <will@xxxxxxxxxx> wrote: > >> > >> On Tue, Dec 29, 2020 at 10:59:15PM -0800, Peter Collingbourne wrote: > >>> The kernel does not use any keys besides IA so we don't need to > >>> install IB/DA/DB/GA on kernel exit if we arrange to install them > >>> on task switch instead, which we can expect to happen an order of > >>> magnitude less often. > >>> > >>> Furthermore we can avoid installing the user IA in the case where the > >>> user task has IA disabled and just leave the kernel IA installed. This > >>> also lets us avoid needing to install IA on kernel entry. > >> > >> I've got to be honest, this makes me nervous in case there is a way for > >> userspace to recover the kernel key even though EnIA is clear. Currently, > >> EnIA doesn't affect XPAC* and PACGA instructions, and the architecture > > > For GA I would expect it to be controlled by a hypothetical EnGA, not > > by EnIA (and I'm a bit surprised that there isn't an EnGA; > > PACGA is undefined if the CPU doesn't implement PAC, whereas PACIASP is a NOP if the CPU > doesn't implement PAC. > > I think the reason from the SCTLR_ELx controls is to make unaware systems transform the > instructions that were hints back into hints. (e.g. the AddPACIA psuedo code). This is > needed on mismatched big-little systems, otherwise processes can't be migrated between them. It's needed for more than that, see the history of my PR_PAC_SET_ENABLED_KEYS patch, in particular [1]. > For the non-hint instructions, user-space needs to test the hwcap/id-register-emulation to > know it can use these instructions, and the compiler shouldn't output them unconditionally. Right, unless the target is known to support them. > > doesn't it > > mean that a userspace program running under an unaware kernel or > > hypervisor may sign things using the GA from potentially another > > hypervisor guest?) > > The hypervisor controls all this with HCR_EL2.API, which also traps PACGA et al. > For the hypervisor its all or nothing. > If the hypervisor is emulating a machine without PAC, it can emulate an undefined > exception regardless of whether the CPU supports PAC or not. > > Does this match your reading? I think that's right. So an unaware hypervisor would set API to 0 and none of the guests would be able to use the authentication instructions. Since it looks like API=0 would make the hint-space instructions trap as well, I would imagine that a hypervisor would need to emulate them as no-ops if it's emulating a machine without PAC. Peter [1] https://www.spinics.net/lists/arm-kernel/msg830889.html
