On Mon, Sep 30, 2024 at 04:41:19PM GMT, Maciej Żenczykowski wrote: > On Mon, Sep 30, 2024 at 4:35 PM Maciej Żenczykowski <maze@xxxxxxxxxx> wrote: > > I think the OP is trying to verify the 'sanctity' of EL1 code pages. > > (ie. prove via signature that they're all legit, which is hard with jit) > > Presumably he's doing this from EL2 (I seriously doubt he's in EL3). > > There's been talk of > > unjitting/rejitting/regenerating/peephole-verifying the BPF jitted > > dynamically generated kernel executable pages - to verify they're > > 'safe'. > > Moving just the 'bpf verifier/jit' into EL2 would seem to solve that > > particular problem. > > Though of course that is a fair bit of code (though the only untrusted > > input to it, post boot completion, is cBPF which is pretty small in > > scope)... > > Compromises of EL0/EL1 would no longer be able to write gadget over > > the bpf jitted kernel executable page prior to them being marked -W+X. > > I'm not certain how much of a win in safety this is though? > > I guess it depends on how easy the bpf verifier/jitter is to audit. > > Note: if the full blown bpf verifier/jitter is too hard to audit, you > could potentially write a new EL2 jitter just for cBPF. It could just > be a trimmed down version of the generic eBPF jitter. cBPF is much > much simpler. As of yesterday I confirmed a simple version of the above I was able to whip up in 2-3 days works on Android 14. It operates at EL2 and passes standard tests for camera, browsing, etc.. cBPF is, in fact, the saving grace here! :-) Cheers, Maxwell Bland
