On Tue, Feb 02, 2021 at 06:14:14PM -0600, Josh Poimboeuf wrote: > On Tue, Feb 02, 2021 at 03:01:22PM -0800, Nick Desaulniers wrote: > > > >> Thus far we've been able to successfully reverse engineer it on x86, > > > >> though it hasn't been easy. > > > >> > > > >> There were some particulars for arm64 which made doing so impossible. > > > >> (I don't remember the details.) > > > > > > The main issue is that the tables for arm64 have more indirection than x86. > > > > I wonder if PAC or BTI also make this slightly more complex? PAC at > > least has implications for unwinders, IIUC. > > What is PAC/BTI? PAC is "Pointer Authentication Codes". The gist is that we munge some bits in pointers when they get stored in memory (called "signing"), and undo that with a check (called "authentication") when reading from memory, in order to detect unexpected modification. There's some new instructions that may exist in function prologues and epilogues, etc. There's a basic introduction at: https://events.static.linuxfound.org/sites/events/files/slides/slides_23.pdf https://www.kernel.org/doc/html/latest/arm64/pointer-authentication.html Return address signing/authentication uses the SP as an input, so without knowing the SP something was signed against it's not possible to alter it reliably (or to check it). The arm64 unwinder ignores the PAC bits, and ftrace uses patchable-function-entry so that we don't have to do anything special to manipulate the return address. Today the ABI used by the kernel doesn't mess with the pointers used in jump tables, but that may come in future as toolchain folk are working to define an ABI that might. BTI is "Branch Target Identification", which is a bit like CET's indirect branch tracking -- indirect branches need to land on a specific instruction, or they'll raise an exception. Thanks, Mark.
