On Fri, Aug 14, 2020 at 07:27PM +0200, Andrey Konovalov wrote:
> Add documentation for hardware tag-based KASAN mode and also add some
> clarifications for software tag-based mode.
>
> Signed-off-by: Andrey Konovalov <andreyknvl@xxxxxxxxxx>
> ---
>  Documentation/dev-tools/kasan.rst | 73 +++++++++++++++++++++----------
>  1 file changed, 51 insertions(+), 22 deletions(-)
> > diff --git a/Documentation/dev-tools/kasan.rst b/Documentation/dev-tools/kasan.rst > index a3030fc6afe5..aeed89d6eaf5 100644 [...] > -Tag-based KASAN uses the Top Byte Ignore (TBI) feature of modern arm64 CPUs to > -store a pointer tag in the top byte of kernel pointers. Like generic KASAN it > -uses shadow memory to store memory tags associated with each 16-byte memory > -cell (therefore it dedicates 1/16th of the kernel memory for shadow memory). > +Software tag-based KASAN uses the Top Byte Ignore (TBI) feature of modern arm64 > +CPUs to store a pointer tag in the top byte of kernel pointers. Like generic > +KASAN it uses shadow memory to store memory tags associated with each 16-byte > +memory cell (therefore it dedicates 1/16th of the kernel memory for shadow > +memory). It might be helpful to be more specific vs. saying "modern arm64 CPUs". Does the "modern" qualifier suggest not all arm64 CPUs support the feature? (HW tag-based KASAN below is specific, and mentions ARMv8.5.) > +On each memory allocation software tag-based KASAN generates a random tag, tags > +the allocated memory with this tag, and embeds this tag into the returned > +pointer. > > -On each memory allocation tag-based KASAN generates a random tag, tags the > -allocated memory with this tag, and embeds this tag into the returned pointer. > Software tag-based KASAN uses compile-time instrumentation to insert checks > before each memory access. These checks make sure that tag of the memory that > is being accessed is equal to tag of the pointer that is used to access this > -memory. In case of a tag mismatch tag-based KASAN prints a bug report. > +memory. In case of a tag mismatch software tag-based KASAN prints a bug report. > > Software tag-based KASAN also has two instrumentation modes (outline, that > emits callbacks to check memory accesses; and inline, that performs the shadow 
> @@ -215,9 +222,31 @@ simply printed from the function that performs the access check. With inline > instrumentation a brk instruction is emitted by the compiler, and a dedicated > brk handler is used to print bug reports. > > -A potential expansion of this mode is a hardware tag-based mode, which would > -use hardware memory tagging support instead of compiler instrumentation and > -manual shadow memory manipulation. > +Software tag-based KASAN uses 0xFF as a match-all pointer tag (accesses aren't > +checked). > + > +Software tag-based KASAN currently only supports tagging of slab memory. > + > +Hardware tag-based KASAN > +~~~~~~~~~~~~~~~~~~~~~~~~ > + > +Hardware tag-based KASAN is similar to the software mode in concept, but uses > +hardware memory tagging support instead of compiler instrumentation and > +shadow memory. > + > +Hardware tag-based KASAN is based on both arm64 Memory Tagging Extension (MTE) > +introduced in ARMv8.5 Instruction Set Architecture, and Top Byte Ignore (TBI). Is there anything inherently tying tag-based KASAN to arm64? I guess if some other architecture supports MTE, they just have to touch arch/, right? You could reword to say that "Hardware tag-based KASAN is currently only supported on the ARM64 architecture. On the ARM64 architecture, tag-based KASAN is based on both ..." Thanks, -- Marco
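Review bot: In the first hunk, "On each memory allocation software tag-based KASAN generates a random tag" is broader than what the second hunk states ("Software tag-based KASAN currently only supports tagging of slab memory"); either change it to "On each slab allocation ..." or move the slab-only limitation up next to that sentence so the two statements agree. The same hunk says "each 16-byte memory cell" in one place and "16-byte memory cell" with "1/16th of the kernel memory" in another without ever naming the tag width; since the top byte of the pointer is the tag, stating "an 8-bit tag per 16-byte granule" once would make the shadow-memory ratio self-explanatory.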
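Review bot: The new "Hardware tag-based KASAN" section in the second hunk does not say how a tag mismatch is detected or how the bug report is produced, whereas the software section just above it describes both (instrumented checks before each access; outline callbacks or an inline brk handler printing the report). Add a sentence stating what performs the tag check in hardware mode and how the report is generated, and say whether the 0xFF match-all tag and the "only supports tagging of slab memory" limitation stated for software mode also hold for hardware mode. Also, "Software tag-based KASAN uses 0xFF as a match-all pointer tag (accesses aren't checked)" is ambiguous about which accesses are exempt; "accesses through pointers carrying the 0xFF tag are not checked" reads unambiguously.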