On Fri, Aug 28, 2020 at 1:12 PM Marco Elver <elver@xxxxxxxxxx> wrote: > > On Fri, Aug 14, 2020 at 07:27PM +0200, Andrey Konovalov wrote: > > Add documentation for hardware tag-based KASAN mode and also add some > > clarifications for software tag-based mode. > > > > Signed-off-by: Andrey Konovalov <andreyknvl@xxxxxxxxxx> > > --- > > Documentation/dev-tools/kasan.rst | 73 +++++++++++++++++++++---------- > > 1 file changed, 51 insertions(+), 22 deletions(-) 
> > > > diff --git a/Documentation/dev-tools/kasan.rst b/Documentation/dev-tools/kasan.rst > > index a3030fc6afe5..aeed89d6eaf5 100644 > [...] > > -Tag-based KASAN uses the Top Byte Ignore (TBI) feature of modern arm64 CPUs to > > -store a pointer tag in the top byte of kernel pointers. Like generic KASAN it > > -uses shadow memory to store memory tags associated with each 16-byte memory > > -cell (therefore it dedicates 1/16th of the kernel memory for shadow memory). > > +Software tag-based KASAN uses the Top Byte Ignore (TBI) feature of modern arm64 > > +CPUs to store a pointer tag in the top byte of kernel pointers. Like generic > > +KASAN it uses shadow memory to store memory tags associated with each 16-byte > > +memory cell (therefore it dedicates 1/16th of the kernel memory for shadow > > +memory). > > It might be helpful to be more specific vs. saying "modern arm64 CPUs". > Does the "modern" qualifier suggest not all arm64 CPUs support the > feature? (HW tag-based KASAN below is specific, and mentions ARMv8.5.) Will clarify this in v2. > > +On each memory allocation software tag-based KASAN generates a random tag, tags > > +the allocated memory with this tag, and embeds this tag into the returned > > +pointer. > > > > -On each memory allocation tag-based KASAN generates a random tag, tags the > > -allocated memory with this tag, and embeds this tag into the returned pointer. > > Software tag-based KASAN uses compile-time instrumentation to insert checks > > before each memory access. These checks make sure that tag of the memory that > > is being accessed is equal to tag of the pointer that is used to access this > > -memory. In case of a tag mismatch tag-based KASAN prints a bug report. > > +memory. In case of a tag mismatch software tag-based KASAN prints a bug report. > > > > Software tag-based KASAN also has two instrumentation modes (outline, that > > emits callbacks to check memory accesses; and inline, that performs the shadow 
> > @@ -215,9 +222,31 @@ simply printed from the function that performs the access check. With inline > > instrumentation a brk instruction is emitted by the compiler, and a dedicated > > brk handler is used to print bug reports. > > > > -A potential expansion of this mode is a hardware tag-based mode, which would > > -use hardware memory tagging support instead of compiler instrumentation and > > -manual shadow memory manipulation. > > +Software tag-based KASAN uses 0xFF as a match-all pointer tag (accesses aren't > > +checked). > > + > > +Software tag-based KASAN currently only supports tagging of slab memory. > > + > > +Hardware tag-based KASAN > > +~~~~~~~~~~~~~~~~~~~~~~~~ > > + > > +Hardware tag-based KASAN is similar to the software mode in concept, but uses > > +hardware memory tagging support instead of compiler instrumentation and > > +shadow memory. > > + > > +Hardware tag-based KASAN is based on both arm64 Memory Tagging Extension (MTE) > > +introduced in ARMv8.5 Instruction Set Architecture, and Top Byte Ignore (TBI). > > Is there anything inherently tying tag-based KASAN to arm64? Not really, the approach is generic and can be used by any arch that supports memory tagging. > I guess if > some other architecture supports MTE, they just have to touch arch/, > right? For the most part - yes, but maybe adjustments to the generic code will be required. No way to know before one tries to integrate another arch. > You could reword to say that "Hardware tag-based KASAN is currently only > supported on the ARM64 architecture. > > On the ARM64 architecture, tag-based KASAN is based on both ..." Will do in v2, thanks!
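Review bot: in the first hunk the rewritten TBI sentence still reads "modern arm64 CPUs" without saying which architecture level introduced Top Byte Ignore, so a reader cannot tell whether the software mode runs on every arm64 CPU; suggest naming the architecture level (as the hardware section does with "ARMv8.5") or dropping "modern". The same paragraph says the mode "store[s] a pointer tag in the top byte" but never says why that is safe; one sentence stating that TBI makes the CPU ignore the top address byte on loads and stores, so a tagged pointer is still dereferenceable, would make the rest of the section self-explanatory. The reordering that moves "On each memory allocation software tag-based KASAN generates a random tag ..." above the check description is fine, but the unchanged context line "These checks make sure that tag of the memory that is being accessed is equal to tag of the pointer" is missing its articles ("the tag of the memory", "the tag of the pointer") and could be fixed while the paragraph is being rewritten anyway.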
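Review bot: in the second hunk the new line "Software tag-based KASAN uses 0xFF as a match-all pointer tag (accesses aren't checked)" is ambiguous about what is unchecked; suggest "accesses through pointers whose tag is 0xFF are not checked" so it is clear the exemption is per pointer, not global. In the new "Hardware tag-based KASAN" paragraph, "instead of compiler instrumentation and shadow memory" drops the "manual shadow memory manipulation" wording of the removed paragraph; the hardware still has to keep a tag per memory granule somewhere, so "instead of compiler instrumentation and manual shadow memory manipulation" is the more accurate statement. Finally, the two new limitations stated for the software mode (the 0xFF match-all tag and "currently only supports tagging of slab memory") are not repeated or negated for the hardware mode; a sentence each way in the hardware section would save readers guessing whether they carry over.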