Page MenuHomeFreeBSD

arm64: Set the Guarded Page flag in the kernel
ClosedPublic

Authored by andrew on Oct 4 2023, 3:23 PM.
Tags
None
Referenced Files
F86569807: D42080.diff
Sat, Jun 22, 8:54 AM
Unknown Object (File)
Fri, Jun 7, 10:11 AM
Unknown Object (File)
Fri, Jun 7, 10:10 AM
Unknown Object (File)
Fri, Jun 7, 10:09 AM
Unknown Object (File)
Mon, Jun 3, 3:51 PM
Unknown Object (File)
Mon, Jun 3, 1:07 PM
Unknown Object (File)
Mon, Jun 3, 12:43 PM
Unknown Object (File)
May 21 2024, 7:41 PM
Subscribers

Details

Summary

Now the kernel and modules are built with branch protection we can
enablethe Guarded Page flag in the page tables. This causes indirect
branches to a location without a correct landing pad instruction to
raise an exception.

This should help mitigate some attacks where a function pointer is
changed to point somewhere other than the start of the function,
however it doesn't stop an attacker pointing it to an unintended
function.

Sponsored by: Arm Ltd
Sponsored by: The FreeBSD Foundation (earlier version)

Diff Detail

Repository
rG FreeBSD src repository
Lint
Lint Skipped
Unit
Tests Skipped
Build Status
Buildable 54032
Build 50922: arc lint + arc unit

Event Timeline

Can you set this flag on intermediate translation table entries as well?

Can you set this flag on intermediate translation table entries as well?

No, it only exists in leaves.

For the most part, these changes are setting the guarded bit on mappings that are already no-execute. Is there a reason to do that? To be clear, I don't object to doing so. It just seems redundant.

This revision is now accepted and ready to land.Oct 8 2023, 7:43 PM

I put it on all entries as I though it would be safer. If we miss setting the *XN flags the kernel could still branch into data, however with the GP flag always set it's more difficult.

Looks good, my BTI capable machine continues booting with this applied.

Add pmap_bti_get and use it in functions that can create userspace mappings.
It will later be used to support userspace BTI.

This revision now requires review to proceed.Oct 17 2023, 11:17 AM
sys/arm64/arm64/pmap.c
436

Please group this with other function prototypes below. Or, define the function together with pmap_pte_prot(), and then you don't need the forward declaration.

7856

Do you need a __diagused annotation for va?

7856

pmap_pte_bti() would be a better name in my opinion.

sys/arm64/arm64/pmap.c
7856

I agree. It's consistent with similar functions.

  • Rename pmap_bti_get to pmap_pte_bti
  • Move the pmap_pte_bti definition
  • Check and use pmap_pte_bti while locked to reduce the userspace support diff
  • Make the virtual address as __diagused
This revision is now accepted and ready to land.Nov 2 2023, 1:47 PM