Page MenuHomeFreeBSD
Differential D42328

arm64: Add BTI support to pmap
ClosedPublic
Actions

Authored by andrew on Oct 23 2023, 2:38 PM.
Tags
None
Referenced Files
Unknown Object (File)
Wed, Mar 25, 2:29 AM
Unknown Object (File)
Tue, Mar 24, 11:01 PM
Unknown Object (File)
Fri, Mar 20, 12:26 AM
Unknown Object (File)
Wed, Mar 18, 3:32 AM
Unknown Object (File)
Sun, Mar 15, 4:34 PM
Unknown Object (File)
Fri, Mar 13, 1:33 PM
Unknown Object (File)
Fri, Mar 13, 12:14 PM
Unknown Object (File)
Sat, Mar 7, 12:46 AM
View All Files
Subscribers
emaste
imp

Details

Reviewers
alc
kib
markj
manu
Group Reviewers
arm64
Commits
rGd3eae160b21f: arm64: Add BTI support to pmap
Summary

Add a rangeset to the arm64 pmap to describe which address space needs
the Branch Target Identification (BTI) Guard Page flag set in the page
table.

On hardware that supports BTI the Guard Page flag tells the hardware
to raise an exception if the target of a BR* and BLR* instruction is
not an appropriate landing pad instruction.

To support this in userspace we need to know which address space
should be guarded. For this add a rangeset to the arm64 pmap when the
hardware supports BTI. The kernel can then use pmap_bti_set and
pmap_bti_clear mark and unmark which address space is guarded.

Sponsored by: Arm Ltd
Sponsored by: The FreeBSD Foundation

Diff Detail

Repository
rG FreeBSD src repository
Lint
Lint Not Applicable
Unit
Tests Not Applicable

Event Timeline

andrew created this revision.Oct 23 2023, 2:38 PM
Herald added a reviewer: manu. · View Herald TranscriptOct 23 2023, 2:38 PM
Herald added subscribers: emaste, imp. · View Herald Transcript
andrew requested review of this revision.Oct 23 2023, 2:38 PM
Harbormaster completed remote builds in B54128: Diff 129242.Oct 23 2023, 2:38 PM
andrew mentioned this in D39453: Add a BTI sysarch.Oct 23 2023, 2:54 PM
andrew added a child revision: D39453: Add a BTI sysarch.Oct 23 2023, 2:57 PM
andrew added a parent revision: D42080: arm64: Set the Guarded Page flag in the kernel.
andrew added a child revision: D42441: arm64: Enable BTI in the kernel ELF loader.Nov 2 2023, 10:49 AM
markj added inline comments.Nov 2 2023, 2:24 PM
sys/arm64/arm64/pmap.c
436

Please add a comment explaining what this flag does.

2369

I think it would be better to embed pm_bti into the pmap, like we do with the rangeset for PKRU. Or perhaps just use malloc(). A dedicated zone for one allocation per pmap is overkill IMO.

3680

Hmm, do we want to call pmap_bti_on_remove() even when pm_stats.resident_count == 0? If so, I think PKRU has the same problem.

5549

The case where pm_stage is not equal seems like it should be an error.

7538

We should really just reuse the zone created in rs_rangeset_init(). That could be a followup change though.

8055

I think we want to add a rangeset_lookup_ge(), i.e., find the next range at or above the specified place, instead of looking up each page. That should be easy to implement, the underlying pctrie implementation provides it.

8068

Why "on_remove" instead of "remove"?

8072

Isn't it sufficient to just check pm_bti != NULL?

8102

Why not perform these checks in pmap_bti_check_args()?

andrew added inline comments.Nov 7 2023, 4:20 PM
sys/arm64/arm64/pmap.c
2369

I did it this way to break the KBI so it could be MFCd to 14, I could change to malloc.

3680

It should be called if the address space could be reused. If there is a guarantee that the address space will not be reused when pm_stats.resident_count == 0 then we can add a check.

8068

That's how it's named on amd64

markj added inline comments.Nov 9 2023, 3:48 PM
sys/arm64/arm64/pmap.c
2369

Why is it a problem to add fields to the end of struct pmap? vm_pmap is the last field of struct vmspace, so growing it shouldn't break any important KBI.

3680

I don't believe there is any particular guarantee that resident_count == 0 implies that the address space won't be reused. A process may be completely swapped out. In practice, I suspect the VDSO page would keep the resident count positive, but that's not a guarantee.

andrew updated this revision to Diff 130014.Nov 13 2023, 3:37 PM
  • Add a comment above pmap_bti_support
  • Remove pmap_bti_ranges_root_zone and switch to malloc for pm_bti
  • Remove pmap_bti_clear and pmap_bti_deassign, they are unused
  • Move the pmap_bti_check_uargs checks to pmap_bti_set
  • Remove unneeded PM_STAGE1 checks
Harbormaster completed remote builds in B54386: Diff 130014.Nov 13 2023, 3:37 PM
markj added inline comments.Nov 13 2023, 3:55 PM
sys/arm64/arm64/pmap.c
2369

I still don't see why the rangeset can't be embedded.

andrew added inline comments.Nov 30 2023, 5:12 PM
sys/arm64/arm64/pmap.c
2369

I can see a use for a rangeset for 2 or 3 other features. As these are unimplemented on most current CPUs I'd prefer to not add too much bloat to struct pmap if it's not used on most currently shipping devices.

3680

In that case we need to call pmap_bti_on_remove even when resident_count == 0. We need to remove the bti flag as the address space may be reused by code that doesn't understand BTI.

This revision was not accepted when it landed; it landed in state Needs Review.Feb 22 2024, 4:28 PM
Closed by commit rGd3eae160b21f: arm64: Add BTI support to pmap (authored by andrew). · Explain Why
This revision was automatically updated to reflect the committed changes.
andrew added a commit: rGd3eae160b21f: arm64: Add BTI support to pmap.

Revision Contents
Changeset List

PathSize
sys/
arm64/
arm64/
270 lines
include/
13 lines

Diff 134841

View Options

sys/arm64/arm64/pmap.c

Loading...
View Options

sys/arm64/include/pmap.h

Loading...