Details

Reviewers

markj
kib
scottph
manu
alc

Group Reviewers

arm64

Commits

rG1b9096cd1d2f: arm64: Set the Guarded Page flag in the kernel

Summary

Now the kernel and modules are built with branch protection we can
enablethe Guarded Page flag in the page tables. This causes indirect
branches to a location without a correct landing pad instruction to
raise an exception.

This should help mitigate some attacks where a function pointer is
changed to point somewhere other than the start of the function,
however it doesn't stop an attacker pointing it to an unintended
function.

Sponsored by: Arm Ltd
Sponsored by: The FreeBSD Foundation (earlier version)

Diff Detail

Repository

rG FreeBSD src repository

Lint

Lint Not Applicable

Unit

Tests Not Applicable

Event Timeline

andrew created this revision.Oct 4 2023, 3:23 PM

Herald added a reviewer: manu. · View Herald TranscriptOct 4 2023, 3:23 PM

Herald added subscribers: emaste, imp. · View Herald Transcript

andrew requested review of this revision.Oct 4 2023, 3:23 PM

andrew added a parent revision: D42079: arm64: Enable kernel branch protection.

Harbormaster completed remote builds in B53836: Diff 128232.Oct 4 2023, 3:24 PM

andrew mentioned this in D33337: Add support for BTI instructions in the kernel.Oct 4 2023, 3:24 PM

markj added a reviewer: alc.Oct 6 2023, 1:49 PM

Can you set this flag on intermediate translation table entries as well?

In D42080#960496, @markj wrote:

Can you set this flag on intermediate translation table entries as well?

No, it only exists in leaves.

For the most part, these changes are setting the guarded bit on mappings that are already no-execute. Is there a reason to do that? To be clear, I don't object to doing so. It just seems redundant.

This revision is now accepted and ready to land.Oct 8 2023, 7:43 PM

I put it on all entries as I though it would be safer. If we miss setting the *XN flags the kernel could still branch into data, however with the GP flag always set it's more difficult.

markj accepted this revision.Oct 9 2023, 1:46 PM

Looks good, my BTI capable machine continues booting with this applied.

Add pmap_bti_get and use it in functions that can create userspace mappings.
It will later be used to support userspace BTI.

This revision now requires review to proceed.Oct 17 2023, 11:17 AM

Harbormaster completed remote builds in B54030: Diff 128903.Oct 17 2023, 11:17 AM

Build & run fixes

Harbormaster completed remote builds in B54032: Diff 128905.Oct 17 2023, 12:56 PM

markj added inline comments.Oct 17 2023, 2:10 PM

sys/arm64/arm64/pmap.c
436	Please group this with other function prototypes below. Or, define the function together with `pmap_pte_prot()`, and then you don't need the forward declaration.
7854	Do you need a `__diagused` annotation for `va`?
7854	`pmap_pte_bti()` would be a better name in my opinion.