Commit 948e3253 authored by Andrey Konovalov, committed by Linus Torvalds

kasan: add documentation for hardware tag-based mode

Add documentation for hardware tag-based KASAN mode and also add some
clarifications for software tag-based mode.

Link: https://lkml.kernel.org/r/20ed1d387685e89fc31be068f890f070ef9fd5d5.1606161801.git.andreyknvl@google.com
Signed-off-by: Andrey Konovalov <andreyknvl@google.com>
Signed-off-by: Vincenzo Frascino <vincenzo.frascino@arm.com>
Reviewed-by: Marco Elver <elver@google.com>
Reviewed-by: Alexander Potapenko <glider@google.com>
Tested-by: Vincenzo Frascino <vincenzo.frascino@arm.com>
Cc: Andrey Ryabinin <aryabinin@virtuozzo.com>
Cc: Branislav Rankov <Branislav.Rankov@arm.com>
Cc: Catalin Marinas <catalin.marinas@arm.com>
Cc: Dmitry Vyukov <dvyukov@google.com>
Cc: Evgenii Stepanov <eugenis@google.com>
Cc: Kevin Brodsky <kevin.brodsky@arm.com>
Cc: Vasily Gorbik <gor@linux.ibm.com>
Cc: Will Deacon <will.deacon@arm.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
parent 94ab5b61
...@@ -5,12 +5,14 @@ Overview ...@@ -5,12 +5,14 @@ Overview
-------- --------
KernelAddressSANitizer (KASAN) is a dynamic memory error detector designed to KernelAddressSANitizer (KASAN) is a dynamic memory error detector designed to
find out-of-bound and use-after-free bugs. KASAN has two modes: generic KASAN find out-of-bound and use-after-free bugs. KASAN has three modes:
(similar to userspace ASan) and software tag-based KASAN (similar to userspace 1. generic KASAN (similar to userspace ASan),
HWASan). 2. software tag-based KASAN (similar to userspace HWASan),
3. hardware tag-based KASAN (based on hardware memory tagging).
KASAN uses compile-time instrumentation to insert validity checks before every Software KASAN modes (1 and 2) use compile-time instrumentation to insert
memory access, and therefore requires a compiler version that supports that. validity checks before every memory access, and therefore require a compiler
version that supports that.
Generic KASAN is supported in both GCC and Clang. With GCC it requires version Generic KASAN is supported in both GCC and Clang. With GCC it requires version
8.3.0 or later. Any supported Clang version is compatible, but detection of 8.3.0 or later. Any supported Clang version is compatible, but detection of
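Review bot: the compiler-requirement paragraph now restricts itself to "Software KASAN modes (1 and 2)" but says nothing about what mode 3 needs, so a reader is left guessing whether hardware tag-based KASAN also depends on a particular compiler. Suggest one sentence after it, e.g. "Hardware tag-based KASAN (3) does not rely on compiler instrumentation but requires CPU support for memory tagging (see the Hardware tag-based KASAN section below)." Also make sure the new enumerated list is separated from the surrounding paragraphs by blank lines so Sphinx renders it as a list rather than running it into the "KASAN has three modes:" sentence.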
...@@ -19,7 +21,7 @@ out-of-bounds accesses for global variables is only supported since Clang 11. ...@@ -19,7 +21,7 @@ out-of-bounds accesses for global variables is only supported since Clang 11.
Tag-based KASAN is only supported in Clang. Tag-based KASAN is only supported in Clang.
Currently generic KASAN is supported for the x86_64, arm64, xtensa, s390 and Currently generic KASAN is supported for the x86_64, arm64, xtensa, s390 and
riscv architectures, and tag-based KASAN is supported only for arm64. and riscv architectures, and tag-based KASAN modes are supported only for arm64.
Usage Usage
----- -----
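Review bot: the replacement line starts with "and riscv architectures" directly after the unchanged "s390 and" on the previous line, so the rendered sentence now reads "s390 and and riscv"; drop the leading "and". In the same hunk, "Tag-based KASAN is only supported in Clang." is left unqualified even though the hardware mode needs no compiler instrumentation at all; change it to "Software tag-based KASAN is only supported in Clang." to match the "tag-based KASAN modes" wording introduced on the next line.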
...@@ -28,14 +30,16 @@ To enable KASAN configure kernel with:: ...@@ -28,14 +30,16 @@ To enable KASAN configure kernel with::
CONFIG_KASAN = y CONFIG_KASAN = y
and choose between CONFIG_KASAN_GENERIC (to enable generic KASAN) and and choose between CONFIG_KASAN_GENERIC (to enable generic KASAN),
CONFIG_KASAN_SW_TAGS (to enable software tag-based KASAN). CONFIG_KASAN_SW_TAGS (to enable software tag-based KASAN), and
CONFIG_KASAN_HW_TAGS (to enable hardware tag-based KASAN).
You also need to choose between CONFIG_KASAN_OUTLINE and CONFIG_KASAN_INLINE. For software modes, you also need to choose between CONFIG_KASAN_OUTLINE and
Outline and inline are compiler instrumentation types. The former produces CONFIG_KASAN_INLINE. Outline and inline are compiler instrumentation types.
smaller binary while the latter is 1.1 - 2 times faster. The former produces smaller binary while the latter is 1.1 - 2 times faster.
Both KASAN modes work with both SLUB and SLAB memory allocators. Both software KASAN modes work with both SLUB and SLAB memory allocators,
hardware tag-based KASAN currently only support SLUB.
For better bug detection and nicer reporting, enable CONFIG_STACKTRACE. For better bug detection and nicer reporting, enable CONFIG_STACKTRACE.
To augment reports with last allocation and freeing stack of the physical page, To augment reports with last allocation and freeing stack of the physical page,
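Review bot: "hardware tag-based KASAN currently only support SLUB" has a subject/verb mismatch, and the sentence is spliced onto the previous one with a comma. Suggest "Both software KASAN modes work with both SLUB and SLAB memory allocators, while hardware tag-based KASAN currently only supports SLUB." Since the instrumentation paragraph is being reworded anyway, "The former produces smaller binary" should read "The former produces a smaller binary".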
...@@ -197,17 +201,24 @@ call_rcu() and workqueue queuing. ...@@ -197,17 +201,24 @@ call_rcu() and workqueue queuing.
Software tag-based KASAN Software tag-based KASAN
~~~~~~~~~~~~~~~~~~~~~~~~ ~~~~~~~~~~~~~~~~~~~~~~~~
Tag-based KASAN uses the Top Byte Ignore (TBI) feature of modern arm64 CPUs to Software tag-based KASAN requires software memory tagging support in the form
store a pointer tag in the top byte of kernel pointers. Like generic KASAN it of HWASan-like compiler instrumentation (see HWASan documentation for details).
uses shadow memory to store memory tags associated with each 16-byte memory
Software tag-based KASAN is currently only implemented for arm64 architecture.
Software tag-based KASAN uses the Top Byte Ignore (TBI) feature of arm64 CPUs
to store a pointer tag in the top byte of kernel pointers. Like generic KASAN
it uses shadow memory to store memory tags associated with each 16-byte memory
cell (therefore it dedicates 1/16th of the kernel memory for shadow memory). cell (therefore it dedicates 1/16th of the kernel memory for shadow memory).
On each memory allocation tag-based KASAN generates a random tag, tags the On each memory allocation software tag-based KASAN generates a random tag, tags
allocated memory with this tag, and embeds this tag into the returned pointer. the allocated memory with this tag, and embeds this tag into the returned
pointer.
Software tag-based KASAN uses compile-time instrumentation to insert checks Software tag-based KASAN uses compile-time instrumentation to insert checks
before each memory access. These checks make sure that tag of the memory that before each memory access. These checks make sure that tag of the memory that
is being accessed is equal to tag of the pointer that is used to access this is being accessed is equal to tag of the pointer that is used to access this
memory. In case of a tag mismatch tag-based KASAN prints a bug report. memory. In case of a tag mismatch software tag-based KASAN prints a bug report.
Software tag-based KASAN also has two instrumentation modes (outline, that Software tag-based KASAN also has two instrumentation modes (outline, that
emits callbacks to check memory accesses; and inline, that performs the shadow emits callbacks to check memory accesses; and inline, that performs the shadow
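Review bot: the new opening paragraph defers to "HWASan documentation for details" without saying where that is; naming the Clang HWASan design document would save readers a search. The added sentence "Software tag-based KASAN is currently only implemented for arm64 architecture" repeats what the Overview hunk already states ("tag-based KASAN modes are supported only for arm64") and could be dropped or shortened to "for arm64". While the check paragraph is being reworded, "make sure that tag of the memory ... is equal to tag of the pointer" should read "make sure that the tag of the memory ... is equal to the tag of the pointer".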
...@@ -216,9 +227,36 @@ simply printed from the function that performs the access check. With inline ...@@ -216,9 +227,36 @@ simply printed from the function that performs the access check. With inline
instrumentation a brk instruction is emitted by the compiler, and a dedicated instrumentation a brk instruction is emitted by the compiler, and a dedicated
brk handler is used to print bug reports. brk handler is used to print bug reports.
A potential expansion of this mode is a hardware tag-based mode, which would Software tag-based KASAN uses 0xFF as a match-all pointer tag (accesses through
use hardware memory tagging support instead of compiler instrumentation and pointers with 0xFF pointer tag aren't checked). The value 0xFE is currently
manual shadow memory manipulation. reserved to tag freed memory regions.
Software tag-based KASAN currently only supports tagging of
kmem_cache_alloc/kmalloc and page_alloc memory.
Hardware tag-based KASAN
~~~~~~~~~~~~~~~~~~~~~~~~
Hardware tag-based KASAN is similar to the software mode in concept, but uses
hardware memory tagging support instead of compiler instrumentation and
shadow memory.
Hardware tag-based KASAN is currently only implemented for arm64 architecture
and based on both arm64 Memory Tagging Extension (MTE) introduced in ARMv8.5
Instruction Set Architecture, and Top Byte Ignore (TBI).
Special arm64 instructions are used to assign memory tags for each allocation.
Same tags are assigned to pointers to those allocations. On every memory
access, hardware makes sure that tag of the memory that is being accessed is
equal to tag of the pointer that is used to access this memory. In case of a
tag mismatch a fault is generated and a report is printed.
Hardware tag-based KASAN uses 0xFF as a match-all pointer tag (accesses through
pointers with 0xFF pointer tag aren't checked). The value 0xFE is currently
reserved to tag freed memory regions.
Hardware tag-based KASAN currently only supports tagging of
kmem_cache_alloc/kmalloc and page_alloc memory.
What memory accesses are sanitised by KASAN? What memory accesses are sanitised by KASAN?
-------------------------------------------- --------------------------------------------
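Review bot: the paragraph on the 0xFF match-all tag and the 0xFE freed-memory tag, and the paragraph on the kmem_cache_alloc/kmalloc and page_alloc coverage limit, appear verbatim in both the software and the hardware section; consider stating them once under a shared tag-based heading so the two copies cannot drift apart. It would also help to spell out what the match-all tag implies for a reader judging a clean run: accesses through pointers carrying 0xFF are never checked, so say which pointers end up with that tag (e.g. pointers to memory KASAN does not tag, given the coverage limit stated two paragraphs later). Minor wording: "based on both arm64 Memory Tagging Extension (MTE) introduced in ARMv8.5 Instruction Set Architecture, and Top Byte Ignore (TBI)" reads better as "based on the arm64 Memory Tagging Extension (MTE), introduced in the ARMv8.5 Instruction Set Architecture, together with Top Byte Ignore (TBI)".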