[PAuthABI] Use a program property to mark PAuth compatibility #105
Conversation
pbarrio
force-pushed
the
PAuthABIMarking
branch
2 times, most recently
from
df8b343 to
343edfe
Compare
pauthabielf64/pauthabielf64.rst
Outdated
| to the platform identified in the first word. Consequently, the | ||
| ``pr_datasz`` field must be at least 16. When ``pr_datasz`` is larger | ||
| than 16, the remainder of the contents of ``pr_data`` are specific | ||
| to the (platform id, version number). | ||
|
|
||
| This ABI does not determine the format of the platform identifier. Arm | ||
| reserves the platform id 0 for a bare-metal platform. |
There was a problem hiding this comment.
@smithp35 would it be reasonable to specify some format, or at least add the values in a table so that platforms can add their identifiers here as they get allocated? I.e.
|| Platform || ID ||
| Baremetal | 0 |
| <Platform 1> | <ID 1> |
| ... | ... |
Keeping the allocations clearly in one place might help platforms avoid stepping on each other's toes.
There was a problem hiding this comment.
I was expecting the majority of holders to use short null terminated strings such as "Arm\0" as there is 64-bits to play with. This would limit the possibility of clashes. However no objections to introducing a table. With the ABI in Github it should be easy to submit pull requests to update the table.
(On holiday today, so will be a bit slow responding)
There was a problem hiding this comment.
Peter, thank you for the review. Feel free to respond after you are back from holidays :)
How about a table like this:
|| Platform || ID (hex) || ID (human-readable) ||
| Baremetal | 0x0 | 0 |
| Platform 1 | 0x506c617431000000 | "Plat1" |
Then we can define in this ABI the rule by which two platforms are different. For example:
-
The rule is that the full 64 bytes must be the same. "Arm\0\0\0\0\0" != "Arm\0Leg\0". I prefer this rule as it allows platforms to decide on the human-readable representation (string, integer, whatever) as long as the hex value is different to the rest of the platforms.
-
The rule is that the field represents a null-terminated string. "Arm\0\0\0\0\0" and "Arm\0Leg\0" are the same vendor.
Defining the rule in this ABI would make it easier for tools to implement the comparison consistently for all platforms.
WDYT?
|
Hi Pablo, your suggestion to use a new program property GNU_PROPERTY_AARCH64_FEATURE_PAUTH is good, and aligns with how BTI feature is handled too. |
|
Use of GNU properties in the generic Arm ABI is not appropriate, IMO. It's too specific to one platform. |
@rearnsha, thank you for the comment. What is too platform-specific, 1) using GNU properties in the generic Arm ABI or 2) the specific property I am proposing? We already use GNU properties in the generic Arm ABI, e.g. https://github.com/ARM-software/abi-aa/blob/main/aaelf64/aaelf64.rst#special-sections. Do you see a difference between the new property and, say, GNU_PROPERTY_AARCH64_FEATURE_1_AND? |
|
We should not be using any GNU properties in the the platform-agnostic parts of the ABI. If they're needed in platform-specific executables for Linux, that's OK. But another solution needs to be found in object files. |
|
Just come back from holiday. Will have a think about what the alternatives are. Off the top of my head:
|
pbarrio
force-pushed
the
PAuthABIMarking
branch
3 times, most recently
from
dac78c5 to
19621f9
Compare
|
I just updated a new proposal, which is a bit of a mix between the original approach (a separate PAuth note section) and my later proposal (use the existing .note.gnu.property). The changes are:
This means it is possible for a platform A to use .note.gnu.property and platform B to use .note.AARCH64-PAUTH-ABI-tag. Then, if we build an object for platform A and try to link it into an executable for platform B, the linker may assume that the object was built without PAuth, which is incorrect. Therefore, should we harden this patch to mandate the use of .note.AARCH64-PAUTH-ABI-tag in relocatable objects? This way, at least for relocatable objects, there would be only one way to look for PAuth ABI information, at the cost that a single platform may have to implement two different approaches, one for relocatable objects and one for the rest. IMVHO, trying to build an object for one platform and linking it for another one with a different ABI is looking for trouble anyways, but I'd really like to know other people's views. |
pbarrio
force-pushed
the
PAuthABIMarking
branch
from
19621f9 to
0ff2e7b
Compare
|
Thank you Peter, that was very useful! All changes made now. Please have a look at the second change you proposed: I've structured it a bit differently and you may have other ideas. The rest of the changes I've made almost verbatim. |
pbarrio
force-pushed
the
PAuthABIMarking
branch
from
0ff2e7b to
c7fa642
Compare
|
Ok one more update after I received some questions elsewhere, which I'm posting here for visibility:
Addressed with a clarification of alignment requirements when using GNU program properties and the use of
Added a table with the platform IDs currently in use. Platforms are expected to start adding their choice of IDs to that table in order to prevent clashes. I've also moved the baremetal platform from 0x0 to 0x1 in order to use 0x0 to represent an invalid platform. I have some uneasy feeling about using a valid platform ID (0x0 representing baremetal) in a tuple (0x0, 0x0) that means "invalid file". @smithp35 feel free to contradict! I also though (but haven't added to the patch) that, when using 0x0 as platform ID, we could use the second field of the tuple (version number) to contain a "reason for failure" so that consumers of the file could figure out why the file is invalid and provide good diagnostics at a minimum. |
A new program property GNU_PROPERTY_AARCH64_FEATURE_PAUTH is defined in section .note.gnu.property that can be used as an alternative method for signing PAuthABI-compatible ELF files.At least in the Bionic linker, this is easier to implement: the property (and the existing .note.gnu.property section) can be trivially extracted from a DSO, and is already happening for other properties (mainly GNU_PROPERTY_AARCH64_FEATURE_1_AND to check for BTI and PAC-ret). In contrast, a new section would require traversing all the sections in the ELF and checking for the section name, which is more complicated to implement and possibly slower. Unfortunately, .note.gnu.property is not guaranteed to be understood by all ELF-based platforms, so we still keep the new section .note.AARCH64-PAUTH-ABI-tag as the default marking schema.
pbarrio
force-pushed
the
PAuthABIMarking
branch
from
c7fa642 to
efbeb2c
Compare
|
Ok last change I hope.
Let me know if you have any comments on these changes. I'll ask the ABI owner to merge the patch later next week. Thanks everyone for all the reviews! |
|
@stuij, could you merge this request? |
A new program property GNU_PROPERTY_AARCH64_FEATURE_PAUTH in
section .note.gnu.property replaces the previous proposal of a
full section .note.AARCH64-PAUTH-ABI-tag. This is easier
to implement, at least in the Bionic dynamic linker: the property
(and the existing .note.gnu.property section) can be trivially
extracted from a DSO, and is already happening for other properties
(mainly GNU_PROPERTY_AARCH64_FEATURE_1_AND to check for BTI and
PAC-ret). In contrast, a new section would require traversing all
the sections in the ELF and checking for the section name, which is
more complicated to implement and possibly slower.