This patch adds support for memory protection keys on AArch64 systems with
enabled Stage 1 permission overlays feature introduced in Armv8.9 / 9.4
(FEAT_S1POE) [1].
1. Internal functions "pkey_read" and "pkey_write" to access data
associated with memory protection keys.
2. Implementation of API functions "pkey_get" and "pkey_set" for
the AArch64 target.
3. AArch64-specific PKEY flags for READ and EXECUTE (see below).
4. New target-specific test that checks behaviour of pkeys on
AArch64 targets.
5. This patch also extends existing generic test for pkeys.
6. HWCAP constant for Permission Overlay Extension feature.
To support more accurate mapping of underlying permissions to the
PKEY flags, we introduce additional AArch64-specific flags. The full
list of flags is:
- PKEY_UNRESTRICTED: 0x0 (for completeness)
- PKEY_DISABLE_ACCESS: 0x1 (existing flag)
- PKEY_DISABLE_WRITE: 0x2 (existing flag)
- PKEY_DISABLE_EXECUTE: 0x4 (new flag, AArch64 specific)
- PKEY_DISABLE_READ: 0x8 (new flag, AArch64 specific)
The problem here is that PKEY_DISABLE_ACCESS has unusual semantics as
it overlaps with existing PKEY_DISABLE_WRITE and new PKEY_DISABLE_READ.
For this reason mapping between permission bits RWX and "restrictions"
bits awxr (a for disable access, etc) becomes complicated:
- PKEY_DISABLE_ACCESS disables both R and W
- PKEY_DISABLE_{WRITE,READ} disables W and R respectively
- PKEY_DISABLE_EXECUTE disables X
Combinations like the one below are accepted although they are redundant:
- PKEY_DISABLE_ACCESS | PKEY_DISABLE_READ | PKEY_DISABLE_WRITE
Reverse mapping tries to retain backward compatibility and ORs
PKEY_DISABLE_ACCESS whenever both flags PKEY_DISABLE_READ and
PKEY_DISABLE_WRITE would be present.
This will break code that compares pkey_get output with == instead
of using bitwise operations. The latter is more correct since PKEY_*
constants are essentially bit flags.
It should be noted that PKEY_DISABLE_ACCESS does not prevent execution.
[1] https://developer.arm.com/documentation/ddi0487/ka/ section D8.4.1.4
Co-authored-by: Szabolcs Nagy <szabolcs.nagy@arm.com>
Reviewed-by: Adhemerval Zanella <adhemerval.zanella@linaro.org>
I used these shell commands:
../glibc/scripts/update-copyrights $PWD/../gnulib/build-aux/update-copyright
(cd ../glibc && git commit -am"[this commit message]")
and then ignored the output, which consisted lines saying "FOO: warning:
copyright statement not found" for each of 7061 files FOO.
I then removed trailing white space from math/tgmath.h,
support/tst-support-open-dev-null-range.c, and
sysdeps/x86_64/multiarch/strlen-vec.S, to work around the following
obscure pre-commit check failure diagnostics from Savannah. I don't
know why I run into these diagnostics whereas others evidently do not.
remote: *** 912-#endif
remote: *** 913:
remote: *** 914-
remote: *** error: lines with trailing whitespace found
...
remote: *** error: sysdeps/unix/sysv/linux/statx_cp.c: trailing lines
I used these shell commands:
../glibc/scripts/update-copyrights $PWD/../gnulib/build-aux/update-copyright
(cd ../glibc && git commit -am"[this commit message]")
and then ignored the output, which consisted lines saying "FOO: warning:
copyright statement not found" for each of 6694 files FOO.
I then removed trailing white space from benchtests/bench-pthread-locks.c
and iconvdata/tst-iconv-big5-hkscs-to-2ucs4.c, to work around this
diagnostic from Savannah:
remote: *** pre-commit check failed ...
remote: *** error: lines with trailing whitespace found
remote: error: hook declined to update refs/heads/master
Add various defines and stubs for enabling MTE on AArch64 sysv-like
systems such as Linux. The HWCAP feature bit is copied over in the
same way as other feature bits. Similarly we add a new wrapper header
for mman.h to define the PROT_MTE flag that can be used with mmap and
related functions.
We add a new field to struct cpu_features that can be used, for
example, to check whether or not certain ifunc'd routines should be
bound to MTE-safe versions.
Finally, if we detect that MTE should be enabled (ie via the glibc
tunable); we enable MTE during startup as required.
Support in the Linux kernel was added in version 5.10.
Reviewed-by: Szabolcs Nagy <szabolcs.nagy@arm.com>
Binaries can opt-in to using BTI via an ELF object file marking.
The dynamic linker has to then mprotect the executable segments
with PROT_BTI. In case of static linked executables or in case
of the dynamic linker itself, PROT_BTI protection is done by the
operating system.
On AArch64 glibc uses PT_GNU_PROPERTY instead of PT_NOTE to check
the properties of a binary because PT_NOTE can be unreliable with
old linkers (old linkers just append the notes of input objects
together and add them to the output without checking them for
consistency which means multiple incompatible GNU property notes
can be present in PT_NOTE).
BTI property is handled in the loader even if glibc is not built
with BTI support, so in theory user code can be BTI protected
independently of glibc. In practice though user binaries are not
marked with the BTI property if glibc has no support because the
static linked libc objects (crt files, libc_nonshared.a) are
unmarked.
This patch relies on Linux userspace API that is not yet in a
linux release but in v5.8-rc1 so scheduled to be in Linux 5.8.
Co-authored-by: Szabolcs Nagy <szabolcs.nagy@arm.com>
Reviewed-by: Adhemerval Zanella <adhemerval.zanella@linaro.org>
Many bits/mman.h headers for Linux architectures have exactly the same
contents, up to whitespace, comments and the number of leading 0s on
constants. Specifically, this applies to architectures that, in the
Linux kernel, either have no uapi/asm/mman.h, or have one that
includes asm-generic/mman.h without any changes or additions relevant
to glibc (this last case is the one that applies to Arm).
It's not useful to have to duplicate the set of MAP_* constants in
glibc for all such architectures and any new architectures with that
property. Thus, this patch creates a generic
sysdeps/unix/sysv/linux/bits/mman.h and removes all the
architecture-specific versions that become unnecessary.
Further unification remains possible after this patch. For example,
the new bits/mman.h could become bits/mman-map-flags-generic.h so that
it could also be used by architecture-specific bits/mman.h headers on
architectures that use the generic flags but add architecture-specific
ones to them. That would allow this common set of MAP_* definitions
to be used on ia64 and x86 as well (architectures that include
asm-generic/mman.h from their own uapi/asm/mman.h but define
additional MAP_* values of their own).
Tested with build-many-glibcs.py.
* sysdeps/unix/sysv/linux/bits/mman.h: New file.
* sysdeps/unix/sysv/linux/aarch64/bits/mman.h: Remove.
* sysdeps/unix/sysv/linux/arm/bits/mman.h: Likewise.
* sysdeps/unix/sysv/linux/m68k/bits/mman.h: Likewise.
* sysdeps/unix/sysv/linux/microblaze/bits/mman.h: Likewise.
* sysdeps/unix/sysv/linux/nios2/bits/mman.h: Likewise.
* sysdeps/unix/sysv/linux/riscv/bits/mman.h: Likewise.
* sysdeps/unix/sysv/linux/s390/bits/mman.h: Likewise.
* sysdeps/unix/sysv/linux/sh/bits/mman.h: Likewise.
This patch adds the MAP_SYNC macro from Linux 4.15 to various
bits/mman.h headers. Note that this is *not* added to all
architectures: in Linux 4.15, this macro is only in
asm-generic/mman.h, and only some architectures' asm/mman.h include
the asm-generic file - the architectures not using the asm-generic
file will need their own values of MAP_SYNC allocated to support this
functionality (some of them also already have conflicting mmap flags
so the value there will have to be different from the generic
0x80000). Specifically, for glibc architectures, alpha hppa mips
powerpc sparc tile lack allocations of values for MAP_SYNC.
Tested for x86_64.
* sysdeps/unix/sysv/linux/aarch64/bits/mman.h [__USE_MISC]
(MAP_SYNC): New macro.
* sysdeps/unix/sysv/linux/arm/bits/mman.h [__USE_MISC] (MAP_SYNC):
Likewise.
* sysdeps/unix/sysv/linux/ia64/bits/mman.h [__USE_MISC]
(MAP_SYNC): Likewise.
* sysdeps/unix/sysv/linux/m68k/bits/mman.h [__USE_MISC]
(MAP_SYNC): Likewise.
* sysdeps/unix/sysv/linux/microblaze/bits/mman.h [__USE_MISC]
(MAP_SYNC): Likewise.
* sysdeps/unix/sysv/linux/nios2/bits/mman.h [__USE_MISC]
(MAP_SYNC): Likewise.
* sysdeps/unix/sysv/linux/riscv/bits/mman.h [__USE_MISC]
(MAP_SYNC): Likewise.
* sysdeps/unix/sysv/linux/s390/bits/mman.h [__USE_MISC]
(MAP_SYNC): Likewise.
* sysdeps/unix/sysv/linux/sh/bits/mman.h [__USE_MISC] (MAP_SYNC):
Likewise.
* sysdeps/unix/sysv/linux/x86/bits/mman.h [__USE_MISC] (MAP_SYNC):
Likewise.
This patch moves the AArch64 port to the main sysdeps hierarchy. The
move is essentially:
git mv ports/sysdeps/aarch64 sysdeps/aarch64
git mv ports/sysdeps/unix/sysv/linux/aarch64 sysdeps/unix/sysv/linux/aarch64
The README is updated and I've updated ChangeLog.aarch64 along the
lines of the ARM move. The AArch64 build has been tested to confirm
that there were no changes in objdump -dr output or the shared
objects.
