From 9700e11c456e21c4b3cf992217b524e618f23b1d Mon Sep 17 00:00:00 2001 From: Pablo Barrio Date: Wed, 25 Aug 2021 15:23:52 +0100 Subject: [PATCH] [PAuthABI] Allow GNU program properties as a PAuth ABI marking schema A new program property GNU_PROPERTY_AARCH64_FEATURE_PAUTH is defined in section .note.gnu.property that can be used as an alternative method for signing PAuthABI-compatible ELF files.At least in the Bionic linker, this is easier to implement: the property (and the existing .note.gnu.property section) can be trivially extracted from a DSO, and is already happening for other properties (mainly GNU_PROPERTY_AARCH64_FEATURE_1_AND to check for BTI and PAC-ret). In contrast, a new section would require traversing all the sections in the ELF and checking for the section name, which is more complicated to implement and possibly slower. Unfortunately, .note.gnu.property is not guaranteed to be understood by all ELF-based platforms, so we still keep the new section .note.AARCH64-PAUTH-ABI-tag as the default marking schema. --- pauthabielf64/pauthabielf64.rst | 115 ++++++++++++++++++++++++-------- 1 file changed, 89 insertions(+), 26 deletions(-) diff --git a/pauthabielf64/pauthabielf64.rst b/pauthabielf64/pauthabielf64.rst index 568a9575..74b48ba6 100644 --- a/pauthabielf64/pauthabielf64.rst +++ b/pauthabielf64/pauthabielf64.rst @@ -14,7 +14,7 @@ .. _LSB: https://refspecs.linuxfoundation.org/LSB_1.2.0/gLSB/noteabitag.html .. _SCO-ELF: http://www.sco.com/developers/gabi/ .. _TLSDESC: http://www.fsfla.org/~lxoliva/writeups/TLS/paper-lk2006.pdf - +.. _LINUX_ABI: https://github.com/hjl-tools/linux-abi/wiki .. footer:: ###Page### @@ -254,6 +254,8 @@ This document refers to, or is referred to by, the following documents. +-----------------------------------------------------------------------------------------+-------------------------------------------------------------+--------------------------------------------------------------------------+ | `GABI_SHT_RELR `_ | ELF GABI Google Groups | Proposal for a new section type SHT_RELR | +-----------------------------------------------------------------------------------------+-------------------------------------------------------------+--------------------------------------------------------------------------+ + | LINUX_ABI_ | https://github.com/hjl-tools/linux-abi/wiki | Linux Extensions to gABI | + +-----------------------------------------------------------------------------------------+-------------------------------------------------------------+--------------------------------------------------------------------------+ Terms and Abbreviations ----------------------- @@ -832,10 +834,20 @@ language to signing schema is expected to evolve over time. Even if the low-level ELF extensions remain constant, a change to the high-level language mapping may result in incompatible ELF files. -Every relocatable object, executable and shared library that uses the -PAuth ABI ELF extensions must have a section named -``.note.AARCH64-PAUTH-ABI-tag`` of type ``SHT_NOTE``. This section is -structured as a note section as documented in SCO-ELF_. +This document defines a default ELF marking schema and a base +compatibility model. Platforms may define their own ELF marking and +compatibility model that replace or extend the default ones. `Appendix +Alternative ELF Marking Using GNU Program Properties`_ defines an +alternative marking schema for platforms that support the +``.note.gnu.property`` section. + +Default Marking Schema +---------------------- + +A new section named ``.note.AARCH64-PAUTH-ABI-tag`` of type +``SHT_NOTE`` is defined. This section is structured as a note section +as documented in SCO-ELF_, and its attribute flag ``SHF_ALLOC`` must +be set. The name field (``namesz`` / ``name``) contains the string "ARM". The type field shall be 1, and the ``descsz`` field must be at least 16. @@ -846,17 +858,25 @@ identified for the first word. When ``descsz`` is larger than 16 the remainder of the contents of desc are defined by the (platform id, version number). -This ABI does not determine the format of the platform identifier. Arm -reserves the platform id 0 for a bare-metal platform. +The following values of the platform id are reserved: -The (platform id, version number) of (0, 0) is reserved as an invalid -combination. The program cannot be run when pointer authentication is -enabled. + +-----------+-----------+ + | Platform | Hex value | + +===========+===========+ + | Invalid | 0x0 | + +-----------+-----------+ + | Baremetal | 0x1 | + +-----------+-----------+ -The version id in ``.note.AARCH64-PAUTH-ABI-tag`` is not directly +The version number in ``.note.AARCH64-PAUTH-ABI-tag`` is not directly related to the version number of this document. It is controlled by -the object-producer based on the signing schema that have been used -for pointers. +the object-producer based on the signing schema that has been used for +pointers. + +If a file contains a section named ``.note.AARCH64-PAUTH-ABI-tag``, +it must observe the entirety of the rules in this default marking +schema. Generating such section with a platform-specific schema is +forbidden. Base Compatibility Model ------------------------ @@ -868,24 +888,36 @@ compatibility. information on how pointers are signed is available for this ELF file. -* The presence of a ``.note.AARCH64-PAUTH-ABI-tag`` means that the - pointers were signed in a compatible way with the default signing - rules for tuple (platform id, version number). +* The presence of a ``.note.AARCH64-PAUTH-ABI-tag`` means that, if the + file contains pointers, they were signed in a compatible way with + the default signing rules for tuple (platform id, version number). + +* The result of a successful combination of + ``.note.AArch64-PAUTH-ABI-tag`` sections is a single + ``.note.AArch64-PAUTH-ABI-tag`` section containing the (platform id, + version number) tuple. The result of an unsuccesful combination must + be either a single ``.note.AArch64-PAUTH-ABI-tag`` section containing + a platform id with value Invalid, or no ``.note.AArch64-PAUTH-ABI-tag`` + section written to the output file. * The static linker may fault the combination of relocatable objects that contain ``.note.AARCH64-PAUTH-ABI-tag`` sections with - incompatible (platform id, version number) tuples. If an ELF file is - produced, the output ``.note.AARCH64-PAUTH-ABI-tag`` must have the - invalid (platform id, version number) of (0, 0). + incompatible (platform id, version number) tuples. + +* A dynamic loader may disable pointer authentication, or fault the + program with an error message, in case it encounters an incompatible + ELF file. A file is incompatible with the loader in any of the + following cases: + + * If section ``.note.AARCH64-PAUTH-ABI-tag`` is missing. -* The combination of relocatable objects with - ``.note.AARCH64-PAUTH-ABI-tag`` and relocatable objects without a - ``.note.AARCH64-PAUTH-ABI-tag`` is not defined by this ABI. + * If the (platform id, version number) tuple is not recognized. -* A dynamic loader that encounters a (platform id, version number) - that it does not recognize, or if the (platform id, version number) - is (0,0), it must disable pointer authentication for the process or - give an error message. + * If the platform id is Invalid. + +The combination of relocatable objects with +``.note.AARCH64-PAUTH-ABI-tag`` and relocatable objects without a +``.note.AARCH64-PAUTH-ABI-tag`` is not defined by this ABI. Platforms may replace the base compatibility model with a platform-specific model. @@ -1196,3 +1228,34 @@ Some observations: * When not dynamic linking a static linker may choose to encode the pointer signing information in a custom encoding understood by the start-up code used. + +Appendix Alternative ELF Marking Using GNU Program Properties +============================================================= + +If a platform supports section ``.note.gnu.property``, this can be used +as the base for an alternative schema. The format of this section is +defined in LINUX_ABI_. + +The following processor-specific program property types are defined: + + +----------------------------------------+------------+ + | Name | Value | + +========================================+============+ + | GNU\_PROPERTY\_AARCH64\_FEATURE\_PAUTH | 0xc0000001 | + +----------------------------------------+------------+ + +The format of the data in ``pr_data`` is at least two 64-bit words, +the first being a platform identifier, and the second being a version +number specific to the platform identified in the first word. +Consequently, the ``pr_datasz`` field must be at least 16. When +``pr_datasz`` is larger than 16, the remainder of the contents of +``pr_data`` are specific to the (platform id, version number). If +``pr_datasz`` is not a multiple of 8, ``pr_padding`` must be added so +that PR_DATASZ + PR_PADDING is a multiple of 8 and the property +remains 8-byte aligned. + +The rules for the fields are the same as for the default marking +schema: this ABI does not define the exact format of the platform and +version identifiers, but reserves the combination of (platform, +version) equal to (0,0) to represent an ELF file incompatible with +this ABI.