Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

arch/arm64: Migrate hardware-assisted CFI protections to libukcfi #1519

Open
wants to merge 3 commits into
base: staging
Choose a base branch
from
Open

arch/arm64: Migrate hardware-assisted CFI protections to libukcfi #1519

wants to merge 3 commits into from

Conversation

michpappas
Copy link
Member

Prerequisite checklist

  • Read the contribution guidelines regarding submitting new changes to the project;
  • Tested your changes against relevant architectures and platforms;
  • Ran the checkpatch.uk on your commit series before opening this PR;
  • Updated relevant documentation.

Base target

  • Architecture(s): [arm64]
  • Platform(s): [N/A]
  • Application(s): [N/A]

Additional configuration

Description of changes

Migrate arm64 hardware-assisted mitigations against CFI attacks (PAuth / BTI) to a newly introduced library, libukcfi. This library should eventually collect additional CFI protections, like shadow-stack.

Depends-on: #1496

@michpappas
lib/ukrandom: PR unikraft#1496
f7e929e 
Introduce driver for CPU-generated entropy + misc. fixes

Signed-off-by: Michalis Pappas <[email protected]>
@michpappas
lib: Introduce libukcfi
07af09b 
Introduce libukcfi for control-flow integity features and migrate
the implementation of arm64 PAuth and BTI to the new library.

Initialize pointer authentication at early init, as soon as
libukrandom is available.

Signed-off-by: Michalis Pappas <[email protected]>
@michpappas
lib/ukboot: Add __no_pauth attribute to early_init()
8ae15aa 
The caller of pauth_init() needs to be compiled with the __no_pauth
attribute to prevent PAC check failure on return.

Signed-off-by: Michalis Pappas <[email protected]>
@github-actions github-actions bot added arch/arm arch/arm64 arch/x86_64 area/arch Unikraft Architecture area/include Part of include/uk area/kconfig Part of the Unikraft KConfig option system area/lib Internal Unikraft Microlibrary area/plat Unikraft Patform arm/smcc lang/c Issues or PRs to do with C/C++ lib/ukboot lib/ukrandom plat/common Common to all platforms plat/kvm Unikraft for KVM plat/xen Unikraft for Xen labels Oct 8, 2024
michpappas added a commit to michpappas/unikraft that referenced this pull request Oct 8, 2024
@michpappas
lib/ukcfi: PR unikraft#1519
3091570 
Introduce libukcfi

Signed-off-by: Michalis Pappas <[email protected]>
@nderjung nderjung added new/library This PR or Issue intends to add a new library to Unikraft topic/security Issue or PR is related to security. labels Oct 8, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@andreistan26 andreistan26 Awaiting requested review from andreistan26

@StefanJum StefanJum Awaiting requested review from StefanJum

@mariasfiraiala mariasfiraiala Awaiting requested review from mariasfiraiala

Assignees

@mogasergiu mogasergiu

Labels
arch/arm arch/arm64 arch/x86_64 area/arch Unikraft Architecture area/include Part of include/uk area/kconfig Part of the Unikraft KConfig option system area/lib Internal Unikraft Microlibrary area/plat Unikraft Patform arm/smcc lang/c Issues or PRs to do with C/C++ lib/ukboot lib/ukrandom new/library This PR or Issue intends to add a new library to Unikraft plat/common Common to all platforms plat/kvm Unikraft for KVM plat/xen Unikraft for Xen topic/security Issue or PR is related to security.
Projects
Release - Next
Status: In Progress
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@michpappas @nderjung @mogasergiu