[00/17] target/arm: Implement ARMv8.5-MemTag

Message ID 20190114011122.5995-1-richard.henderson@linaro.org

Message

Richard Henderson Jan. 14, 2019, 1:11 a.m. UTC
Based-on: 20190110124951.15473-1-richard.henderson@linaro.org
aka the TBID patch set, which itself is based on the BTI patch set.

The full tree is available at

  https://github.org/rth7680/qemu.git tgt-arm-mte

This extension is also spelled MTE in the ARM.

This patch set only attempts to implement linux-user emulation.
For system emulation, I still miss the new cache flushing insns (easy)
and the out-of-band physical memory for the allocation tags (harder).

From a few mis-steps in writing the test cases for the extension,
I might suggest that some future kernel's userland ABI for this have
TCR.TCMA0 = 1, so that legacy code that is *not* MTE aware can use
a frame pointer without accidentally tripping left over stack tags.
(As seen in patch 5, SP+OFF is unchecked per the ISA but FP+OFF is not.)

OTOH, depending on the application, that does make it easier for an
attack vector to clean the tag off the top of a pointer to bypass
store checking.  So, tricky.


r~


Cc: Ramana Radhakrishnan <ramana.radhakrishnan@arm.com>
Cc: Will Deacon <will.deacon@arm.com>
Cc: dave.martin@arm.com
Cc: szabolcs.nagy@arm.com
Cc: catalin.marinas@arm.com
Cc: mark.rutland@arm.com

Richard Henderson (17):
  target/arm: Add MTE_ACTIVE to tb_flags
  target/arm: Extract TCMA with ARMVAParameters
  target/arm: Add MTE system registers
  target/arm: Fill in helper_mte_check
  target/arm: Suppress tag check for sp+offset
  target/arm: Implement the IRG instruction
  target/arm: Implement ADDG, SUBG instructions
  target/arm: Implement the GMI instruction
  target/arm: Implement the SUBP instruction
  target/arm: Implement LDG, STG, ST2G instructions
  target/arm: Implement the STGP instruction
  target/arm: Implement the LDGV and STGV instructions
  target/arm: Set PSTATE.TCO on exception entry
  tcg: Introduce target-specific page data for user-only
  target/arm: Add allocation tag storage for user-only
  target/arm: Enable MTE
  tests/tcg/aarch64: Add mte smoke tests

 include/exec/cpu-all.h            |  10 +-
 target/arm/cpu.h                  |  18 ++
 target/arm/helper-a64.h           |  11 +
 target/arm/internals.h            |  22 ++
 target/arm/translate.h            |  13 ++
 accel/tcg/translate-all.c         |  28 +++
 linux-user/mmap.c                 |  10 +-
 linux-user/syscall.c              |   4 +-
 target/arm/cpu.c                  |  10 +
 target/arm/cpu64.c                |   1 +
 target/arm/helper.c               |  99 ++++++--
 target/arm/mte_helper.c           | 369 ++++++++++++++++++++++++++++++
 target/arm/translate-a64.c        | 305 ++++++++++++++++++++----
 tests/tcg/aarch64/mte-1.c         |  27 +++
 tests/tcg/aarch64/mte-2.c         |  39 ++++
 target/arm/Makefile.objs          |   2 +-
 tests/tcg/aarch64/Makefile.target |   4 +
 17 files changed, 907 insertions(+), 65 deletions(-)
 create mode 100644 target/arm/mte_helper.c
 create mode 100644 tests/tcg/aarch64/mte-1.c
 create mode 100644 tests/tcg/aarch64/mte-2.c

-- 
2.17.2
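
The TCMA0 trade-off discussed in the cover letter (a stale stack tag faulting a legacy FP-relative access, the SP+imm exemption, and a tag-0 pointer becoming unchecked once TCR.TCMA0 = 1) is easier to see with a small model of the check. The following is an added illustration, not code from the series or from QEMU's helper_mte_check: it keeps one 4-bit allocation tag per 16-byte granule over a constructed 1 KiB toy memory, puts the address tag in bits [59:56], and applies the three rules the letter refers to (PSTATE.TCO suppresses all checks, SP-based accesses are Tag Unchecked, and with TCMA0 set a logical tag of 0 is unchecked). The slot address 0x200 and the tag values 0x7 and 0x5 are constructed sample values.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Constructed toy model of the MTE tag check. It is NOT QEMU's
 * helper_mte_check; it only shows how TCR.TCMA0, the SP+imm exemption and
 * PSTATE.TCO interact with a tag left behind on the stack.
 */

#define MTE_GRANULE    16   /* one allocation tag per 16 bytes */
#define MTE_NGRANULES  64   /* toy address space: 1 KiB */

typedef struct {
    uint8_t alloc_tag[MTE_NGRANULES]; /* 4-bit allocation tag per granule */
    bool tcma0;                       /* TCR.TCMA0: address tag 0 is unchecked */
    bool tco;                         /* PSTATE.TCO: all tag checks suppressed */
} mte_ctx;

/* The only base-register distinction the check cares about. */
typedef enum { BASE_SP, BASE_OTHER } mte_base;

static inline unsigned mte_addr_tag(uint64_t va)
{
    return (unsigned)((va >> 56) & 0xf);
}

static inline uint64_t mte_tag_address(uint64_t va, unsigned tag)
{
    return (va & ~(0xfULL << 56)) | ((uint64_t)(tag & 0xf) << 56);
}

static inline uint64_t mte_strip_tag(uint64_t va)
{
    return va & ~(0xfULL << 56);
}

static void mte_init(mte_ctx *ctx, bool tcma0, bool tco)
{
    memset(ctx, 0, sizeof(*ctx));
    ctx->tcma0 = tcma0;
    ctx->tco = tco;
}

/* Like STG: write the address tag of va into the granule it points at. */
static bool mte_store_tag(mte_ctx *ctx, uint64_t va)
{
    uint64_t g = mte_strip_tag(va) / MTE_GRANULE;
    if (g >= MTE_NGRANULES) {
        return false;
    }
    ctx->alloc_tag[g] = (uint8_t)mte_addr_tag(va);
    return true;
}

/*
 * Tag check for a load/store at va. Returns true when the access proceeds
 * (checked and matching, or unchecked), false when hardware would raise a
 * Tag Check Fault.
 */
static bool mte_check(const mte_ctx *ctx, uint64_t va, mte_base base)
{
    if (ctx->tco) {
        return true;            /* PSTATE.TCO set: nothing is checked */
    }
    if (base == BASE_SP) {
        return true;            /* SP+imm accesses are Tag Unchecked */
    }
    unsigned ltag = mte_addr_tag(va);
    if (ctx->tcma0 && ltag == 0) {
        return true;            /* TCMA0: logical tag 0 is unchecked */
    }
    uint64_t g = mte_strip_tag(va) / MTE_GRANULE;
    if (g >= MTE_NGRANULES) {
        return false;           /* outside the toy memory: treat as a fault */
    }
    return ctx->alloc_tag[g] == ltag;
}

/*
 * Scenario from the cover letter: an MTE-aware callee tagged a stack
 * granule (constructed address 0x200) with 0x7 and returned without
 * clearing it. The caller then touches that slot with a pointer carrying
 * ptr_tag, through either SP or another register (e.g. FP).
 */
static bool access_stale_slot(bool tcma0, bool tco, unsigned ptr_tag, mte_base base)
{
    mte_ctx ctx;
    mte_init(&ctx, tcma0, tco);
    (void)mte_store_tag(&ctx, mte_tag_address(0x200, 0x7));
    return mte_check(&ctx, mte_tag_address(0x200, ptr_tag), base);
}

int main(void)
{
    printf("legacy FP access, TCMA0=0: %s\n",
           access_stale_slot(false, false, 0, BASE_OTHER) ? "ok" : "fault");
    printf("legacy FP access, TCMA0=1: %s\n",
           access_stale_slot(true, false, 0, BASE_OTHER) ? "ok" : "fault");
    printf("tag-cleared pointer, TCMA0=1: %s\n",
           access_stale_slot(true, false, 0, BASE_OTHER) ? "ok (unchecked)" : "fault");
    return 0;
}
```

Running the model reproduces both halves of the argument: with TCMA0 = 0 the FP-relative legacy access faults on the stale tag while the same slot through SP+imm does not, and with TCMA0 = 1 the legacy access succeeds, but so does any other pointer to that granule whose tag has been cleared to 0, which is the store-check bypass the letter calls tricky.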

Comments

Peter Maydell Feb. 5, 2019, 7:42 p.m. UTC | #1
On Mon, 14 Jan 2019 at 01:11, Richard Henderson
<richard.henderson@linaro.org> wrote:
>
> Based-on: 20190110124951.15473-1-richard.henderson@linaro.org
> aka the TBID patch set, which itself is based on the BTI patch set.
>
> The full tree is available at
>
>   https://github.org/rth7680/qemu.git tgt-arm-mte
>
> This extension is also spelled MTE in the ARM.
>
> This patch set only attempts to implement linux-user emulation.
> For system emulation, I still miss the new cache flushing insns (easy)
> and the out-of-band physical memory for the allocation tags (harder).
>
> From a few mis-steps in writing the test cases for the extension,
> I might suggest that some future kernel's userland ABI for this have
> TCR.TCMA0 = 1, so that legacy code that is *not* MTE aware can use
> a frame pointer without accidentally tripping left over stack tags.
> (As seen in patch 5, SP+OFF is unchecked per the ISA but FP+OFF is not.)
>
> OTOH, depending on the application, that does make it easier for an
> attack vector to clean the tag off the top of a pointer to bypass
> store checking.  So, tricky.

I'm working through review of this, but feel free to rebase on
current master (which has now got a pile of your other patches
in it, since I've just merged target-arm.next) without waiting
for me to finish going through it.

thanks
-- PMM
Peter Maydell Feb. 7, 2019, 5:53 p.m. UTC | #2
On Tue, 5 Feb 2019 at 19:42, Peter Maydell <peter.maydell@linaro.org> wrote:
> I'm working through review of this, but feel free to rebase on
> current master (which has now got a pile of your other patches
> in it, since I've just merged target-arm.next) without waiting
> for me to finish going through it.


OK, I've now finished review of it. I haven't looked at the
last few patches which are linux-user, because it doesn't
seem worth doing much review on them until we have at least
a proposed Linux userspace ABI for MemTag to compare them
against. (If we do want to do an implementation that precedes
the ABI being nailed down, we need to hide it behind a
defaults-to-off x-property.)

thanks
-- PMM