- Linux-kselftest-mirror - lists.linaro.org

[PATCH bpf-next v3 4/5] bpf: selftests: add MPTCP test base

by Nicolas Rybowski

This patch adds a base for MPTCP specific tests. It is currently limited to the is_mptcp field in case of plain TCP connection because for the moment there is no easy way to get the subflow sk from a msk in userspace. This implies that we cannot lookup the sk_storage attached to the subflow sk in the sockops program. Acked-by: Matthieu Baerts <matthieu.baerts(a)tessares.net> Acked-by: Song Liu <songliubraving(a)fb.com> Signed-off-by: Nicolas Rybowski <nicolas.rybowski(a)tessares.net> --- Notes: v2 -> v3: - remove useless close_client_fd label (Song) - remove error count increment (Song) v1 -> v2: - new patch: mandatory selftests (Alexei) tools/testing/selftests/bpf/config | 1 + tools/testing/selftests/bpf/network_helpers.c | 37 +++++- tools/testing/selftests/bpf/network_helpers.h | 3 + .../testing/selftests/bpf/prog_tests/mptcp.c | 118 ++++++++++++++++++ tools/testing/selftests/bpf/progs/mptcp.c | 48 +++++++ 5 files changed, 202 insertions(+), 5 deletions(-) create mode 100644 tools/testing/selftests/bpf/prog_tests/mptcp.c create mode 100644 tools/testing/selftests/bpf/progs/mptcp.c diff --git a/tools/testing/selftests/bpf/config b/tools/testing/selftests/bpf/config index 2118e23ac07a..8377836ea976 100644 --- a/tools/testing/selftests/bpf/config +++ b/tools/testing/selftests/bpf/config @@ -39,3 +39,4 @@ CONFIG_BPF_JIT=y CONFIG_BPF_LSM=y CONFIG_SECURITY=y CONFIG_LIRC=y +CONFIG_MPTCP=y diff --git a/tools/testing/selftests/bpf/network_helpers.c b/tools/testing/selftests/bpf/network_helpers.c index 12ee40284da0..85cbb683965c 100644 --- a/tools/testing/selftests/bpf/network_helpers.c +++ b/tools/testing/selftests/bpf/network_helpers.c @@ -14,6 +14,10 @@ #include "bpf_util.h" #include "network_helpers.h" +#ifndef IPPROTO_MPTCP +#define IPPROTO_MPTCP 262 +#endif + #define clean_errno() (errno == 0 ? "None" : strerror(errno)) #define log_err(MSG, ...) ({ \ int __save = errno; \ @@ -66,8 +70,8 @@ static int settimeo(int fd, int timeout_ms) #define save_errno_close(fd) ({ int __save = errno; close(fd); errno = __save; }) -int start_server(int family, int type, const char *addr_str, __u16 port, - int timeout_ms) +static int start_server_proto(int family, int type, int protocol, + const char *addr_str, __u16 port, int timeout_ms) { struct sockaddr_storage addr = {}; socklen_t len; @@ -76,7 +80,7 @@ int start_server(int family, int type, const char *addr_str, __u16 port, if (make_sockaddr(family, addr_str, port, &addr, &len)) return -1; - fd = socket(family, type, 0); + fd = socket(family, type, protocol); if (fd < 0) { log_err("Failed to create server socket"); return -1; @@ -104,6 +108,19 @@ int start_server(int family, int type, const char *addr_str, __u16 port, return -1; } +int start_server(int family, int type, const char *addr_str, __u16 port, + int timeout_ms) +{ + return start_server_proto(family, type, 0, addr_str, port, timeout_ms); +} + +int start_mptcp_server(int family, const char *addr_str, __u16 port, + int timeout_ms) +{ + return start_server_proto(family, SOCK_STREAM, IPPROTO_MPTCP, addr_str, + port, timeout_ms); +} + int fastopen_connect(int server_fd, const char *data, unsigned int data_len, int timeout_ms) { @@ -153,7 +170,7 @@ static int connect_fd_to_addr(int fd, return 0; } -int connect_to_fd(int server_fd, int timeout_ms) +static int connect_to_fd_proto(int server_fd, int protocol, int timeout_ms) { struct sockaddr_storage addr; struct sockaddr_in *addr_in; @@ -173,7 +190,7 @@ int connect_to_fd(int server_fd, int timeout_ms) } addr_in = (struct sockaddr_in *)&addr; - fd = socket(addr_in->sin_family, type, 0); + fd = socket(addr_in->sin_family, type, protocol); if (fd < 0) { log_err("Failed to create client socket"); return -1; @@ -192,6 +209,16 @@ int connect_to_fd(int server_fd, int timeout_ms) return -1; } +int connect_to_fd(int server_fd, int timeout_ms) +{ + return connect_to_fd_proto(server_fd, 0, timeout_ms); +} + +int connect_to_mptcp_fd(int server_fd, int timeout_ms) +{ + return connect_to_fd_proto(server_fd, IPPROTO_MPTCP, timeout_ms); +} + int connect_fd_to_fd(int client_fd, int server_fd, int timeout_ms) { struct sockaddr_storage addr; diff --git a/tools/testing/selftests/bpf/network_helpers.h b/tools/testing/selftests/bpf/network_helpers.h index 7205f8afdba1..336423a789e9 100644 --- a/tools/testing/selftests/bpf/network_helpers.h +++ b/tools/testing/selftests/bpf/network_helpers.h @@ -35,7 +35,10 @@ extern struct ipv6_packet pkt_v6; int start_server(int family, int type, const char *addr, __u16 port, int timeout_ms); +int start_mptcp_server(int family, const char *addr, __u16 port, + int timeout_ms); int connect_to_fd(int server_fd, int timeout_ms); +int connect_to_mptcp_fd(int server_fd, int timeout_ms); int connect_fd_to_fd(int client_fd, int server_fd, int timeout_ms); int fastopen_connect(int server_fd, const char *data, unsigned int data_len, int timeout_ms); diff --git a/tools/testing/selftests/bpf/prog_tests/mptcp.c b/tools/testing/selftests/bpf/prog_tests/mptcp.c new file mode 100644 index 000000000000..9accf2cfce36 --- /dev/null +++ b/tools/testing/selftests/bpf/prog_tests/mptcp.c @@ -0,0 +1,118 @@ +// SPDX-License-Identifier: GPL-2.0 +#include <test_progs.h> +#include "cgroup_helpers.h" +#include "network_helpers.h" + +struct mptcp_storage { + __u32 invoked; + __u32 is_mptcp; +}; + +static int verify_sk(int map_fd, int client_fd, const char *msg, __u32 is_mptcp) +{ + int err = 0, cfd = client_fd; + struct mptcp_storage val; + + /* Currently there is no easy way to get back the subflow sk from the MPTCP + * sk, thus we cannot access here the sk_storage associated to the subflow + * sk. Also, there is no sk_storage associated with the MPTCP sk since it + * does not trigger sockops events. + * We silently pass this situation at the moment. + */ + if (is_mptcp == 1) + return 0; + + if (CHECK_FAIL(bpf_map_lookup_elem(map_fd, &cfd, &val) < 0)) { + perror("Failed to read socket storage"); + return -1; + } + + if (val.invoked != 1) { + log_err("%s: unexpected invoked count %d != %d", + msg, val.invoked, 1); + err++; + } + + if (val.is_mptcp != is_mptcp) { + log_err("%s: unexpected bpf_tcp_sock.is_mptcp %d != %d", + msg, val.is_mptcp, is_mptcp); + err++; + } + + return err; +} + +static int run_test(int cgroup_fd, int server_fd, bool is_mptcp) +{ + int client_fd, prog_fd, map_fd, err; + struct bpf_object *obj; + struct bpf_map *map; + + struct bpf_prog_load_attr attr = { + .prog_type = BPF_PROG_TYPE_SOCK_OPS, + .file = "./mptcp.o", + .expected_attach_type = BPF_CGROUP_SOCK_OPS, + }; + + err = bpf_prog_load_xattr(&attr, &obj, &prog_fd); + if (err) { + log_err("Failed to load BPF object"); + return -1; + } + + map = bpf_map__next(NULL, obj); + map_fd = bpf_map__fd(map); + + err = bpf_prog_attach(prog_fd, cgroup_fd, BPF_CGROUP_SOCK_OPS, 0); + if (err) { + log_err("Failed to attach BPF program"); + goto close_bpf_object; + } + + client_fd = is_mptcp ? connect_to_mptcp_fd(server_fd, 0) : + connect_to_fd(server_fd, 0); + if (client_fd < 0) { + err = -1; + goto close_bpf_object; + } + + err = is_mptcp ? verify_sk(map_fd, client_fd, "MPTCP subflow socket", 1) : + verify_sk(map_fd, client_fd, "plain TCP socket", 0); + + close(client_fd); + +close_bpf_object: + bpf_object__close(obj); + return err; +} + +void test_mptcp(void) +{ + int server_fd, cgroup_fd; + + cgroup_fd = test__join_cgroup("/mptcp"); + if (CHECK_FAIL(cgroup_fd < 0)) + return; + + /* without MPTCP */ + server_fd = start_server(AF_INET, SOCK_STREAM, NULL, 0, 0); + if (CHECK_FAIL(server_fd < 0)) + goto with_mptcp; + + CHECK_FAIL(run_test(cgroup_fd, server_fd, false)); + + close(server_fd); + +with_mptcp: + /* with MPTCP */ + server_fd = start_mptcp_server(AF_INET, NULL, 0, 0); + if (CHECK_FAIL(server_fd < 0)) + goto close_cgroup_fd; + + CHECK_FAIL(run_test(cgroup_fd, server_fd, true)); + + close(server_fd); + +close_cgroup_fd: + close(cgroup_fd); +} diff --git a/tools/testing/selftests/bpf/progs/mptcp.c b/tools/testing/selftests/bpf/progs/mptcp.c new file mode 100644 index 000000000000..be5ee8dac2b3 --- /dev/null +++ b/tools/testing/selftests/bpf/progs/mptcp.c @@ -0,0 +1,48 @@ +// SPDX-License-Identifier: GPL-2.0 +#include <linux/bpf.h> +#include <bpf/bpf_helpers.h> + +char _license[] SEC("license") = "GPL"; +__u32 _version SEC("version") = 1; + +struct mptcp_storage { + __u32 invoked; + __u32 is_mptcp; +}; + +struct { + __uint(type, BPF_MAP_TYPE_SK_STORAGE); + __uint(map_flags, BPF_F_NO_PREALLOC); + __type(key, int); + __type(value, struct mptcp_storage); +} socket_storage_map SEC(".maps"); + +SEC("sockops") +int _sockops(struct bpf_sock_ops *ctx) +{ + struct mptcp_storage *storage; + struct bpf_tcp_sock *tcp_sk; + int op = (int)ctx->op; + struct bpf_sock *sk; + + sk = ctx->sk; + if (!sk) + return 1; + + storage = bpf_sk_storage_get(&socket_storage_map, sk, 0, + BPF_SK_STORAGE_GET_F_CREATE); + if (!storage) + return 1; + + if (op != BPF_SOCK_OPS_TCP_CONNECT_CB) + return 1; + + tcp_sk = bpf_tcp_sock(sk); + if (!tcp_sk) + return 1; + + storage->invoked++; + storage->is_mptcp = tcp_sk->is_mptcp; + + return 1; +} -- 2.28.0

4 years, 4 months

1
0
0 0

[PATCH] selftests/seccomp: fix ptrace tests on powerpc

by Thadeu Lima de Souza Cascardo

As pointed out by Michael Ellerman, the ptrace ABI on powerpc does not allow or require the return code to be set on syscall entry when skipping the syscall. It will always return ENOSYS and the return code must be set on syscall exit. This code does that, behaving more similarly to strace. It still sets the return code on entry, which is overridden on powerpc, and it will always repeat the same on exit. Also, on powerpc, the errno is not inverted, and depends on ccr.so being set. This has been tested on powerpc and amd64. Cc: Michael Ellerman <mpe(a)ellerman.id.au> Cc: Kees Cook <keescook(a)google.com> Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo(a)canonical.com> --- tools/testing/selftests/seccomp/seccomp_bpf.c | 24 +++++++++++++++---- 1 file changed, 20 insertions(+), 4 deletions(-) diff --git a/tools/testing/selftests/seccomp/seccomp_bpf.c b/tools/testing/selftests/seccomp/seccomp_bpf.c index 252140a52553..b90a9190ba88 100644 --- a/tools/testing/selftests/seccomp/seccomp_bpf.c +++ b/tools/testing/selftests/seccomp/seccomp_bpf.c @@ -1738,6 +1738,14 @@ void change_syscall(struct __test_metadata *_metadata, TH_LOG("Can't modify syscall return on this architecture"); #else regs.SYSCALL_RET = result; +# if defined(__powerpc__) + if (result < 0) { + regs.SYSCALL_RET = -result; + regs.ccr |= 0x10000000; + } else { + regs.ccr &= ~0x10000000; + } +# endif #endif #ifdef HAVE_GETREGS @@ -1796,6 +1804,7 @@ void tracer_ptrace(struct __test_metadata *_metadata, pid_t tracee, int ret, nr; unsigned long msg; static bool entry; + int *syscall_nr = args; /* * The traditional way to tell PTRACE_SYSCALL entry/exit @@ -1809,10 +1818,15 @@ void tracer_ptrace(struct __test_metadata *_metadata, pid_t tracee, EXPECT_EQ(entry ? PTRACE_EVENTMSG_SYSCALL_ENTRY : PTRACE_EVENTMSG_SYSCALL_EXIT, msg); - if (!entry) + if (!entry && !syscall_nr) return; - nr = get_syscall(_metadata, tracee); + if (entry) + nr = get_syscall(_metadata, tracee); + else + nr = *syscall_nr; + if (syscall_nr) + *syscall_nr = nr; if (nr == __NR_getpid) change_syscall(_metadata, tracee, __NR_getppid, 0); @@ -1889,9 +1903,10 @@ TEST_F(TRACE_syscall, ptrace_syscall_redirected) TEST_F(TRACE_syscall, ptrace_syscall_errno) { + int syscall_nr = -1; /* Swap SECCOMP_RET_TRACE tracer for PTRACE_SYSCALL tracer. */ teardown_trace_fixture(_metadata, self->tracer); - self->tracer = setup_trace_fixture(_metadata, tracer_ptrace, NULL, + self->tracer = setup_trace_fixture(_metadata, tracer_ptrace, &syscall_nr, true); /* Tracer should skip the open syscall, resulting in ESRCH. */ @@ -1900,9 +1915,10 @@ TEST_F(TRACE_syscall, ptrace_syscall_errno) TEST_F(TRACE_syscall, ptrace_syscall_faked) { + int syscall_nr = -1; /* Swap SECCOMP_RET_TRACE tracer for PTRACE_SYSCALL tracer. */ teardown_trace_fixture(_metadata, self->tracer); - self->tracer = setup_trace_fixture(_metadata, tracer_ptrace, NULL, + self->tracer = setup_trace_fixture(_metadata, tracer_ptrace, &syscall_nr, true); /* Tracer should skip the gettid syscall, resulting fake pid. */ -- 2.25.1

4 years, 4 months

3
6
0 0

[PATCH net-next] selftests: mptcp: interpret \n as a new line

by Matthieu Baerts

In case of errors, this message was printed: (...) # read: Resource temporarily unavailable # client exit code 0, server 3 # \nnetns ns1-0-BJlt5D socket stat for 10003: (...) Obviously, the idea was to add a new line before the socket stat and not print "\nnetns". Fixes: b08fbf241064 ("selftests: add test-cases for MPTCP MP_JOIN") Fixes: 048d19d444be ("mptcp: add basic kselftest for mptcp") Signed-off-by: Matthieu Baerts <matthieu.baerts(a)tessares.net> --- Notes: This commit improves the output in selftests in case of errors, mostly seen when modifying MPTCP code. The selftests behaviour is not changed. That's why this patch is proposed only for net-next. tools/testing/selftests/net/mptcp/mptcp_connect.sh | 4 ++-- tools/testing/selftests/net/mptcp/mptcp_join.sh | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/tools/testing/selftests/net/mptcp/mptcp_connect.sh b/tools/testing/selftests/net/mptcp/mptcp_connect.sh index e4df9ba64824..2cfd87d94db8 100755 --- a/tools/testing/selftests/net/mptcp/mptcp_connect.sh +++ b/tools/testing/selftests/net/mptcp/mptcp_connect.sh @@ -443,9 +443,9 @@ do_transfer() duration=$(printf "(duration %05sms)" $duration) if [ ${rets} -ne 0 ] || [ ${retc} -ne 0 ]; then echo "$duration [ FAIL ] client exit code $retc, server $rets" 1>&2 - echo "\nnetns ${listener_ns} socket stat for $port:" 1>&2 + echo -e "\nnetns ${listener_ns} socket stat for ${port}:" 1>&2 ip netns exec ${listener_ns} ss -nita 1>&2 -o "sport = :$port" - echo "\nnetns ${connector_ns} socket stat for $port:" 1>&2 + echo -e "\nnetns ${connector_ns} socket stat for ${port}:" 1>&2 ip netns exec ${connector_ns} ss -nita 1>&2 -o "dport = :$port" cat "$capout" diff --git a/tools/testing/selftests/net/mptcp/mptcp_join.sh b/tools/testing/selftests/net/mptcp/mptcp_join.sh index f39c1129ce5f..c2943e4dfcfe 100755 --- a/tools/testing/selftests/net/mptcp/mptcp_join.sh +++ b/tools/testing/selftests/net/mptcp/mptcp_join.sh @@ -176,9 +176,9 @@ do_transfer() if [ ${rets} -ne 0 ] || [ ${retc} -ne 0 ]; then echo " client exit code $retc, server $rets" 1>&2 - echo "\nnetns ${listener_ns} socket stat for $port:" 1>&2 + echo -e "\nnetns ${listener_ns} socket stat for ${port}:" 1>&2 ip netns exec ${listener_ns} ss -nita 1>&2 -o "sport = :$port" - echo "\nnetns ${connector_ns} socket stat for $port:" 1>&2 + echo -e "\nnetns ${connector_ns} socket stat for ${port}:" 1>&2 ip netns exec ${connector_ns} ss -nita 1>&2 -o "dport = :$port" cat "$capout" -- 2.27.0

4 years, 4 months

3
2
0 0

Re: [REGRESSION] kselftest: next-20200915

by Shuah Khan

On 9/15/20 11:52 AM, Justin Cook wrote: > Hello, > > Linaro had previously been sending out a report based on our testing of > the linux kernel using kselftest. We paused sending that report to fix a > few issues. We are now continuing the process, starting with this report. > > If you have any questions, comments, feedback, or concerns please email > lkft(a)linaro.org <mailto:lkft@linaro.org>. > > Thanks, > > Justin > Hi Justin, Thanks for the report. It would be nice to see the reports. However, it is hard for me to determine which tests failed and why. > On Tue, 15 Sep 2020 at 12:44, LKFT <lkft(a)linaro.org > <mailto:lkft@linaro.org>> wrote: > > ## Kernel > * kernel: 5.9.0-rc5 > * git repo: > ['https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git', > 'https://gitlab.com/Linaro/lkft/mirrors/next/linux-next'] > * git branch: master > * git commit: 6b02addb1d1748d21dd1261e46029b264be4e5a0 > * git describe: next-20200915 > * Test details: > https://qa-reports.linaro.org/lkft/linux-next-master/build/next-20200915 > > ## Regressions (compared to build next-20200914) > > juno-r2: > kselftest: > * memfd_memfd_test > > x86: > kselftest-vsyscall-mode-native: > * kvm_vmx_preemption_timer_test I looked for the above two failures to start with since these are regressions and couldn't find them. Are the regressions tied to new commits in linux-next from the mm and kvm trees? thanks, -- Shuah

4 years, 4 months

2
2
0 0

[REGRESSION] kselftest: next-20200916

by LKFT

## Kernel * kernel: 5.9.0-rc5 * git repo: ['https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git', 'https://gitlab.com/Linaro/lkft/mirrors/next/linux-next'] * git branch: master * git commit: 5fa35f247b563a7893f3f68f19d00ace2ccf3dff * git describe: next-20200916 * Test details: https://qa-reports.linaro.org/lkft/linux-next-master/build/next-20200916 ## Regressions (compared to build next-20200915) x86: kselftest-vsyscall-mode-none: * kvm_vmx_preemption_timer_test kselftest: * kvm_vmx_preemption_timer_test ## Fixes (compared to build next-20200915) x86: kselftest-vsyscall-mode-native: * cgroup_test_freezer * kvm_vmx_preemption_timer_test ## Summary ### i386, kselftest * total: 294 * pass: 123 * fail: 133 * skip: 38 * xfail: 0 ### x86, kselftest * total: 312 * pass: 167 * fail: 112 * skip: 33 * xfail: 0 ### x86, kselftest-vsyscall-mode-native * total: 313 * pass: 165 * fail: 115 * skip: 33 * xfail: 0 ### x86, kselftest-vsyscall-mode-none * total: 310 * pass: 166 * fail: 111 * skip: 33 * xfail: 0 ## Environments * dragonboard-410c * hi6220-hikey * i386 * juno-r2 * juno-r2-compat * juno-r2-kasan * nxp-ls2088 * qemu_arm * qemu_arm64 * qemu_i386 * qemu_x86_64 * x15 * x86 * x86-kasan ## Suites * kselftest * kselftest-vsyscall-mode-native * kselftest-vsyscall-mode-none ## Failures ### i386, kselftest * bpf_test_progs * bpf_test_dev_cgroup * bpf_test_tcpbpf_user * bpf_get_cgroup_id_user * bpf_test_socket_cookie * bpf_test_tcpnotify_user * bpf_test_sock_fields * bpf_test_sysctl * bpf_test_progs-no_alu32 * bpf_test_sock_addr.sh * bpf_test_tunnel.sh * bpf_test_lwt_seg6local.sh * bpf_test_flow_dissector.sh * bpf_test_lwt_ip_encap.sh * bpf_test_tc_tunnel.sh * bpf_test_tc_edt.sh * bpf_test_xdping.sh * bpf_test_bpftool.sh * clone3_clone3_clear_sighand * clone3_clone3_cap_checkpoint_restore * core_close_range_test * firmware_fw_run_tests.sh * ftrace_ftracetest * intel_pstate_run.sh * kvm_cr4_cpuid_sync_test * kvm_evmcs_test * kvm_hyperv_cpuid * kvm_mmio_warning_test * kvm_platform_info_test * kvm_set_sregs_test * kvm_smm_test * kvm_state_test * kvm_vmx_preemption_timer_test * kvm_svm_vmcall_test * kvm_sync_regs_test * kvm_vmx_close_while_nested_test * kvm_vmx_dirty_log_test * kvm_vmx_set_nested_state_test * kvm_vmx_tsc_adjust_test * kvm_xss_msr_test * kvm_debug_regs * kvm_clear_dirty_log_test * kvm_demand_paging_test * kvm_dirty_log_test * kvm_kvm_create_max_vcpus * kvm_set_memory_region_test * kvm_steal_time * lkdtm_BUG.sh * lkdtm_WARNING.sh * lkdtm_WARNING_MESSAGE.sh * lkdtm_EXCEPTION.sh * lkdtm_CORRUPT_LIST_ADD.sh * lkdtm_CORRUPT_LIST_DEL.sh * lkdtm_STACK_GUARD_PAGE_LEADING.sh * lkdtm_STACK_GUARD_PAGE_TRAILING.sh * lkdtm_UNSET_SMEP.sh * lkdtm_DOUBLE_FAULT.sh * lkdtm_CORRUPT_PAC.sh * lkdtm_UNALIGNED_LOAD_STORE_WRITE.sh * lkdtm_READ_AFTER_FREE.sh * lkdtm_READ_BUDDY_AFTER_FREE.sh * lkdtm_SLAB_FREE_DOUBLE.sh * lkdtm_SLAB_FREE_CROSS.sh * lkdtm_SLAB_FREE_PAGE.sh * lkdtm_EXEC_DATA.sh * lkdtm_EXEC_STACK.sh * lkdtm_EXEC_KMALLOC.sh * lkdtm_EXEC_VMALLOC.sh * lkdtm_EXEC_RODATA.sh * lkdtm_EXEC_USERSPACE.sh * lkdtm_EXEC_NULL.sh * lkdtm_ACCESS_USERSPACE.sh * lkdtm_ACCESS_NULL.sh * lkdtm_WRITE_RO.sh * lkdtm_WRITE_RO_AFTER_INIT.sh * lkdtm_WRITE_KERN.sh * lkdtm_REFCOUNT_INC_OVERFLOW.sh * lkdtm_REFCOUNT_ADD_OVERFLOW.sh * lkdtm_REFCOUNT_INC_NOT_ZERO_OVERFLOW.sh * lkdtm_REFCOUNT_ADD_NOT_ZERO_OVERFLOW.sh * lkdtm_REFCOUNT_DEC_ZERO.sh * lkdtm_REFCOUNT_DEC_NEGATIVE.sh * lkdtm_REFCOUNT_DEC_AND_TEST_NEGATIVE.sh * lkdtm_REFCOUNT_SUB_AND_TEST_NEGATIVE.sh * lkdtm_REFCOUNT_INC_ZERO.sh * lkdtm_REFCOUNT_ADD_ZERO.sh * lkdtm_REFCOUNT_INC_SATURATED.sh * lkdtm_REFCOUNT_DEC_SATURATED.sh * lkdtm_REFCOUNT_ADD_SATURATED.sh * lkdtm_REFCOUNT_INC_NOT_ZERO_SATURATED.sh * lkdtm_REFCOUNT_ADD_NOT_ZERO_SATURATED.sh * lkdtm_REFCOUNT_DEC_AND_TEST_SATURATED.sh * lkdtm_REFCOUNT_SUB_AND_TEST_SATURATED.sh * lkdtm_USERCOPY_HEAP_SIZE_TO.sh * lkdtm_USERCOPY_HEAP_SIZE_FROM.sh * lkdtm_USERCOPY_HEAP_WHITELIST_TO.sh * lkdtm_USERCOPY_HEAP_WHITELIST_FROM.sh * lkdtm_USERCOPY_STACK_FRAME_TO.sh * lkdtm_USERCOPY_STACK_FRAME_FROM.sh * lkdtm_USERCOPY_STACK_BEYOND.sh * lkdtm_USERCOPY_KERNEL.sh * lkdtm_STACKLEAK_ERASING.sh * lkdtm_CFI_FORWARD_PROTO.sh * mincore_mincore_selftest * mqueue_mq_perf_tests * net_fib_tests.sh * net_fib-onlink-tests.sh * net_pmtu.sh * net_udpgso_bench.sh * net_psock_snd.sh * net_test_vxlan_under_vrf.sh * net_l2tp.sh * net_traceroute.sh * net_altnames.sh * net_icmp_redirect.sh * net_txtimestamp.sh * net_vrf-xfrm-tests.sh * net_devlink_port_split.py * netfilter_nft_concat_range.sh * netfilter_nft_queue.sh * pidfd_pidfd_open_test * pidfd_pidfd_poll_test * proc_proc-self-syscall * proc_proc-fsconfig-hidepid * pstore_pstore_tests * ptrace_vmaccess * openat2_openat2_test * openat2_resolve_test * openat2_rename_attack_test * rtc_rtctest * seccomp_seccomp_bpf * seccomp_seccomp_benchmark * splice_short_splice_read.sh ### x86, kselftest * bpf_test_progs * bpf_test_dev_cgroup * bpf_test_tcpbpf_user * bpf_get_cgroup_id_user * bpf_test_socket_cookie * bpf_test_netcnt * bpf_test_tcpnotify_user * bpf_test_sock_fields * bpf_test_sysctl * bpf_test_progs-no_alu32 * bpf_test_sock_addr.sh * bpf_test_tunnel.sh * bpf_test_lwt_seg6local.sh * bpf_test_flow_dissector.sh * bpf_test_lwt_ip_encap.sh * bpf_test_tc_tunnel.sh * bpf_test_tc_edt.sh * bpf_test_xdping.sh * bpf_test_bpftool.sh * clone3_clone3_cap_checkpoint_restore * core_close_range_test * firmware_fw_run_tests.sh * ftrace_ftracetest * intel_pstate_run.sh * kvm_debug_regs * lkdtm_BUG.sh * lkdtm_WARNING.sh * lkdtm_WARNING_MESSAGE.sh * lkdtm_EXCEPTION.sh * lkdtm_CORRUPT_LIST_ADD.sh * lkdtm_CORRUPT_LIST_DEL.sh * lkdtm_STACK_GUARD_PAGE_LEADING.sh * lkdtm_STACK_GUARD_PAGE_TRAILING.sh * lkdtm_UNSET_SMEP.sh * lkdtm_CORRUPT_PAC.sh * lkdtm_UNALIGNED_LOAD_STORE_WRITE.sh * lkdtm_READ_AFTER_FREE.sh * lkdtm_READ_BUDDY_AFTER_FREE.sh * lkdtm_SLAB_FREE_DOUBLE.sh * lkdtm_SLAB_FREE_CROSS.sh * lkdtm_SLAB_FREE_PAGE.sh * lkdtm_EXEC_DATA.sh * lkdtm_EXEC_STACK.sh * lkdtm_EXEC_KMALLOC.sh * lkdtm_EXEC_VMALLOC.sh * lkdtm_EXEC_RODATA.sh * lkdtm_EXEC_USERSPACE.sh * lkdtm_EXEC_NULL.sh * lkdtm_ACCESS_USERSPACE.sh * lkdtm_ACCESS_NULL.sh * lkdtm_WRITE_RO.sh * lkdtm_WRITE_RO_AFTER_INIT.sh * lkdtm_WRITE_KERN.sh * lkdtm_REFCOUNT_INC_OVERFLOW.sh * lkdtm_REFCOUNT_ADD_OVERFLOW.sh * lkdtm_REFCOUNT_INC_NOT_ZERO_OVERFLOW.sh * lkdtm_REFCOUNT_ADD_NOT_ZERO_OVERFLOW.sh * lkdtm_REFCOUNT_DEC_ZERO.sh * lkdtm_REFCOUNT_DEC_NEGATIVE.sh * lkdtm_REFCOUNT_DEC_AND_TEST_NEGATIVE.sh * lkdtm_REFCOUNT_SUB_AND_TEST_NEGATIVE.sh * lkdtm_REFCOUNT_INC_ZERO.sh * lkdtm_REFCOUNT_ADD_ZERO.sh * lkdtm_REFCOUNT_INC_SATURATED.sh * lkdtm_REFCOUNT_DEC_SATURATED.sh * lkdtm_REFCOUNT_ADD_SATURATED.sh * lkdtm_REFCOUNT_INC_NOT_ZERO_SATURATED.sh * lkdtm_REFCOUNT_ADD_NOT_ZERO_SATURATED.sh * lkdtm_REFCOUNT_DEC_AND_TEST_SATURATED.sh * lkdtm_REFCOUNT_SUB_AND_TEST_SATURATED.sh * lkdtm_USERCOPY_HEAP_SIZE_TO.sh * lkdtm_USERCOPY_HEAP_SIZE_FROM.sh * lkdtm_USERCOPY_HEAP_WHITELIST_TO.sh * lkdtm_USERCOPY_HEAP_WHITELIST_FROM.sh * lkdtm_USERCOPY_STACK_FRAME_TO.sh * lkdtm_USERCOPY_STACK_FRAME_FROM.sh * lkdtm_USERCOPY_STACK_BEYOND.sh * lkdtm_USERCOPY_KERNEL.sh * lkdtm_STACKLEAK_ERASING.sh * lkdtm_CFI_FORWARD_PROTO.sh * mincore_mincore_selftest * mqueue_mq_perf_tests * net_xfrm_policy.sh * net_fib_tests.sh * net_fib-onlink-tests.sh * net_pmtu.sh * net_udpgso_bench.sh * net_psock_snd.sh * net_test_vxlan_under_vrf.sh * net_l2tp.sh * net_traceroute.sh * net_altnames.sh * net_icmp_redirect.sh * net_txtimestamp.sh * net_vrf-xfrm-tests.sh * net_devlink_port_split.py * netfilter_nft_concat_range.sh * netfilter_nft_queue.sh * pidfd_pidfd_open_test * pidfd_pidfd_poll_test * proc_proc-fsconfig-hidepid * pstore_pstore_tests * ptrace_vmaccess * openat2_openat2_test * openat2_resolve_test * openat2_rename_attack_test * rtc_rtctest * seccomp_seccomp_bpf * seccomp_seccomp_benchmark * splice_short_splice_read.sh * vm_run_vmtests * x86_syscall_numbering_64 ### x86, kselftest-vsyscall-mode-native * bpf_test_progs * bpf_test_dev_cgroup * bpf_test_tcpbpf_user * bpf_get_cgroup_id_user * bpf_test_socket_cookie * bpf_test_netcnt * bpf_test_tcpnotify_user * bpf_test_sock_fields * bpf_test_sysctl * bpf_test_progs-no_alu32 * bpf_test_sock_addr.sh * bpf_test_tunnel.sh * bpf_test_lwt_seg6local.sh * bpf_test_flow_dissector.sh * bpf_test_lwt_ip_encap.sh * bpf_test_tc_tunnel.sh * bpf_test_tc_edt.sh * bpf_test_xdping.sh * bpf_test_bpftool.sh * cgroup_test_freezer * clone3_clone3_cap_checkpoint_restore * core_close_range_test * firmware_fw_run_tests.sh * ftrace_ftracetest * intel_pstate_run.sh * kvm_vmx_preemption_timer_test * kvm_debug_regs * lkdtm_BUG.sh * lkdtm_WARNING.sh * lkdtm_WARNING_MESSAGE.sh * lkdtm_EXCEPTION.sh * lkdtm_CORRUPT_LIST_ADD.sh * lkdtm_CORRUPT_LIST_DEL.sh * lkdtm_STACK_GUARD_PAGE_LEADING.sh * lkdtm_STACK_GUARD_PAGE_TRAILING.sh * lkdtm_UNSET_SMEP.sh * lkdtm_CORRUPT_PAC.sh * lkdtm_UNALIGNED_LOAD_STORE_WRITE.sh * lkdtm_READ_AFTER_FREE.sh * lkdtm_READ_BUDDY_AFTER_FREE.sh * lkdtm_SLAB_FREE_DOUBLE.sh * lkdtm_SLAB_FREE_CROSS.sh * lkdtm_SLAB_FREE_PAGE.sh * lkdtm_EXEC_DATA.sh * lkdtm_EXEC_STACK.sh * lkdtm_EXEC_KMALLOC.sh * lkdtm_EXEC_VMALLOC.sh * lkdtm_EXEC_RODATA.sh * lkdtm_EXEC_USERSPACE.sh * lkdtm_EXEC_NULL.sh * lkdtm_ACCESS_USERSPACE.sh * lkdtm_ACCESS_NULL.sh * lkdtm_WRITE_RO.sh * lkdtm_WRITE_RO_AFTER_INIT.sh * lkdtm_WRITE_KERN.sh * lkdtm_REFCOUNT_INC_OVERFLOW.sh * lkdtm_REFCOUNT_ADD_OVERFLOW.sh * lkdtm_REFCOUNT_INC_NOT_ZERO_OVERFLOW.sh * lkdtm_REFCOUNT_ADD_NOT_ZERO_OVERFLOW.sh * lkdtm_REFCOUNT_DEC_ZERO.sh * lkdtm_REFCOUNT_DEC_NEGATIVE.sh * lkdtm_REFCOUNT_DEC_AND_TEST_NEGATIVE.sh * lkdtm_REFCOUNT_SUB_AND_TEST_NEGATIVE.sh * lkdtm_REFCOUNT_INC_ZERO.sh * lkdtm_REFCOUNT_ADD_ZERO.sh * lkdtm_REFCOUNT_INC_SATURATED.sh * lkdtm_REFCOUNT_DEC_SATURATED.sh * lkdtm_REFCOUNT_ADD_SATURATED.sh * lkdtm_REFCOUNT_INC_NOT_ZERO_SATURATED.sh * lkdtm_REFCOUNT_ADD_NOT_ZERO_SATURATED.sh * lkdtm_REFCOUNT_DEC_AND_TEST_SATURATED.sh * lkdtm_REFCOUNT_SUB_AND_TEST_SATURATED.sh * lkdtm_USERCOPY_HEAP_SIZE_TO.sh * lkdtm_USERCOPY_HEAP_SIZE_FROM.sh * lkdtm_USERCOPY_HEAP_WHITELIST_TO.sh * lkdtm_USERCOPY_HEAP_WHITELIST_FROM.sh * lkdtm_USERCOPY_STACK_FRAME_TO.sh * lkdtm_USERCOPY_STACK_FRAME_FROM.sh * lkdtm_USERCOPY_STACK_BEYOND.sh * lkdtm_USERCOPY_KERNEL.sh * lkdtm_STACKLEAK_ERASING.sh * lkdtm_CFI_FORWARD_PROTO.sh * mincore_mincore_selftest * mqueue_mq_perf_tests * net_run_netsocktests * net_xfrm_policy.sh * net_fib_tests.sh * net_fib-onlink-tests.sh * net_pmtu.sh * net_udpgso_bench.sh * net_psock_snd.sh * net_test_vxlan_under_vrf.sh * net_l2tp.sh * net_traceroute.sh * net_altnames.sh * net_icmp_redirect.sh * net_txtimestamp.sh * net_vrf-xfrm-tests.sh * net_devlink_port_split.py * netfilter_nft_concat_range.sh * netfilter_nft_queue.sh * pidfd_pidfd_open_test * pidfd_pidfd_poll_test * proc_proc-fsconfig-hidepid * pstore_pstore_tests * ptrace_vmaccess * openat2_openat2_test * openat2_resolve_test * openat2_rename_attack_test * rtc_rtctest * seccomp_seccomp_bpf * seccomp_seccomp_benchmark * splice_short_splice_read.sh * vm_run_vmtests * x86_syscall_numbering_64 ### x86, kselftest-vsyscall-mode-none * bpf_test_progs * bpf_test_dev_cgroup * bpf_test_tcpbpf_user * bpf_get_cgroup_id_user * bpf_test_socket_cookie * bpf_test_netcnt * bpf_test_tcpnotify_user * bpf_test_sock_fields * bpf_test_sysctl * bpf_test_progs-no_alu32 * bpf_test_sock_addr.sh * bpf_test_tunnel.sh * bpf_test_lwt_seg6local.sh * bpf_test_flow_dissector.sh * bpf_test_lwt_ip_encap.sh * bpf_test_tc_tunnel.sh * bpf_test_tc_edt.sh * bpf_test_xdping.sh * bpf_test_bpftool.sh * clone3_clone3_cap_checkpoint_restore * core_close_range_test * firmware_fw_run_tests.sh * ftrace_ftracetest * intel_pstate_run.sh * kvm_debug_regs * lkdtm_BUG.sh * lkdtm_WARNING.sh * lkdtm_WARNING_MESSAGE.sh * lkdtm_EXCEPTION.sh * lkdtm_CORRUPT_LIST_ADD.sh * lkdtm_CORRUPT_LIST_DEL.sh * lkdtm_STACK_GUARD_PAGE_LEADING.sh * lkdtm_STACK_GUARD_PAGE_TRAILING.sh * lkdtm_UNSET_SMEP.sh * lkdtm_CORRUPT_PAC.sh * lkdtm_UNALIGNED_LOAD_STORE_WRITE.sh * lkdtm_READ_AFTER_FREE.sh * lkdtm_READ_BUDDY_AFTER_FREE.sh * lkdtm_SLAB_FREE_DOUBLE.sh * lkdtm_SLAB_FREE_CROSS.sh * lkdtm_SLAB_FREE_PAGE.sh * lkdtm_EXEC_DATA.sh * lkdtm_EXEC_STACK.sh * lkdtm_EXEC_KMALLOC.sh * lkdtm_EXEC_VMALLOC.sh * lkdtm_EXEC_RODATA.sh * lkdtm_EXEC_USERSPACE.sh * lkdtm_EXEC_NULL.sh * lkdtm_ACCESS_USERSPACE.sh * lkdtm_ACCESS_NULL.sh * lkdtm_WRITE_RO.sh * lkdtm_WRITE_RO_AFTER_INIT.sh * lkdtm_WRITE_KERN.sh * lkdtm_REFCOUNT_INC_OVERFLOW.sh * lkdtm_REFCOUNT_ADD_OVERFLOW.sh * lkdtm_REFCOUNT_INC_NOT_ZERO_OVERFLOW.sh * lkdtm_REFCOUNT_ADD_NOT_ZERO_OVERFLOW.sh * lkdtm_REFCOUNT_DEC_ZERO.sh * lkdtm_REFCOUNT_DEC_NEGATIVE.sh * lkdtm_REFCOUNT_DEC_AND_TEST_NEGATIVE.sh * lkdtm_REFCOUNT_SUB_AND_TEST_NEGATIVE.sh * lkdtm_REFCOUNT_INC_ZERO.sh * lkdtm_REFCOUNT_ADD_ZERO.sh * lkdtm_REFCOUNT_INC_SATURATED.sh * lkdtm_REFCOUNT_DEC_SATURATED.sh * lkdtm_REFCOUNT_ADD_SATURATED.sh * lkdtm_REFCOUNT_INC_NOT_ZERO_SATURATED.sh * lkdtm_REFCOUNT_ADD_NOT_ZERO_SATURATED.sh * lkdtm_REFCOUNT_DEC_AND_TEST_SATURATED.sh * lkdtm_REFCOUNT_SUB_AND_TEST_SATURATED.sh * lkdtm_USERCOPY_HEAP_SIZE_TO.sh * lkdtm_USERCOPY_HEAP_SIZE_FROM.sh * lkdtm_USERCOPY_HEAP_WHITELIST_TO.sh * lkdtm_USERCOPY_HEAP_WHITELIST_FROM.sh * lkdtm_USERCOPY_STACK_FRAME_TO.sh * lkdtm_USERCOPY_STACK_FRAME_FROM.sh * lkdtm_USERCOPY_STACK_BEYOND.sh * lkdtm_USERCOPY_KERNEL.sh * lkdtm_STACKLEAK_ERASING.sh * lkdtm_CFI_FORWARD_PROTO.sh * mincore_mincore_selftest * mqueue_mq_perf_tests * net_run_netsocktests * net_xfrm_policy.sh * net_fib_tests.sh * net_fib-onlink-tests.sh * net_pmtu.sh * net_udpgso_bench.sh * net_test_vxlan_under_vrf.sh * net_l2tp.sh * net_traceroute.sh * net_altnames.sh * net_icmp_redirect.sh * net_txtimestamp.sh * net_vrf-xfrm-tests.sh * net_devlink_port_split.py * netfilter_nft_concat_range.sh * netfilter_nft_queue.sh * pidfd_pidfd_open_test * pidfd_pidfd_poll_test * proc_proc-fsconfig-hidepid * pstore_pstore_tests * ptrace_vmaccess * openat2_openat2_test * openat2_resolve_test * openat2_rename_attack_test * seccomp_seccomp_bpf * seccomp_seccomp_benchmark * splice_short_splice_read.sh * vm_run_vmtests * x86_syscall_numbering_64 ## Skips ### i386, kselftest * bpf_test_xdp_veth.sh * cgroup_test_memcontrol * cgroup_test_kmem * cgroup_test_core * cgroup_test_stress.sh * efivarfs_efivarfs.sh * fpu_run_test_fpu.sh * ir_ir_loopback.sh * kexec_test_kexec_load.sh * kexec_test_kexec_file_load.sh * livepatch_test-livepatch.sh * livepatch_test-callbacks.sh * livepatch_test-shadow-vars.sh * livepatch_test-state.sh * livepatch_test-ftrace.sh * lkdtm_PANIC.sh * lkdtm_LOOP.sh * lkdtm_EXHAUST_STACK.sh * lkdtm_CORRUPT_STACK.sh * lkdtm_CORRUPT_STACK_STRONG.sh * lkdtm_OVERWRITE_ALLOCATION.sh * lkdtm_WRITE_AFTER_FREE.sh * lkdtm_WRITE_BUDDY_AFTER_FREE.sh * lkdtm_SOFTLOCKUP.sh * lkdtm_HARDLOCKUP.sh * lkdtm_SPINLOCKUP.sh * lkdtm_HUNG_TASK.sh * lkdtm_REFCOUNT_TIMING.sh * lkdtm_ATOMIC_TIMING.sh * memory-hotplug_mem-on-off-test.sh * net_reuseport_bpf_numa * netfilter_ipvs.sh * netfilter_nft_conntrack_helper.sh * netfilter_nft_meta.sh * proc_proc-pid-vm * pstore_pstore_post_reboot_tests * tpm2_test_smoke.sh * tpm2_test_space.sh ### x86, kselftest * bpf_test_xdp_veth.sh * cgroup_test_memcontrol * cgroup_test_kmem * cgroup_test_core * cgroup_test_stress.sh * efivarfs_efivarfs.sh * fpu_run_test_fpu.sh * ir_ir_loopback.sh * kexec_test_kexec_load.sh * kexec_test_kexec_file_load.sh * kvm_mmio_warning_test * kvm_svm_vmcall_test * lkdtm_PANIC.sh * lkdtm_LOOP.sh * lkdtm_EXHAUST_STACK.sh * lkdtm_CORRUPT_STACK.sh * lkdtm_CORRUPT_STACK_STRONG.sh * lkdtm_DOUBLE_FAULT.sh * lkdtm_OVERWRITE_ALLOCATION.sh * lkdtm_WRITE_AFTER_FREE.sh * lkdtm_WRITE_BUDDY_AFTER_FREE.sh * lkdtm_SOFTLOCKUP.sh * lkdtm_HARDLOCKUP.sh * lkdtm_SPINLOCKUP.sh * lkdtm_HUNG_TASK.sh * lkdtm_REFCOUNT_TIMING.sh * lkdtm_ATOMIC_TIMING.sh * netfilter_ipvs.sh * netfilter_nft_conntrack_helper.sh * netfilter_nft_meta.sh * pstore_pstore_post_reboot_tests * tpm2_test_smoke.sh * tpm2_test_space.sh ### x86, kselftest-vsyscall-mode-native * bpf_test_xdp_veth.sh * cgroup_test_memcontrol * cgroup_test_kmem * cgroup_test_core * cgroup_test_stress.sh * efivarfs_efivarfs.sh * fpu_run_test_fpu.sh * ir_ir_loopback.sh * kexec_test_kexec_load.sh * kexec_test_kexec_file_load.sh * kvm_mmio_warning_test * kvm_svm_vmcall_test * lkdtm_PANIC.sh * lkdtm_LOOP.sh * lkdtm_EXHAUST_STACK.sh * lkdtm_CORRUPT_STACK.sh * lkdtm_CORRUPT_STACK_STRONG.sh * lkdtm_DOUBLE_FAULT.sh * lkdtm_OVERWRITE_ALLOCATION.sh * lkdtm_WRITE_AFTER_FREE.sh * lkdtm_WRITE_BUDDY_AFTER_FREE.sh * lkdtm_SOFTLOCKUP.sh * lkdtm_HARDLOCKUP.sh * lkdtm_SPINLOCKUP.sh * lkdtm_HUNG_TASK.sh * lkdtm_REFCOUNT_TIMING.sh * lkdtm_ATOMIC_TIMING.sh * netfilter_ipvs.sh * netfilter_nft_conntrack_helper.sh * netfilter_nft_meta.sh * pstore_pstore_post_reboot_tests * tpm2_test_smoke.sh * tpm2_test_space.sh ### x86, kselftest-vsyscall-mode-none * bpf_test_xdp_veth.sh * cgroup_test_memcontrol * cgroup_test_kmem * cgroup_test_core * cgroup_test_stress.sh * efivarfs_efivarfs.sh * fpu_run_test_fpu.sh * ir_ir_loopback.sh * kexec_test_kexec_load.sh * kexec_test_kexec_file_load.sh * kvm_mmio_warning_test * kvm_svm_vmcall_test * lkdtm_PANIC.sh * lkdtm_LOOP.sh * lkdtm_EXHAUST_STACK.sh * lkdtm_CORRUPT_STACK.sh * lkdtm_CORRUPT_STACK_STRONG.sh * lkdtm_DOUBLE_FAULT.sh * lkdtm_OVERWRITE_ALLOCATION.sh * lkdtm_WRITE_AFTER_FREE.sh * lkdtm_WRITE_BUDDY_AFTER_FREE.sh * lkdtm_SOFTLOCKUP.sh * lkdtm_HARDLOCKUP.sh * lkdtm_SPINLOCKUP.sh * lkdtm_HUNG_TASK.sh * lkdtm_REFCOUNT_TIMING.sh * lkdtm_ATOMIC_TIMING.sh * netfilter_ipvs.sh * netfilter_nft_conntrack_helper.sh * netfilter_nft_meta.sh * pstore_pstore_post_reboot_tests * tpm2_test_smoke.sh * tpm2_test_space.sh -- Linaro LKFT https://lkft.linaro.org

4 years, 4 months

1
0
0 0

[PATCH v2 0/4] kselftests/arm64: add PAuth tests

by Boyan Karatotev

Pointer Authentication (PAuth) is a security feature introduced in ARMv8.3. It introduces instructions to sign addresses and later check for potential corruption using a second modifier value and one of a set of keys. The signature, in the form of the Pointer Authentication Code (PAC), is stored in some of the top unused bits of the virtual address (e.g. [54: 49] if TBID0 is enabled and TnSZ is set to use a 48 bit VA space). A set of controls are present to enable/disable groups of instructions (which use certain keys) for compatibility with libraries that do not utilize the feature. PAuth is used to verify the integrity of return addresses on the stack with less memory than the stack canary. This patchset adds kselftests to verify the kernel's configuration of the feature and its runtime behaviour. There are 7 tests which verify that: * an authentication failure leads to a SIGSEGV * the data/instruction instruction groups are enabled * the generic instructions are enabled * all 5 keys are unique for a single thread * exec() changes all keys to new unique ones * context switching preserves the 4 data/instruction keys * context switching preserves the generic keys The tests have been verified to work on qemu without a working PAUTH Implementation and on ARM's FVP with a full or partial PAuth implementation. Changes in v2: * remove extra lines at end of files * Patch 1: "kselftests: add a basic arm64 Pointer Authentication test" * add checks for a compatible compiler in Makefile * Patch 4: "kselftests: add PAuth tests for single threaded consistency and key uniqueness" * rephrase comment for clarity in pac.c Cc: Shuah Khan <shuah(a)kernel.org> Cc: Catalin Marinas <catalin.marinas(a)arm.com> Cc: Will Deacon <will(a)kernel.org> Reviewed-by: Vincenzo Frascino <Vincenzo.Frascino(a)arm.com> Reviewed-by: Amit Daniel Kachhap <amit.kachhap(a)arm.com> Signed-off-by: Boyan Karatotev <boyan.karatotev(a)arm.com> Boyan Karatotev (4): kselftests/arm64: add a basic Pointer Authentication test kselftests/arm64: add nop checks for PAuth tests kselftests/arm64: add PAuth test for whether exec() changes keys kselftests/arm64: add PAuth tests for single threaded consistency and key uniqueness tools/testing/selftests/arm64/Makefile | 2 +- .../testing/selftests/arm64/pauth/.gitignore | 2 + tools/testing/selftests/arm64/pauth/Makefile | 39 ++ .../selftests/arm64/pauth/exec_target.c | 35 ++ tools/testing/selftests/arm64/pauth/helper.c | 40 ++ tools/testing/selftests/arm64/pauth/helper.h | 29 ++ tools/testing/selftests/arm64/pauth/pac.c | 348 ++++++++++++++++++ .../selftests/arm64/pauth/pac_corruptor.S | 35 ++ 8 files changed, 529 insertions(+), 1 deletion(-) create mode 100644 tools/testing/selftests/arm64/pauth/.gitignore create mode 100644 tools/testing/selftests/arm64/pauth/Makefile create mode 100644 tools/testing/selftests/arm64/pauth/exec_target.c create mode 100644 tools/testing/selftests/arm64/pauth/helper.c create mode 100644 tools/testing/selftests/arm64/pauth/helper.h create mode 100644 tools/testing/selftests/arm64/pauth/pac.c create mode 100644 tools/testing/selftests/arm64/pauth/pac_corruptor.S -- 2.17.1

4 years, 4 months

7
12
0 0

Re: [patch 00/13] preempt: Make preempt count unconditional

by Matthew Wilcox

On Mon, Sep 14, 2020 at 11:55:24PM +0200, Thomas Gleixner wrote: > But just look at any check which uses preemptible(), especially those > which check !preemptible(): hmm. +++ b/include/linux/preempt.h @@ -180,7 +180,9 @@ do { \ #define preempt_enable_no_resched() sched_preempt_enable_no_resched() +#ifndef MODULE #define preemptible() (preempt_count() == 0 && !irqs_disabled()) +#endif #ifdef CONFIG_PREEMPTION #define preempt_enable() \ $ git grep -w preemptible drivers (slightly trimmed by hand to remove, eg, comments) drivers/firmware/arm_sdei.c: WARN_ON_ONCE(preemptible()); drivers/firmware/arm_sdei.c: WARN_ON_ONCE(preemptible()); drivers/firmware/arm_sdei.c: WARN_ON_ONCE(preemptible()); drivers/firmware/arm_sdei.c: WARN_ON_ONCE(preemptible()); drivers/firmware/arm_sdei.c: WARN_ON(preemptible()); drivers/firmware/efi/efi-pstore.c: preemptible(), record->size, record->psi->buf); drivers/irqchip/irq-gic-v4.c: WARN_ON(preemptible()); drivers/irqchip/irq-gic-v4.c: WARN_ON(preemptible()); drivers/scsi/hisi_sas/hisi_sas_main.c: if (!preemptible()) drivers/xen/time.c: BUG_ON(preemptible()); That only looks like two drivers that need more than WARNectomies. Although maybe rcu_read_load_sched_held() or rcu_read_lock_any_held() might get called from a module ...

4 years, 4 months

2
1
0 0

[PATCH 0/4] kselftests/arm64: add PAuth tests

by Boyan Karatotev

Pointer Authentication (PAuth) is a security feature introduced in ARMv8.3. It introduces instructions to sign addresses and later check for potential corruption using a second modifier value and one of a set of keys. The signature, in the form of the Pointer Authentication Code (PAC), is stored in some of the top unused bits of the virtual address (e.g. [54: 49] if TBID0 is enabled and TnSZ is set to use a 48 bit VA space). A set of controls are present to enable/disable groups of instructions (which use certain keys) for compatibility with libraries that do not utilize the feature. PAuth is used to verify the integrity of return addresses on the stack with less memory than the stack canary. This patchset adds kselftests to verify the kernel's configuration of the feature and its runtime behaviour. There are 7 tests which verify that: * an authentication failure leads to a SIGSEGV * the data/instruction instruction groups are enabled * the generic instructions are enabled * all 5 keys are unique for a single thread * exec() changes all keys to new unique ones * context switching preserves the 4 data/instruction keys * context switching preserves the generic keys The tests have been verified to work on qemu without a working PAUTH Implementation and on ARM's FVP with a full or partial PAuth implementation. Note: This patchset is only verified for ARMv8.3 and there will be some changes required for ARMv8.6. More details can be found here [1]. Once ARMv8.6 PAuth is merged the first test in this series will required to be updated. [1] https://lore.kernel.org/linux-arm-kernel/1597734671-23407-1-git-send-email-… Cc: Shuah Khan <shuah(a)kernel.org> Cc: Catalin Marinas <catalin.marinas(a)arm.com> Cc: Will Deacon <will(a)kernel.org> Signed-off-by: Boyan Karatotev <boyan.karatotev(a)arm.com> Boyan Karatotev (4): kselftests/arm64: add a basic Pointer Authentication test kselftests/arm64: add nop checks for PAuth tests kselftests/arm64: add PAuth test for whether exec() changes keys kselftests/arm64: add PAuth tests for single threaded consistency and key uniqueness tools/testing/selftests/arm64/Makefile | 2 +- .../testing/selftests/arm64/pauth/.gitignore | 2 + tools/testing/selftests/arm64/pauth/Makefile | 29 ++ .../selftests/arm64/pauth/exec_target.c | 35 ++ tools/testing/selftests/arm64/pauth/helper.c | 41 +++ tools/testing/selftests/arm64/pauth/helper.h | 30 ++ tools/testing/selftests/arm64/pauth/pac.c | 347 ++++++++++++++++++ .../selftests/arm64/pauth/pac_corruptor.S | 36 ++ 8 files changed, 521 insertions(+), 1 deletion(-) create mode 100644 tools/testing/selftests/arm64/pauth/.gitignore create mode 100644 tools/testing/selftests/arm64/pauth/Makefile create mode 100644 tools/testing/selftests/arm64/pauth/exec_target.c create mode 100644 tools/testing/selftests/arm64/pauth/helper.c create mode 100644 tools/testing/selftests/arm64/pauth/helper.h create mode 100644 tools/testing/selftests/arm64/pauth/pac.c create mode 100644 tools/testing/selftests/arm64/pauth/pac_corruptor.S -- 2.17.1

4 years, 4 months

5
23
0 0

[PATCH v20 00/12] Landlock LSM

by Mickaël Salaün

Hi, This new patch series mainly replace the landlock(2) command multiplexor with 4 new dedicated syscalls: * landlock_get_features(2) * landlock_create_ruleset(2) * landlock_add_rule(2) * landlock_enforce_ruleset(2) The SLOC count is 1264 for security/landlock/ and 1712 for tools/testing/selftest/landlock/ . Test coverage for security/landlock/ is 93.6% of lines. The code not covered only deals with internal kernel errors (e.g. memory allocation) and race conditions. The compiled documentation is available here: https://landlock.io/linux-doc/landlock-v20/security/landlock/index.html This series can be applied on top of v5.8-rc4 . This can be tested with CONFIG_SECURITY_LANDLOCK and CONFIG_SAMPLE_LANDLOCK. This patch series can be found in a Git repository here: https://github.com/landlock-lsm/linux/commits/landlock-v20 I would really appreciate constructive comments on this patch series. # Landlock LSM The goal of Landlock is to enable to restrict ambient rights (e.g. global filesystem access) for a set of processes. Because Landlock is a stackable LSM [1], it makes possible to create safe security sandboxes as new security layers in addition to the existing system-wide access-controls. This kind of sandbox is expected to help mitigate the security impact of bugs or unexpected/malicious behaviors in user-space applications. Landlock empowers any process, including unprivileged ones, to securely restrict themselves. Landlock is inspired by seccomp-bpf but instead of filtering syscalls and their raw arguments, a Landlock rule can restrict the use of kernel objects like file hierarchies, according to the kernel semantic. Landlock also takes inspiration from other OS sandbox mechanisms: XNU Sandbox, FreeBSD Capsicum or OpenBSD Pledge/Unveil. In this current form, Landlock misses some access-control features. This enables to minimize this patch series and ease review. This series still addresses multiple use cases, especially with the combined use of seccomp-bpf: applications with built-in sandboxing, init systems, security sandbox tools and security-oriented APIs [2]. Previous version: https://lore.kernel.org/lkml/20200707180955.53024-1-mic@digikod.net/ [1] https://lore.kernel.org/lkml/50db058a-7dde-441b-a7f9-f6837fe8b69f@schaufler… [2] https://lore.kernel.org/lkml/f646e1c7-33cf-333f-070c-0a40ad0468cd@digikod.n… Casey Schaufler (1): LSM: Infrastructure management of the superblock Mickaël Salaün (11): landlock: Add object management landlock: Add ruleset and domain management landlock: Set up the security framework and manage credentials landlock: Add ptrace restrictions fs,security: Add sb_delete hook landlock: Support filesystem access-control landlock: Add syscall implementations arch: Wire up Landlock syscalls selftests/landlock: Add initial tests samples/landlock: Add a sandbox manager example landlock: Add user and kernel documentation Documentation/security/index.rst | 1 + Documentation/security/landlock/index.rst | 18 + Documentation/security/landlock/kernel.rst | 69 + Documentation/security/landlock/user.rst | 271 +++ MAINTAINERS | 11 + arch/Kconfig | 7 + arch/alpha/kernel/syscalls/syscall.tbl | 4 + arch/arm/tools/syscall.tbl | 4 + arch/arm64/include/asm/unistd.h | 2 +- arch/arm64/include/asm/unistd32.h | 8 + arch/ia64/kernel/syscalls/syscall.tbl | 4 + arch/m68k/kernel/syscalls/syscall.tbl | 4 + arch/microblaze/kernel/syscalls/syscall.tbl | 4 + arch/mips/kernel/syscalls/syscall_n32.tbl | 4 + arch/mips/kernel/syscalls/syscall_n64.tbl | 4 + arch/mips/kernel/syscalls/syscall_o32.tbl | 4 + arch/parisc/kernel/syscalls/syscall.tbl | 4 + arch/powerpc/kernel/syscalls/syscall.tbl | 4 + arch/s390/kernel/syscalls/syscall.tbl | 4 + arch/sh/kernel/syscalls/syscall.tbl | 4 + arch/sparc/kernel/syscalls/syscall.tbl | 4 + arch/um/Kconfig | 1 + arch/x86/entry/syscalls/syscall_32.tbl | 4 + arch/x86/entry/syscalls/syscall_64.tbl | 4 + arch/xtensa/kernel/syscalls/syscall.tbl | 4 + fs/super.c | 1 + include/linux/lsm_hook_defs.h | 1 + include/linux/lsm_hooks.h | 3 + include/linux/security.h | 4 + include/linux/syscalls.h | 8 + include/uapi/asm-generic/unistd.h | 10 +- include/uapi/linux/landlock.h | 209 ++ kernel/sys_ni.c | 6 + samples/Kconfig | 7 + samples/Makefile | 1 + samples/landlock/.gitignore | 1 + samples/landlock/Makefile | 15 + samples/landlock/sandboxer.c | 248 +++ security/Kconfig | 11 +- security/Makefile | 2 + security/landlock/Kconfig | 18 + security/landlock/Makefile | 4 + security/landlock/common.h | 20 + security/landlock/cred.c | 46 + security/landlock/cred.h | 58 + security/landlock/fs.c | 609 ++++++ security/landlock/fs.h | 60 + security/landlock/object.c | 66 + security/landlock/object.h | 91 + security/landlock/ptrace.c | 120 ++ security/landlock/ptrace.h | 14 + security/landlock/ruleset.c | 342 ++++ security/landlock/ruleset.h | 157 ++ security/landlock/setup.c | 40 + security/landlock/setup.h | 18 + security/landlock/syscall.c | 571 ++++++ security/security.c | 51 +- security/selinux/hooks.c | 58 +- security/selinux/include/objsec.h | 6 + security/selinux/ss/services.c | 3 +- security/smack/smack.h | 6 + security/smack/smack_lsm.c | 35 +- tools/testing/selftests/Makefile | 1 + tools/testing/selftests/landlock/.gitignore | 2 + tools/testing/selftests/landlock/Makefile | 29 + tools/testing/selftests/landlock/base_test.c | 154 ++ tools/testing/selftests/landlock/common.h | 122 ++ tools/testing/selftests/landlock/config | 5 + tools/testing/selftests/landlock/fs_test.c | 1698 +++++++++++++++++ .../testing/selftests/landlock/ptrace_test.c | 310 +++ tools/testing/selftests/landlock/true.c | 5 + 71 files changed, 5621 insertions(+), 77 deletions(-) create mode 100644 Documentation/security/landlock/index.rst create mode 100644 Documentation/security/landlock/kernel.rst create mode 100644 Documentation/security/landlock/user.rst create mode 100644 include/uapi/linux/landlock.h create mode 100644 samples/landlock/.gitignore create mode 100644 samples/landlock/Makefile create mode 100644 samples/landlock/sandboxer.c create mode 100644 security/landlock/Kconfig create mode 100644 security/landlock/Makefile create mode 100644 security/landlock/common.h create mode 100644 security/landlock/cred.c create mode 100644 security/landlock/cred.h create mode 100644 security/landlock/fs.c create mode 100644 security/landlock/fs.h create mode 100644 security/landlock/object.c create mode 100644 security/landlock/object.h create mode 100644 security/landlock/ptrace.c create mode 100644 security/landlock/ptrace.h create mode 100644 security/landlock/ruleset.c create mode 100644 security/landlock/ruleset.h create mode 100644 security/landlock/setup.c create mode 100644 security/landlock/setup.h create mode 100644 security/landlock/syscall.c create mode 100644 tools/testing/selftests/landlock/.gitignore create mode 100644 tools/testing/selftests/landlock/Makefile create mode 100644 tools/testing/selftests/landlock/base_test.c create mode 100644 tools/testing/selftests/landlock/common.h create mode 100644 tools/testing/selftests/landlock/config create mode 100644 tools/testing/selftests/landlock/fs_test.c create mode 100644 tools/testing/selftests/landlock/ptrace_test.c create mode 100644 tools/testing/selftests/landlock/true.c -- 2.28.0.rc2

4 years, 4 months

3
18
0 0

Re: [patch 08/13] sched: Clenaup PREEMPT_COUNT leftovers

by Valentin Schneider

On 14/09/20 21:42, Thomas Gleixner wrote: > CONFIG_PREEMPT_COUNT is now unconditionally enabled and will be > removed. Cleanup the leftovers before doing so. > > Signed-off-by: Thomas Gleixner <tglx(a)linutronix.de> > Cc: Ingo Molnar <mingo(a)redhat.com> > Cc: Peter Zijlstra <peterz(a)infradead.org> > Cc: Juri Lelli <juri.lelli(a)redhat.com> > Cc: Vincent Guittot <vincent.guittot(a)linaro.org> > Cc: Dietmar Eggemann <dietmar.eggemann(a)arm.com> > Cc: Steven Rostedt <rostedt(a)goodmis.org> > Cc: Ben Segall <bsegall(a)google.com> > Cc: Mel Gorman <mgorman(a)suse.de> > Cc: Daniel Bristot de Oliveira <bristot(a)redhat.com> Small nit below; Reviewed-by: Valentin Schneider <valentin.schneider(a)arm.com> > --- > kernel/sched/core.c | 6 +----- > lib/Kconfig.debug | 1 - > 2 files changed, 1 insertion(+), 6 deletions(-) > > --- a/kernel/sched/core.c > +++ b/kernel/sched/core.c > @@ -3706,8 +3706,7 @@ asmlinkage __visible void schedule_tail( > * finish_task_switch() for details. > * > * finish_task_switch() will drop rq->lock() and lower preempt_count > - * and the preempt_enable() will end up enabling preemption (on > - * PREEMPT_COUNT kernels). I suppose this wanted to be s/PREEMPT_COUNT/PREEMPT/ in the first place, which ought to be still relevant. > + * and the preempt_enable() will end up enabling preemption. > */ > > rq = finish_task_switch(prev);

4 years, 4 months

1
0
0 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

Linux-kselftest-mirror