Multiple PAC keys support for Linux kernel

According to the Linux document (www.kernel.org/.../pointer-authentication.html),

"The extension provides five separate keys to generate PACs - two for instruction addresses (APIAKey, APIBKey), two for data addresses (APDAKey, APDBKey), and one for generic authentication (APGAKey)."

Looking at the latest Linux kernel source code, however, while all five keys are supported for userspace, it seems only one key, apia, is supported for kernel space.

/*
 * We give each process its own keys, which are shared by all threads. The keys
 * are inherited upon fork(), and reinitialised upon exec*().
 */
struct ptrauth_keys_user {
	struct ptrauth_key apia;
	struct ptrauth_key apib;
	struct ptrauth_key apda;
	struct ptrauth_key apdb;
	struct ptrauth_key apga;
};

#define __ptrauth_key_install_nosync(k, v)			\
do {								\
	struct ptrauth_key __pki_v = (v);			\
	write_sysreg_s(__pki_v.lo, SYS_ ## k ## KEYLO_EL1);	\
	write_sysreg_s(__pki_v.hi, SYS_ ## k ## KEYHI_EL1);	\
} while (0)

#ifdef CONFIG_ARM64_PTR_AUTH_KERNEL

struct ptrauth_keys_kernel {
	struct ptrauth_key apia;
};

I'd like to ask if it is correct that only one key, apia, is currently supported for the kernel.

If it is, I wonder if there is any plan for the other four keys to be also added for kernel space.

Please kindly give me any answers or information on my question.

Thank you.

  • Hi,

    Linux kernel questions are best asked on the kernel mailing list, but I've asked about it and got some expert answers:

    The kernel only uses the APIA key (for protecting the return address), and doesn't make use of the other keys, so there's no reason to save/restore those in kernel context.

    KVM temporarily uses the APGA key as part of simulating ERET for nested virtualization.

    There are no current plans to make use of the other keys within the kernel, and hence there are no plans to save/restore them in kernel context.

    In general using pointer authentication throughout the kernel would require the use of instructions outside of the HINT space, which cannot run on hardware without pointer authentication, and goes against the usual goal of a single kernel image that works everywhere. Switching more keys would come with additional cost.
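The thread above contrasts the five per-process user keys in `struct ptrauth_keys_user` with the single `apia` key in `struct ptrauth_keys_kernel`. The program below is a software model added here to illustrate that split; it is not kernel code and not from either poster. It assumes a 48-bit VA with TBI off (PAC in bits 54:48 and 63:56), replaces the hardware's QARMA with a constructed keyed mix, and marks a failed authentication by flipping bit 62 so the result is non-canonical, standing in for the corrupted top bits real hardware produces. It shows why a PAC made under one key domain does not authenticate under another, and why kernel return-address protection needs only `apia`.

```c
/* Software model of the PAC key domains discussed above.
 * Added example, not kernel code: the keyed mix below stands in for the
 * hardware's QARMA cipher, so only the key layout, the sign/auth flow
 * and the separation between key domains are meaningful. */
#include <stdint.h>
#include <stdio.h>

/* Same key names and lo/hi halves as the kernel's struct ptrauth_keys_user. */
struct ptrauth_key { uint64_t lo, hi; };

enum pac_key_id { APIA, APIB, APDA, APDB, APGA, PAC_NKEYS };

struct ptrauth_keys_user { struct ptrauth_key key[PAC_NKEYS]; };

/* Kernel context only signs/authenticates return addresses, so one key. */
struct ptrauth_keys_kernel { struct ptrauth_key apia; };

/* Assumed layout: 48-bit VA, TBI off. PAC occupies bits 54:48 and 63:56;
 * bit 55 stays untouched because it selects the upper/lower address half. */
#define PAC_MASK     ((0x7FULL << 48) | (0xFFULL << 56))
#define HALF_BIT     (1ULL << 55)
#define PAC_FAIL_BIT (1ULL << 62)   /* model-only marker flipped on failed auth */

/* Constructed stand-in for QARMA: a keyed mix of (pointer, modifier). */
static uint64_t model_mac(const struct ptrauth_key *k, uint64_t ptr, uint64_t mod)
{
    uint64_t v = ptr ^ k->lo;
    uint64_t w = mod ^ k->hi ^ 0xA5A5A5A5A5A5A5A5ULL;
    for (int i = 0; i < 6; i++) {
        v += w;
        v = (v << 13) | (v >> 51);
        v *= 0x9E3779B97F4A7C15ULL;
        w ^= v;
        w = (w << 29) | (w >> 35);
        w *= 0xC2B2AE3D27D4EB4FULL;
    }
    return v ^ w;
}

/* Fold the MAC into the 15 PAC bits of the assumed layout. */
static uint64_t pac_field(const struct ptrauth_key *k, uint64_t ptr, uint64_t mod)
{
    uint64_t m = model_mac(k, ptr, mod);
    return ((m & 0x7F) << 48) | (((m >> 7) & 0xFF) << 56);
}

/* A pointer is canonical when bits 63:48 are all zero or all one. */
int pac_is_canonical(uint64_t p)
{
    uint64_t hi = p >> 48;
    return hi == 0 || hi == 0xFFFF;
}

/* XPAC*: drop the PAC by restoring the canonical extension of bit 55. */
uint64_t pac_strip(uint64_t p)
{
    return (p & HALF_BIT) ? (p | PAC_MASK) : (p & ~PAC_MASK);
}

/* PAC*: XOR the PAC into a canonical pointer, so both address halves work. */
static uint64_t sign_with(const struct ptrauth_key *k, uint64_t ptr, uint64_t mod)
{
    return ptr ^ pac_field(k, ptr, mod);
}

/* AUT*: recompute and compare; a mismatch yields a non-canonical pointer. */
static uint64_t auth_with(const struct ptrauth_key *k, uint64_t s, uint64_t mod)
{
    uint64_t plain = pac_strip(s);
    if (((s ^ plain) & PAC_MASK) == pac_field(k, plain, mod))
        return plain;
    return plain ^ PAC_FAIL_BIT;
}

uint64_t pac_sign(const struct ptrauth_keys_user *u, enum pac_key_id id, uint64_t ptr, uint64_t mod)
{ return sign_with(&u->key[id], ptr, mod); }

uint64_t pac_auth(const struct ptrauth_keys_user *u, enum pac_key_id id, uint64_t s, uint64_t mod)
{ return auth_with(&u->key[id], s, mod); }

/* Kernel side: return addresses only ever use apia, with SP as the modifier. */
uint64_t kernel_sign_ret(const struct ptrauth_keys_kernel *k, uint64_t lr, uint64_t sp)
{ return sign_with(&k->apia, lr, sp); }

uint64_t kernel_auth_ret(const struct ptrauth_keys_kernel *k, uint64_t s, uint64_t sp)
{ return auth_with(&k->apia, s, sp); }

/* Constructed demo keys; the kernel draws real ones randomly per exec(). */
const struct ptrauth_keys_user *demo_user_keys(void)
{
    static const struct ptrauth_keys_user u = { .key = {
        [APIA] = { 0x0123456789ABCDEFULL, 0xFEDCBA9876543210ULL },
        [APIB] = { 0x1111111111111111ULL, 0x2222222222222222ULL },
        [APDA] = { 0x3333333333333333ULL, 0x4444444444444444ULL },
        [APDB] = { 0x5555555555555555ULL, 0x6666666666666666ULL },
        [APGA] = { 0x7777777777777777ULL, 0x8888888888888888ULL },
    } };
    return &u;
}

const struct ptrauth_keys_kernel *demo_kernel_keys(void)
{
    static const struct ptrauth_keys_kernel k = { { 0xDEADBEEFCAFEF00DULL, 0x0BADF00D12345678ULL } };
    return &k;
}

int main(void)
{
    const struct ptrauth_keys_user *u = demo_user_keys();
    uint64_t ret = 0x0000FFFF12345678ULL, sp = 0x00007FFC0000DEA0ULL;
    uint64_t s = pac_sign(u, APIA, ret, sp);
    printf("signed 0x%016llx, APIA auth %d, APIB auth %d, bad-SP auth %d\n",
           (unsigned long long)s, pac_auth(u, APIA, s, sp) == ret,
           pac_is_canonical(pac_auth(u, APIB, s, sp)),
           pac_is_canonical(pac_auth(u, APIA, s, sp + 16)));
    return 0;
}
```

Authenticating with the wrong key domain or the wrong modifier returns a pointer that fails `pac_is_canonical()`, which is the model's stand-in for the fault a later dereference or return would take on hardware; the kernel helpers touch only `apia`, which is the reason the reply gives for not saving or restoring the other four keys in kernel context.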