Re: [PATCH 2/2] docs/cpu-features: Update "PAuth" (Pointer Authenticatio
From: Marc Zyngier
Subject: Re: [PATCH 2/2] docs/cpu-features: Update "PAuth" (Pointer Authentication) details
Date: Sat, 18 Jan 2025 10:04:37 +0000
User-agent: Wanderlust/2.15.9 (Almost Unreal) SEMI-EPG/1.14.7 (Harue) FLIM-LB/1.14.9 (Gojō) APEL-LB/10.8 EasyPG/1.0.0 Emacs/29.4 (x86_64-pc-linux-gnu) MULE/6.0 (HANACHIRUSATO)

On Fri, 17 Jan 2025 19:11:06 +0000,
Kashyap Chamarthy <kchamart@redhat.com> wrote:
>
> PAuth (Pointer Authentication), a security feature in software, is
> relevant for both KVM and QEMU. Reflect this fact into the docs:
>
> - For KVM, `pauth` is a binary, "on" vs "off" option. The host CPU
> will choose the cryptographic algorithm.
>
> - For TCG, however, along with `pauth`, a couple of properties can be
> controlled -- they're related to cryptographic algorithm choice.
>
> Thanks to Peter Maydell and Marc Zyngier for explaining more about PAuth
> on IRC (#qemu, OFTC).
>
> Signed-off-by: Kashyap Chamarthy <kchamart@redhat.com>
> ---
> docs/system/arm/cpu-features.rst | 23 +++++++++++++++++++----
> 1 file changed, 19 insertions(+), 4 deletions(-)
>
> diff --git a/docs/system/arm/cpu-features.rst
> b/docs/system/arm/cpu-features.rst
> index 78f18c87a81..7f99f7614b4 100644
> --- a/docs/system/arm/cpu-features.rst
> +++ b/docs/system/arm/cpu-features.rst
> @@ -204,11 +204,26 @@ the list of KVM vCPU features and their descriptions.
> the guest scheduler behavior and/or be exposed to the guest
> userspace.
>
> -TCG vCPU Features
> -=================
> +"PAuth" (Pointer Authentication)
> +================================
> +
> +PAuth (Pointer Authentication) is a security feature in software that
> +was introduced in Armv8.3-A and Armv9.0-A. It aims to protect against

nit: given that ARMv9.0 is congruent to ARMv8.5 and therefore has all
the ARMv8.5 features, mentioning ARMv8.3 should be enough (but I don't
feel strongly about this). I feel much more strongly about the use of
capital letters, but I live in a distant past... ;-)

> +ROP (return-oriented programming) attacks.
> +
> +KVM
> +---
> +
> +``pauth``
> +
> + Enable or disable ``FEAT_Pauth``. The host silicon will choose the
> + cryptographic algorithm. No other properties can be controlled.
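
Review bot: in the new intro paragraph, "a security feature in software" sits oddly with the rest of the same sentence, which dates PAuth to Armv8.3-A, an architecture revision; suggest "a security feature of the Arm architecture" or simply dropping "in software". In the KVM ``pauth`` entry, ``FEAT_Pauth`` is also capitalised differently from the "PAuth" used in the heading and intro, so ``FEAT_PAuth`` would be consistent.
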
nit: "choose" is an odd choice of word. The host implementation
defines, or even imposes, the signature algorithm, as well as the level
of PAuth support (PAuth, EPAC, PAuth2, FPAC, FPACCOMBINE, ...), some
of which are mutually exclusive (EPAC and PAuth2 are incompatible).
Maybe it would be worth capturing some of these details, as this has a
direct influence on the ability to migrate a VM.

Thanks,
M.
--
Without deviation from the norm, progress is not possible.
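
The review comment above ties the host's signature algorithm and PAuth level to VM migration; the following added example (not part of the original message or of QEMU/KVM) decodes both from the ID registers and compares two hosts. The register fields (ID_AA64ISAR1_EL1.APA/API, ID_AA64ISAR2_EL1.APA3) come from the Arm architecture rather than from this thread, and the sample values and the exact-match policy are assumptions.

```python
# Added example. Field positions and level encodings follow the Arm
# architecture's ID_AA64ISAR1_EL1 / ID_AA64ISAR2_EL1 register definitions.
LEVELS = {1: "PAuth", 2: "EPAC", 3: "PAuth2", 4: "FPAC", 5: "FPACCOMBINE"}

# (index into (isar1, isar2), bit shift, signature algorithm)
FIELDS = (
    (0, 4, "QARMA5"),                  # ID_AA64ISAR1_EL1.APA
    (0, 8, "IMPLEMENTATION DEFINED"),  # ID_AA64ISAR1_EL1.API
    (1, 12, "QARMA3"),                 # ID_AA64ISAR2_EL1.APA3
)


def decode_pauth(isar1, isar2):
    """Return (algorithm, level) for address authentication, or None."""
    regs = (isar1, isar2)
    found = []
    for reg, shift, algorithm in FIELDS:
        value = (regs[reg] >> shift) & 0xF
        if value == 0:
            continue  # this algorithm is not implemented
        if value not in LEVELS:
            raise ValueError(f"unknown level {value} for {algorithm}")
        found.append((algorithm, LEVELS[value]))
    if len(found) > 1:
        raise ValueError("more than one algorithm field is non-zero")
    return found[0] if found else None


def migration_blockers(src, dst):
    """Assumed conservative policy: algorithm and level must both match."""
    a, b = decode_pauth(*src), decode_pauth(*dst)
    if a == b:
        return []
    if a is None or b is None:
        return ["PAuth is present on only one host"]
    problems = []
    if a[0] != b[0]:
        problems.append(f"signature algorithm differs: {a[0]} vs {b[0]}")
    if a[1] != b[1]:
        problems.append(f"PAuth level differs: {a[1]} vs {b[1]}")
    return problems


# Constructed (isar1, isar2) values, not taken from real hardware.
HOST_A = (0x2 << 4, 0)   # QARMA5, EPAC
HOST_B = (0x3 << 4, 0)   # QARMA5, PAuth2
HOST_C = (0, 0x5 << 12)  # QARMA3, FPACCOMBINE

if __name__ == "__main__":
    print(migration_blockers(HOST_A, HOST_B))
    print(migration_blockers(HOST_B, HOST_C))
```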