Skip to content
  • Andrey Konovalov's avatar
    kasan: drop unnecessary GPL text from comment headers · b2f1c165
    Andrey Konovalov authored
    Patch series "kasan: add hardware tag-based mode for arm64", v11.
    This patchset adds a new hardware tag-based mode to KASAN [1].  The new
    mode is similar to the existing software tag-based KASAN, but relies on
    arm64 Memory Tagging Extension (MTE) [2] to perform memory and pointer
    tagging (instead of shadow memory and compiler instrumentation).
    This patchset is co-developed and tested by
    Vincenzo Frascino <>.
    This patchset is available here:
    For testing in QEMU hardware tag-based KASAN requires:
    1. QEMU built from master [4] (use "-machine virt,mte=on -cpu max" arguments
       to run).
    2. GCC version 10.
    [3] git:// for-next/mte
    ====== Overview
    The underlying ideas of the approach used by hardware tag-based KASAN are:
    1. By relying on the Top Byte Ignore (TBI) arm64 CPU feature, pointer tags
       are stored in the top byte of each kernel pointer.
    2. With the Memory Tagging Extension (MTE) arm64 CPU feature, memory tags
       for kernel memory allocations are stored in a dedicated memory not
       accessible via normal instuctions.
    3. On each memory allocation, a random tag is generated, embedded it into
       the returned pointer, and the corresponding memory is tagged with the
       same tag value.
    4. With MTE the CPU performs a check on each memory access to make sure
       that the pointer tag matches the memory tag.
    5. On a tag mismatch the CPU generates a tag fault, and a KASAN report is
    Same as other KASAN modes, hardware tag-based KASAN is intended as a
    debugging feature at this point.
    ====== Rationale
    There are two main reasons for this new hardware tag-based mode:
    1. Previously implemented software tag-based KASAN is being successfully
       used on dogfood testing devices due to its low memory overhead (as
       initially planned). The new hardware mode keeps the same low memory
       overhead, and is expected to have significantly lower performance
       impact, due to the tag checks being performed by the hardware.
       Therefore the new mode can be used as a better alternative in dogfood
       testing for hardware that supports MTE.
    2. The new mode lays the groundwork for the planned in-kernel MTE-based
       memory corruption mitigation to be used in production.
    ====== Technical details
    Considering the implementation perspective, hardware tag-based KASAN is
    almost identical to the software mode.  The key difference is using MTE
    for assigning and checking tags.
    Compared to the software mode, the hardware mode uses 4 bits per tag, as
    dictated by MTE.  Pointer tags are stored in bits [56:60), the top 4 bits
    have the normal value 0xF.  Having less distict tags increases the
    probablity of false negatives (from ~1/256 to ~1/16) in certain cases.
    Only synchronous exceptions are set up and used by hardware tag-based KASAN.
    ====== Benchmarks
    Note: all measurements have been performed with software emulation of Memory
    Tagging Extension, performance numbers for hardware tag-based KASAN on the
    actual hardware are expected to be better.
    Boot time [1]:
    * 2.8 sec for clean kernel
    * 5.7 sec for hardware tag-based KASAN
    * 11.8 sec for software tag-based KASAN
    * 11.6 sec for generic KASAN
    Slab memory usage after boot [2]:
    * 7.0 kb for clean kernel
    * 9.7 kb for hardware tag-based KASAN
    * 9.7 kb for software tag-based KASAN
    * 41.3 kb for generic KASAN
    Measurements have been performed with:
    * defconfig-based configs
    * Manually built QEMU master
    * QEMU arguments: -machine virt,mte=on -cpu max
    * clang-10 as the compiler and gcc-10 as the assembler
    [1] Time before the ext4 driver is initialized.
    [2] Measured as `cat /proc/meminfo | grep Slab`.
    ====== Notes
    The cover letter for software tag-based KASAN patchset can be found here:
    ===== Tags
    Tested-by: default avatarVincenzo Frascino <>
    This patch (of 42):
    Don't mention "GNU General Public License version 2" text explicitly, as
    it's already covered by the SPDX-License-Identifier.
    Signed-off-by: default avatarAndrey Konovalov <>
    Signed-off-by: default avatarVincenzo Frascino <>
    Reviewed-by: default avatarMarco Elver <>
    Reviewed-by: default avatarAlexander Potapenko <>
    Tested-by: default avatarVincenzo Frascino <>
    Cc: Catalin Marinas <>
    Cc: Will Deacon <>
    Cc: Dmitry Vyukov <>
    Cc: Andrey Ryabinin <>
    Cc: Evgenii Stepanov <>
    Cc: Branislav Rankov <>
    Cc: Kevin Brodsky <>
    Cc: Vasily Gorbik <>
    Signed-off-by: default avatarAndrew Morton <>
    Signed-off-by: default avatarStephen Rothwell <>