In-kernel MTE (heap) tagging - CONFIG_KASAN_HW_TAGS
Hi, With kernel 5.11 we can enable MTE (heap) tagging, in-kernel support, with the following arm64 config update: ************************************************** @@ -11577,7 +11577,11 @@ CONFIG_CC_HAS_KASAN_GENERIC=y # CONFIG_CC_HAS_KASAN_SW_TAGS is not set CONFIG_CC_HAS_WORKING_NOSANITIZE_ADDRESS=y # CONFIG_KASAN is not set CONFIG_KASAN=y # CONFIG_KASAN_GENERIC is not set CONFIG_KASAN_HW_TAGS=y CONFIG_KASAN_STACK=1 # CONFIG_TEST_KASAN_MODULE is not set # end of Memory Debugging # CONFIG_DEBUG_SHIRQ is not set ************************************************** KASAN seems to be a good candidate for a debug kernel. But I noticed that KASAN is not enabled at all for kernels built in openSUSE Tumbleweed. Is it on purpose? I plan some testing of CONFIG_KASAN_HW_TAGS soon. Cheers, Guillaume
On 02. 03. 21, 17:40, Guillaume Gardet wrote:
Hi,
With kernel 5.11 we can enable MTE (heap) tagging, in-kernel support, with the following arm64 config update: ************************************************** @@ -11577,7 +11577,11 @@ CONFIG_CC_HAS_KASAN_GENERIC=y # CONFIG_CC_HAS_KASAN_SW_TAGS is not set CONFIG_CC_HAS_WORKING_NOSANITIZE_ADDRESS=y # CONFIG_KASAN is not set CONFIG_KASAN=y # CONFIG_KASAN_GENERIC is not set CONFIG_KASAN_HW_TAGS=y CONFIG_KASAN_STACK=1 # CONFIG_TEST_KASAN_MODULE is not set # end of Memory Debugging
# CONFIG_DEBUG_SHIRQ is not set **************************************************
KASAN seems to be a good candidate for a debug kernel. But I noticed that KASAN is not enabled at all for kernels built in openSUSE Tumbleweed. Is it on purpose?
KASAN is damn slow even for -debug. So that would likely be the reason. regards, -- js suse labs
On 03/03/2021 08:02, Jiri Slaby wrote:
On 02. 03. 21, 17:40, Guillaume Gardet wrote:
Hi,
With kernel 5.11 we can enable MTE (heap) tagging, in-kernel support, with the following arm64 config update: ************************************************** @@ -11577,7 +11577,11 @@ CONFIG_CC_HAS_KASAN_GENERIC=y # CONFIG_CC_HAS_KASAN_SW_TAGS is not set CONFIG_CC_HAS_WORKING_NOSANITIZE_ADDRESS=y # CONFIG_KASAN is not set CONFIG_KASAN=y # CONFIG_KASAN_GENERIC is not set CONFIG_KASAN_HW_TAGS=y CONFIG_KASAN_STACK=1 # CONFIG_TEST_KASAN_MODULE is not set # end of Memory Debugging
# CONFIG_DEBUG_SHIRQ is not set **************************************************
KASAN seems to be a good candidate for a debug kernel. But I noticed that KASAN is not enabled at all for kernels built in openSUSE Tumbleweed. Is it on purpose?
KASAN is damn slow even for -debug. So that would likely be the reason.
Beware that we are talking about hardware tag-based KASAN, which is only available on arm64 and intended for use in production. So it should mitigate the slowdown of generic and software tag-based KASAN. I propose to enable it for -debug to evaluate the performance impact and if the impact is, as expected, small, we should enable it for -default as well. Regards, Matthias
-----Original Message----- From: Matthias Brugger <mbrugger@suse.com> Sent: 03 March 2021 16:48 To: Jiri Slaby <jslaby@suse.cz>; Guillaume Gardet <Guillaume.Gardet@arm.com>; opensuse-kernel@opensuse.org Cc: nd <nd@arm.com> Subject: Re: In-kernel MTE (heap) tagging - CONFIG_KASAN_HW_TAGS
On 03/03/2021 08:02, Jiri Slaby wrote:
On 02. 03. 21, 17:40, Guillaume Gardet wrote:
Hi,
With kernel 5.11 we can enable MTE (heap) tagging, in-kernel support, with the following arm64 config update: ************************************************** @@ -11577,7 +11577,11 @@ CONFIG_CC_HAS_KASAN_GENERIC=y # CONFIG_CC_HAS_KASAN_SW_TAGS is not set CONFIG_CC_HAS_WORKING_NOSANITIZE_ADDRESS=y # CONFIG_KASAN is not set CONFIG_KASAN=y # CONFIG_KASAN_GENERIC is not set CONFIG_KASAN_HW_TAGS=y CONFIG_KASAN_STACK=1 # CONFIG_TEST_KASAN_MODULE is not set # end of Memory Debugging
# CONFIG_DEBUG_SHIRQ is not set **************************************************
KASAN seems to be a good candidate for a debug kernel. But I noticed that KASAN is not enabled at all for kernels built in openSUSE Tumbleweed. Is it on purpose?
KASAN is damn slow even for -debug. So that would likely be the reason.
Thanks for the quick feedback.
Beware that we are talking about hardware tag-based KASAN, which is only available on arm64 and intended for use in production. So it should mitigate the slowdown of generic and software tag-based KASAN.
That's indeed hardware based.
I propose to enable it for -debug to evaluate the performance impact and if the impact is, as expected, small, we should enable it for -default as well.
I am not sure yet about the impact, especially on Armv8.0 hardware, that's why I would like to test it before applying a patch, even on -debug. Thanks, Guillaume
Regards, Matthias
participants (3)
-
Guillaume Gardet -
Jiri Slaby -
Matthias Brugger