mte/kasan: Implementing KASAN memory protection for ARM64 hardware MTE

[W-M-R]

Note: Please adhere to Contributing Guidelines.

Summary

mte/kasan: Implementing KASAN memory protection for ARM64 hardware MTE

1. Add mte_tags.c, which will call arm64_mte to implement tagging of memory blocks by operating registers
2. please use arm64/mte, it default enable MM_KASAN_MTE_TAGS, run log:

    ➜  NX git:(mm) ✗ qemu-system-aarch64 -cpu max -nographic \
            -machine virt,virtualization=on,gic-version=3,mte=on \
            -chardev stdio,id=con,mux=on, -serial chardev:con \
            -mon chardev=con,mode=readline  -kernel ./nuttx/nuttx -s
    - Ready to Boot Primary CPU
    - Boot from EL2
    - Boot from EL1
    - Boot to C runtime for OS Initialize
    mm_initialize: Heap: name=Umem, start=0x403f2000 size=130080768
    mm_addregion: [Umem] Region 1: base=0x403f23a0 size=130079840
    mm_malloc: Allocated 0xf8000000403f23e0, size 144
    mm_malloc: Allocated 0xfe000000403f2470, size 80
    mm_malloc: Allocated 0xfe000000403f24c0, size 64
    mm_malloc: Allocated 0xfe000000403f2500, size 96
    mm_malloc: Allocated 0xff000000403f2560, size 96
    mm_malloc: Allocated 0xf7000000403f25c0, size 96
    mm_malloc: Allocated 0xff000000403f2620, size 96
    mm_malloc: Allocated 0xfe000000403f2680, size 96
    mm_malloc: Allocated 0xfe000000403f26e0, size 64
    mm_malloc: Allocated 0xf1000000403f2720, size 64
    mm_malloc: Allocated 0xf9000000403f2760, size 336
    mm_malloc: Allocated 0xf6000000403f28b0, size 8208
    mm_malloc: Allocated 0xf4000000403f48c0, size 1584
    mm_malloc: Allocated 0xfa000000403f4ef0, size 64
    mm_malloc: Allocated 0xf8000000403f4f30, size 64
    mm_malloc: Allocated 0xfe000000403f4f70, size 8208
    mm_malloc: Allocated 0xfe000000403f6f80, size 80
    mm_malloc: Allocated 0xfe000000403f6fd0, size 96
    mm_malloc: Allocated 0xf7000000403f7030, size 96
    mm_malloc: Allocated 0xf7000000403f7090, size 336
    mm_malloc: Allocated 0xfc000000403f71e0, size 96
    mm_malloc: Allocated 0xfd000000403f7240, size 912
    
    NuttShell (NSH)
    nsh>
    nsh> mtetest
mm_malloc: Allocated 0xfd000000403ea5d0, size 1584
mm_malloc: Allocated 0xf9000000403eac00, size 64
mm_malloc: Allocated 0xf9000000403eac40, size 64
mm_malloc: Allocated 0xf6000000403eac80, size 8208
Spawning process for test: mtetest1
mm_malloc: Allocated 0xfc000000403ecc90, size 1584
mm_malloc: Allocated 0xfa000000403ed2c0, size 64
mm_malloc: Allocated 0xfd000000403ed300, size 64
mm_malloc: Allocated 0xfe000000403ed340, size 8208
Running test: mtetest1
mm_free: Freeing 0xfd000000403ed300
mm_free: Freeing 0xfa000000403ed2c0
mm_free: Freeing 0xfe000000403ed340
mm_free: Freeing 0xfc000000403ecc90
Test 'mtetest1' completed
Spawning process for test: mtetest2
mm_malloc: Allocated 0xf7000000403ecc90, size 1584
mm_malloc: Allocated 0xf7000000403ed2c0, size 64
mm_malloc: Allocated 0xf7000000403ed300, size 64
mm_malloc: Allocated 0xf7000000403ed340, size 8208
Running test: mtetest2
mm_free: Freeing 0xf7000000403ed300
mm_free: Freeing 0xf7000000403ed2c0
mm_free: Freeing 0xf7000000403ed340
mm_free: Freeing 0xf7000000403ecc90
Test 'mtetest2' completed
Spawning process for test: mtetest3
mm_malloc: Allocated 0xfb000000403ecc90, size 1584
mm_malloc: Allocated 0xf8000000403ed2c0, size 64
mm_malloc: Allocated 0xfb000000403ed300, size 64
mm_malloc: Allocated 0xf7000000403ed340, size 8208
Running test: mtetest3
mm_free: Freeing 0xfb000000403ed300
mm_free: Freeing 0xf8000000403ed2c0
mm_free: Freeing 0xf7000000403ed340
mm_free: Freeing 0xfb000000403ecc90
Test 'mtetest3' completed
Spawning process for test: mtetest4
mm_malloc: Allocated 0xf1000000403ecc90, size 1584
mm_malloc: Allocated 0xfc000000403ed2c0, size 64
mm_malloc: Allocated 0xf4000000403ed300, size 64
mm_malloc: Allocated 0xf7000000403ed340, size 8208
Running test: mtetest4
mm_free: Freeing 0xf4000000403ed300
mm_free: Freeing 0xfc000000403ed2c0
mm_free: Freeing 0xf7000000403ed340
mm_free: Freeing 0xf1000000403ecc90
Test 'mtetest4' completed
Spawning process for test: mtetest5
mm_malloc: Allocated 0xf2000000403ecc90, size 1584
mm_malloc: Allocated 0xf6000000403ed2c0, size 64
mm_malloc: Allocated 0xf8000000403ed300, size 64
mm_malloc: Allocated 0xf9000000403ed340, size 8208
Running test: mtetest5
mm_free: Freeing 0xf8000000403ed300
mm_free: Freeing 0xf6000000403ed2c0
mm_free: Freeing 0xf9000000403ed340
mm_free: Freeing 0xf2000000403ecc90
Test 'mtetest5' completed
Spawning process for test: Thread switch MTE test
mm_malloc: Allocated 0xf6000000403ecc90, size 1584
mm_malloc: Allocated 0xfe000000403ed2c0, size 64
mm_malloc: Allocated 0xfb000000403ed300, size 64
mm_malloc: Allocated 0xf3000000403ed340, size 8208
Running test: Thread switch MTE test
mm_malloc: Allocated 0xfe000000403ef350, size 352
mm_malloc: Allocated 0xf6000000403ef4b0, size 8208
mm_malloc: Allocated 0xfc000000403f14c0, size 352
mm_malloc: Allocated 0xfc000000403f1620, size 8208
Process 1 holding lock
Process 2 holding lock
Process 1 holding lock again
default_fatal_handler: (IFSC/DFSC) for Data/Instruction aborts: synchronous tag check fault
arm64_exception_handler: CurrentEL: MODE_EL1
arm64_exception_handler: ESR_ELn: 0x96000011
arm64_exception_handler: FAR_ELn: 0x1000000403e1430
arm64_exception_handler: ELR_ELn: 0x402a93f8
print_ec_cause: DABT (current EL)
print_ec_cause: Data Abort taken without a change in Exception level
dump_assert_info: Current Version: NuttX  0.0.0 a3fd5888b4-dirty Jan  8 2025 11:54:02 arm64
dump_assert_info: Assertion failed panic: at file: common/arm64_fatal.c:573 task: mtetest process: mtetest 0x402a9360
up_dump_register: stack = 0xf6000000403f1328
up_dump_register: x0:   0x200               x1:   0x100
up_dump_register: x2:   0x1000000403e1330   x3:   0x9000000
up_dump_register: x4:   0x0                 x5:   0x1
up_dump_register: x6:   0x403d0638          x7:   0x1
up_dump_register: x8:   0xa                 x9:   0x0
up_dump_register: x10:  0x0                 x11:  0x0
up_dump_register: x12:  0x0                 x13:  0x0
up_dump_register: x14:  0x0                 x15:  0x0
up_dump_register: x16:  0x0                 x17:  0x0
up_dump_register: x18:  0x0                 x19:  0xf3000000403ef270
up_dump_register: x20:  0xf3000000403ef288  x21:  0x403c13df
up_dump_register: x22:  0x403c13f6          x23:  0x0
up_dump_register: x24:  0x0                 x25:  0x0
up_dump_register: x26:  0x0                 x27:  0x0
up_dump_register: x28:  0x0                 x29:  0xf6000000403f1450
up_dump_register: x30:  0x402a93c0        
up_dump_register: 
up_dump_register: STATUS Registers:
up_dump_register: SPSR:      0x20000005        
up_dump_register: ELR:       0x402a93f8        
up_dump_register: SP_EL0:    0xf6000000403f1388
up_dump_register: SP_ELX:    0xf6000000403f1450
up_dump_register: EXE_DEPTH: 0xfffffffffffffffc
dump_tasks:    PID GROUP PRI POLICY   TYPE    NPX STATE   EVENT      SIGMASK          STACKBASE  STACKSIZE      USED   FILLED    COMMAND
dump_tasks:   ----   --- --- -------- ------- --- ------- ---------- ---------------- 0x403e2000      4096       336     8.2%    irq
dump_task:       0     0   0 FIFO     Kthread -   Ready              0000000000000000 0x403e3010      8176      1728    21.1%    Idle_Task
dump_task:       1     0 192 RR       Kthread -   Waiting Semaphore  0000000000000000 0xfc000000403e5900      8112       488     6.0%    hpwork 0x403d04b8 0x403d0500
dump_task:       2     2 100 RR       Task    -   Waiting Semaphore  0000000000000000 0xfe000000403e7fa0      8144      2672    32.8%    nsh_main
dump_task:       3     3 101 RR       Task    -   Waiting Semaphore  0000000000000000 0xf6000000403eacb0      8144      1744    21.4%    mtetest
dump_task:       9     9 101 RR       Task    -   Waiting Semaphore  0000000000000000 0xf3000000403ed390      8112      1784    21.9%    mtetest Thread switch MTE test
dump_task:      10     9 101 RR       pthread -   Running            0000000000000000 0xf6000000403ef4c0      8176      2072    25.3%    mtetest 0x402a9360 0xf3000000403ef270
dump_task:      11     9 101 RR       pthread -   Waiting Signal     0000000000000000 0xfc000000403f1630      8176       808     9.8%    mtetest 0x402a92e8 0xf3000000403ef270

Impact

depends on #15437, #15397

Testing

build arm64/mte config, and nsh run mtetest.

[nuttxpr]

[Experimental Bot, please feedback here]

This PR summary does not adequately meet the NuttX requirements. Here's a breakdown and suggestions for improvement:

Weaknesses:

• Summary is too brief and technical. It assumes the reader understands KASAN and MTE. It doesn't explain why this change is necessary. What problem does it solve? What benefits does it bring? What are the goals?
• Functional change description is unclear. "call arm64_mte to implement tagging" is vague. What does tagging mean in this context? How does it work at a high level?
• Log dump is excessive and unhelpful. The massive log dump doesn't highlight the relevant changes. It shows a crash, which isn't a good demonstration of functionality. It should show specific examples of KASAN catching memory errors.
• Impact section is insufficient. Simply referencing other PRs doesn't explain the impact of this PR. Each PR should stand on its own. The impact on users, build, hardware, documentation, security, and compatibility should be explicitly stated.
• Testing section lacks detail on the host system. It only mentions the target. What OS, compiler version, and tools were used on the host build machine?
• No "before" and "after" comparison. The testing logs are all "after." There's no demonstration of how behavior changed due to the PR. Ideally, the logs should show a memory error being detected that wasn't detected before.

Suggestions for Improvement:

• Expand the Summary:
  • Explain the purpose of KASAN and MTE in simple terms. Why is memory protection important?
  • State the specific goal of this PR. Is it to enable KASAN support? To improve existing KASAN functionality?
  • Summarize the implementation approach at a high level.
• Clarify the Functional Change:
  • Describe how mte_tags.c interacts with arm64_mte.
  • Explain the tagging mechanism. What gets tagged, and how are tags used for error detection?
• Improve the Testing Section and Logs:
  • Provide host build details (OS, compiler, etc.).
  • Show "before" logs where a memory error goes undetected (if possible).
  • Show "after" logs where the same error is caught by KASAN.
  • Focus on the relevant log entries. Trim the excessive output.
  • Add a test case specifically designed to trigger and catch a memory error.
• Complete the Impact Section:
  • Explain the impact independently of other PRs. Even if it depends on other changes, describe how this PR affects the system.
  • Address all the impact points explicitly (user, build, hardware, documentation, security, compatibility). Use "NO" or "YES" followed by a brief explanation. Don't leave them blank.

Example of an Improved Summary:

This PR implements KASAN (Kernel Address Sanitizer) memory protection for ARM64 hardware using Memory Tagging Extension (MTE). KASAN helps detect memory errors like out-of-bounds accesses and use-after-free bugs. MTE provides hardware support for tagging memory allocations, enabling efficient error detection.

This implementation adds mte_tags.c, which utilizes the arm64_mte functions to tag memory blocks during allocation and deallocation. When a memory access occurs, the hardware compares the access tag with the memory tag. A mismatch indicates a memory error, triggering a fault. This PR enables KASAN by default when MM_KASAN_MTE_TAGS is defined for ARM64 MTE-enabled platforms.

By making these improvements, the PR will be much clearer, easier to review, and more likely to be accepted. Remember to follow the contributing guidelines and provide a concise yet comprehensive description of your changes.

[xiaoxiang781216]

please fix the conflict @W-M-R