The FEAT_MTE_STORE_ONLY feature provides support for
tag checking on store operations only. A read operation is considered
an unchecked operation, so it doesn't raise a tag check fault.
NOTE:
This patch series is based on https://lore.kernel.org/linux-arm-kernel/20250403172758.67106-1-yeoreum.yun@arm.com/
Since v1:
- add doc to elf_hwcaps.rst
- add MTE_STORE_ONLY hwcap test
Yeoreum Yun (4):
arm64/feature: add MTE_STORE_ONLY feature
prtcl: introduce PR_MTE_STORE_ONLY
arm64/kernel: support store-only mte tag check
tools/kselftest: add MTE_STORE_ONLY feature hwcap test
Documentation/arch/arm64/elf_hwcaps.rst | 3 +++
arch/arm64/include/asm/hwcap.h | 1 +
arch/arm64/include/asm/processor.h | 2 ++
arch/arm64/include/uapi/asm/hwcap.h | 1 +
arch/arm64/kernel/cpufeature.c | 9 +++++++++
arch/arm64/kernel/cpuinfo.c | 1 +
arch/arm64/kernel/mte.c | 11 ++++++++++-
arch/arm64/kernel/process.c | 6 +++++-
arch/arm64/tools/cpucaps | 1 +
include/uapi/linux/prctl.h | 2 ++
tools/testing/selftests/arm64/abi/hwcap.c | 6 ++++++
11 files changed, 41 insertions(+), 2 deletions(-)
On 03.04.25 19:46, Yeoreum Yun wrote:
> The FEAT_MTE_STORE_ONLY feature provides support for
> tag check for store operation only. read operation is considered
> as unchecked operation so it doesn't raise tag check fault.

Can you add/share more details of what the implications are, how it would be used, who would set it, etc.

Just from staring at this short paragraph leaves me rather clueless.

--
Cheers,

David / dhildenb
Hi David.

> On 03.04.25 19:46, Yeoreum Yun wrote:
> > The FEAT_MTE_STORE_ONLY feature provides support for
> > tag check for store operation only. read operation is considered
> > as unchecked operation so it doesn't raise tag check fault.
>
> Can you add/share more details of what the implications are, how it would be
> used, who would set it, etc.
>
> Just from staring at this short paragraph leaves me rather clueless.
>

Sorry for my bad.

ARMv8.5 based processors introduce the Memory Tagging Extension (MTE) feature.
MTE is built on top of the ARMv8.0 virtual address tagging TBI
(Top Byte Ignore) feature and allows software to access a 4-bit
allocation tag for each 16-byte granule in the physical address space.
A logical tag is derived from bits 59-56 of the virtual
address used for the memory access. A CPU with MTE enabled will compare
the logical tag against the allocation tag and potentially raise a
tag check fault on mismatch, subject to system register configuration.

Since ARMv8.9, FEAT_MTE_STORE_ONLY can be used to restrict raising of tag
check faults to store operations only.
For this, an application can use the PR_MTE_STORE_ONLY flag
when it sets the MTE setting with prctl().

This would be useful for debugging purposes,
i.e. finding the memory corruption point, use-after-free, etc.

--
Sincerely,
Yeoreum Yun
On 04.04.25 21:33, Yeoreum Yun wrote:
> Hi David.
>
>> On 03.04.25 19:46, Yeoreum Yun wrote:
>>> The FEAT_MTE_STORE_ONLY feature provides support for
>>> tag check for store operation only. read operation is considered
>>> as unchecked operation so it doesn't raise tag check fault.
>>
>> Can you add/share more details of what the implications are, how it would be
>> used, who would set it, etc.
>>
>> Just from staring at this short paragraph leaves me rather clueless.
>>
>
> Sorry for my bad.
>
> ARMv8.5 based processors introduce the Memory Tagging Extension (MTE) feature.
> MTE is built on top of the ARMv8.0 virtual address tagging TBI
> (Top Byte Ignore) feature and allows software to access a 4-bit
> allocation tag for each 16-byte granule in the physical address space.
> A logical tag is derived from bits 59-56 of the virtual
> address used for the memory access. A CPU with MTE enabled will compare
> the logical tag against the allocation tag and potentially raise a
> tag check fault on mismatch, subject to system register configuration.
>
> Since ARMv8.9, FEAT_MTE_STORE_ONLY can be used to restrict raising of tag
> check faults to store operations only.

Oh, so other operations (read/fetch) will not check the tag.

> For this, an application can use the PR_MTE_STORE_ONLY flag
> when it sets the MTE setting with prctl().
>
> This would be useful for debugging purposes,
> i.e. finding the memory corruption point, use-after-free, etc.

So what's the benefit of this relaxation? I assume it's faster because less memory access has to perform tag checks, and the issues you mention here can still be mostly caught (not all cases of use-after-free, but at least the destructive ones).

--
Cheers,

David / dhildenb
Hi David,

> On 04.04.25 21:33, Yeoreum Yun wrote:
> > Hi David.
> >
> > > On 03.04.25 19:46, Yeoreum Yun wrote:
> > > > The FEAT_MTE_STORE_ONLY feature provides support for
> > > > tag check for store operation only. read operation is considered
> > > > as unchecked operation so it doesn't raise tag check fault.
> > >
> > > Can you add/share more details of what the implications are, how it would be
> > > used, who would set it, etc.
> > >
> > > Just from staring at this short paragraph leaves me rather clueless.
> > >
> >
> > Sorry for my bad.
> >
> > ARMv8.5 based processors introduce the Memory Tagging Extension (MTE) feature.
> > MTE is built on top of the ARMv8.0 virtual address tagging TBI
> > (Top Byte Ignore) feature and allows software to access a 4-bit
> > allocation tag for each 16-byte granule in the physical address space.
> > A logical tag is derived from bits 59-56 of the virtual
> > address used for the memory access. A CPU with MTE enabled will compare
> > the logical tag against the allocation tag and potentially raise a
> > tag check fault on mismatch, subject to system register configuration.
> >
> > Since ARMv8.9, FEAT_MTE_STORE_ONLY can be used to restrict raising of tag
> > check faults to store operations only.
>
> Oh, so other operations (read/fetch) will not check the tag.

Yes, it is. The read operation is considered as unchecked, so it wouldn't check the tag.

> > For this, an application can use the PR_MTE_STORE_ONLY flag
> > when it sets the MTE setting with prctl().
> >
> > This would be useful for debugging purposes,
> > i.e. finding the memory corruption point, use-after-free, etc.
>
> So what's the benefit of this relaxation? I assume it's faster because less
> memory access has to perform tag checks, and the issues you mention here can
> still be mostly caught (not all cases of use-after-free, but at least the
> destructive ones).

Right.
But, as you mention, it is to reduce overhead by omitting the tag check on read operations (sometimes this overhead is more than the benefit gained) [0].

[0] https://www.usenix.org/conference/woot24/presentation/jacobs

Thanks.

--
Sincerely,
Yeoreum Yun
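The usage described in the thread, as an added C example that is not part of the patch series or of either author's mail: a process opts into MTE with prctl(PR_SET_TAGGED_ADDR_CTRL) and requests store-only checking, and the helpers implement the pointer arithmetic the explanation describes (logical tag in address bits 59:56, one allocation tag per 16-byte granule). The existing prctl constants are the upstream ones from include/uapi/linux/prctl.h; PR_MTE_STORE_ONLY is introduced by this series and its bit position is not stated here, so the value below is an assumed placeholder guarded by `#ifndef`. Only the prctl() call in main() needs an arm64 kernel and CPU with MTE and FEAT_MTE_STORE_ONLY; the mask and tag helpers are plain arithmetic and run anywhere.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/prctl.h>

/* PR_SET_TAGGED_ADDR_CTRL and the MTE bits below are the existing upstream
 * definitions from include/uapi/linux/prctl.h; the guards only let this file
 * build against older headers. */
#ifndef PR_SET_TAGGED_ADDR_CTRL
#define PR_SET_TAGGED_ADDR_CTRL 55
#define PR_GET_TAGGED_ADDR_CTRL 56
#define PR_TAGGED_ADDR_ENABLE   (1UL << 0)
#endif
#ifndef PR_MTE_TCF_SHIFT
#define PR_MTE_TCF_SHIFT 1
#define PR_MTE_TCF_NONE  (0UL << PR_MTE_TCF_SHIFT)
#define PR_MTE_TCF_SYNC  (1UL << PR_MTE_TCF_SHIFT)
#define PR_MTE_TCF_ASYNC (2UL << PR_MTE_TCF_SHIFT)
#define PR_MTE_TCF_MASK  (3UL << PR_MTE_TCF_SHIFT)
#define PR_MTE_TAG_SHIFT 3
#define PR_MTE_TAG_MASK  (0xffffUL << PR_MTE_TAG_SHIFT)
#endif
/* ASSUMPTION: PR_MTE_STORE_ONLY is added by this series and its bit position
 * is not stated in the thread; the value here is a placeholder so the example
 * builds. Real programs must take it from the kernel's uapi header. */
#ifndef PR_MTE_STORE_ONLY
#define PR_MTE_STORE_ONLY (1UL << 19)
#endif

/* Assemble the PR_SET_TAGGED_ADDR_CTRL argument: turn on tagged addressing,
 * select how tag check faults are reported (none/sync/async), choose which
 * allocation tags the IRG instruction may generate (bit i of irg_tags allows
 * tag i), and optionally restrict checking to store operations. */
unsigned long mte_ctrl_arg(unsigned long tcf_mode, uint16_t irg_tags, int store_only)
{
    unsigned long arg = PR_TAGGED_ADDR_ENABLE;

    arg |= tcf_mode & PR_MTE_TCF_MASK;
    arg |= ((unsigned long)irg_tags << PR_MTE_TAG_SHIFT) & PR_MTE_TAG_MASK;
    if (store_only)
        arg |= PR_MTE_STORE_ONLY;
    return arg;
}

/* The logical tag the CPU compares against the granule's allocation tag
 * lives in bits 59:56 of the virtual address; TBI keeps the top byte out
 * of address translation, so the rest of the pointer is unchanged. */
#define MTE_TAG_SHIFT 56
#define MTE_TAG_MASK  (0xfULL << MTE_TAG_SHIFT)

uint64_t mte_set_logical_tag(uint64_t addr, unsigned tag)
{
    return (addr & ~MTE_TAG_MASK) | ((uint64_t)(tag & 0xf) << MTE_TAG_SHIFT);
}

unsigned mte_get_logical_tag(uint64_t addr)
{
    return (unsigned)((addr & MTE_TAG_MASK) >> MTE_TAG_SHIFT);
}

/* Return 1 when two tagged addresses fall in the same 16-byte granule and
 * therefore share one allocation tag (the tag bits themselves are ignored). */
int mte_same_granule(uint64_t a, uint64_t b)
{
    return ((a & ~MTE_TAG_MASK) >> 4) == ((b & ~MTE_TAG_MASK) >> 4);
}

int main(void)
{
    /* Synchronous faults, every tag allowed for IRG, checks on stores only. */
    unsigned long arg = mte_ctrl_arg(PR_MTE_TCF_SYNC, 0xffff, 1);
    long cur;

    if (prctl(PR_SET_TAGGED_ADDR_CTRL, arg, 0, 0, 0) != 0) {
        /* EINVAL: the kernel or CPU offers no MTE, or no store-only
         * checking, and the whole request was rejected. */
        fprintf(stderr, "PR_SET_TAGGED_ADDR_CTRL(0x%lx): %s\n", arg, strerror(errno));
        return 1;
    }
    cur = prctl(PR_GET_TAGGED_ADDR_CTRL, 0, 0, 0, 0);
    printf("tagged address control = 0x%lx, store-only %s\n",
           cur, (cur & PR_MTE_STORE_ONLY) ? "on" : "off");
    return 0;
}
```

A useful check in a debugging build is to read PR_GET_TAGGED_ADDR_CTRL back after the set, as main() does: on a kernel without this series the store-only bit is rejected as an unknown flag, so the program knows whether loads are still being checked or whether it is running in the relaxed mode David asks about.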