Linux on 64-bit ARM is most commonly used with 4k pages and 3-level page tables. This results in a 39-bit address space rather than the full 64-bit address space.
It's possible to use 4-level page tables and then you get a 48-bit address space like you typically have on x86_64.
Linux also supports using 16k and 64k pages as the smallest unit. You lose compatibility with normal 32-bit ARM code and other advantages of 4k pages.
For security purposes, 4k pages are best for the most granular memory protection and reduced overhead for sparse memory usage.
It's nice to have the full 48-bit address for a lot of security features beyond just higher entropy ASLR. It's very useful for features based on shadow regions, quarantines, etc.
ARMv8.3 pointer authentication uses spare bits so there's a conflict between it and other features.
GrapheneOS is going to be moving to using the full 48-bit address space via 4-level page tables for current generation ARMv8.2 devices.
There isn't really a future for the current hardened_malloc design with a 39-bit address space, especially alongside CFI and other mappings.
ARMv8.4 brings memory tagging. It's another feature conflicting with pointer authentication, since it needs 4 bits for the pointer tags. It also needs address space.
Pointer authentication really seems like a mistake. They really should have done hardware shadow stacks instead.
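To put numbers on the address-space and spare-bit trade-offs raised in the thread, here is an added worked example (not from the original tweets). It derives the arm64 virtual-address width from page size and page-table levels, the kernel's Kconfig formula for maximum mmap randomisation bits, and how many pointer bits remain for a PAC once Top Byte Ignore (required by MTE, whose tag sits in bits 56-59) is enabled; the 48-bit cap assumes no 52-bit (LVA) support.

```c
#include <stdio.h>

/* Virtual-address width for arm64 Linux given the page size (as a shift)
 * and the number of page-table levels. Each level indexes a table of
 * 8-byte descriptors, so one level resolves page_shift - 3 bits. Linux
 * caps the result at 48 bits without 52-bit (LVA) support (assumed here). */
int va_bits(int page_shift, int levels)
{
    int va = page_shift + levels * (page_shift - 3);
    return va > 48 ? 48 : va;
}

/* Kernel Kconfig formula for the maximum mmap randomisation bits:
 * ARCH_MMAP_RND_BITS_MAX = VA_BITS - PAGE_SHIFT - 3. */
int mmap_rnd_bits_max(int va, int page_shift)
{
    return va - page_shift - 3;
}

/* Bits left for a pointer authentication code (PAC) in a 64-bit pointer:
 * the bits from the VA width up to bit 54 (bit 55 selects the user/kernel
 * half), plus bits 56-63 unless Top Byte Ignore is enabled. Memory
 * tagging (MTE) requires TBI because its 4-bit tag lives in bits 56-59. */
int pac_bits(int va, int tbi)
{
    return (55 - va) + (tbi ? 0 : 8);
}

int main(void)
{
    /* Constructed set of common arm64 Linux page-table configurations. */
    struct { const char *name; int shift, levels; } cfg[] = {
        { "4k/3-level",  12, 3 }, { "4k/4-level",  12, 4 },
        { "16k/3-level", 14, 3 }, { "64k/2-level", 16, 2 },
        { "64k/3-level", 16, 3 },
    };
    for (unsigned i = 0; i < sizeof cfg / sizeof cfg[0]; i++) {
        int va = va_bits(cfg[i].shift, cfg[i].levels);
        printf("%-12s VA=%2d bits  mmap rnd max=%2d  PAC bits: %2d (TBI/MTE) %2d (no TBI)\n",
               cfg[i].name, va, mmap_rnd_bits_max(va, cfg[i].shift),
               pac_bits(va, 1), pac_bits(va, 0));
    }
    return 0;
}
```

The 4k/3-level row is the 39-bit configuration from the top of the thread (24 bits of mmap randomisation, 16 PAC bits with TBI); moving to 4k/4-level gives 48 bits of VA and 33 bits of randomisation but leaves only 7 bits for the PAC once MTE's tag byte is reserved.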
Android is already using software shadow stacks (which work better on arm64 than x86_64) and type-based CFI. Memory tagging could be used to mimic hardware shadow stack support with a reserved tag. Primary use case for pointer authentication is better done in a deterministic way.
Deterministic protections are so much nicer than probabilistic ones prone to bypasses through leaks and side channels.
Nicest part of memory tagging is being able to reserve at least one tag for protected metadata and hardware canaries. Random tags are only a starting point.
I'd much rather have the CET shadow stacks on arm64 than pointer authentication. Stock Android also doesn't pay the cost needed to make traditional probabilistic mitigations work (grapheneos.org/usage#exec-spa). Doubt that's going to change for memory tagging + pointer authentication.