The Pixel 8 hardware (Tensor G3) supports the ARM Memory Tagging Extension (MTE), and software support is available both in Android userspace and the Linux kernel. This feature is a powerful defense against linear buffer overflows and many types of use-after-free flaws. I’m extremely happy to see this hardware finally available in the real world.
Turning it on for userspace is already wired up in the Android UI: Settings / System / Developer options / Memory Tagging Extension / Enable MTE until you turn it off. Once enabled it will internally change an Android “system property” named “arm64.memtag.bootctl” by adding the option “memtag”.
Turning it on for the kernel is slightly more involved, but not difficult at all. This requires manually setting the “arm64.memtag.bootctl” property mentioned above to include “memtag-kernel” as well:
- Plug your phone into a system that can run the adb tool
- If not already installed, install adb. For example on Debian/Ubuntu: sudo apt install adb
- Turn on “USB Debugging” in the phone’s “Developer options” menu, and accept the debugging session confirmation that will pop up when you first run adb
- Verify the current setting: adb shell getprop | grep memtag.bootctl
  [arm64.memtag.bootctl]: [memtag]
- Enable kernel MTE: adb shell setprop arm64.memtag.bootctl memtag,memtag-kernel
- Check the results: adb shell getprop | grep memtag.bootctl
  [arm64.memtag.bootctl]: [memtag,memtag-kernel]
- Reboot your phone
To check that MTE is enabled for the kernel (which is implemented using Kernel Address Sanitizer’s Hardware Tagging mode), you can check the kernel command line after rebooting:
$ mkdir foo && cd foo
$ adb bugreport
...
$ mkdir unpacked && cd unpacked
$ unzip ../bugreport*.zip
...
$ grep kasan= bugreport*.txt
...: Command line: ... kasan=off ... kasan=on ...
The latter “kasan=on” overrides the earlier “kasan=off”.
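As an added example (not part of the original post), two POSIX shell helpers that capture the logic of the steps above: composing the arm64.memtag.bootctl value without duplicating options, and picking out the effective kasan= setting from a kernel command line where a later option overrides an earlier one. The adb usage at the bottom assumes an installed, authorized adb and a phone that accepts the property; the helpers themselves work on plain strings.

```shell
#!/bin/sh
# Added example, not code from the original post. Pure string helpers for the
# arm64.memtag.bootctl procedure, so they can be exercised without a phone.

# memtag_bootctl_add CURRENT OPTION
# Print CURRENT with OPTION appended (comma separated) unless it is already
# present, so re-running the procedure never produces "memtag,memtag,...".
memtag_bootctl_add() {
    current="$1"
    option="$2"
    case ",$current," in
        *",$option,"*) printf '%s\n' "$current" ;;              # already set
        ",,")          printf '%s\n' "$option" ;;               # property was empty
        *)             printf '%s,%s\n' "$current" "$option" ;; # append
    esac
}

# effective_kasan CMDLINE
# Print the value of the LAST kasan= option on a kernel command line, since a
# later option overrides an earlier one (kasan=off ... kasan=on means "on").
# Prints "unset" when no kasan= option is present. Runs in a subshell with
# globbing disabled so a "*" in the command line is not expanded.
effective_kasan() (
    set -f
    result=unset
    for word in $1; do
        case "$word" in
            kasan=*) result="${word#kasan=}" ;;
        esac
    done
    printf '%s\n' "$result"
)

# Usage against a connected phone (assumes adb is installed and authorized):
#   cur=$(adb shell getprop arm64.memtag.bootctl | tr -d '\r')
#   new=$(memtag_bootctl_add "$(memtag_bootctl_add "$cur" memtag)" memtag-kernel)
#   adb shell setprop arm64.memtag.bootctl "$new"
#   adb reboot
# After rebooting and unpacking a bugreport as shown above:
#   effective_kasan "$(grep 'Command line:' bugreport*.txt)"   # expect "on"
```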
Enjoy!
© 2023, Kees Cook. This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 License.