The Pixel 8 hardware (Tensor G3) supports the ARM Memory Tagging Extension (MTE), and software support is available both in Android userspace and the Linux kernel. This feature is a powerful defense against linear buffer overflows and many types of use-after-free flaws. I’m extremely happy to see this hardware finally available in the real world.
You can enable this feature in both Android and the kernel, as the post explains. Sadly, the post does not explain whether there are any downsides to enabling this extension, and I'm certainly not the right person to investigate that. Does anyone in our audience know?
The original article explains it well enough.
So, basically this is implemented as additional metadata on pointers, which can be checked by the CPU when asked for it. Obviously this will have an overhead in every new memory access.
They then provide this guidance:
This is very reasonable, as many build systems already integrate some kind of "memory jail" (remember valgrind?). Especially for unit tests, and also for dev runs, this gives early feedback that something is wrong.
This is interesting. Basically, there is another mode which continues to check in the background but apparently does not block the memory access, and instead fails later on. Again, once you detect bugs, you can do a deeper dive.
Overall, I agree that these recommendations make sense. A strict mode for development, and permissive checks for runtime.
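To make the two points in the comment above concrete (tags carried in the pointer and checked on every access; a synchronous mode that blocks the faulting access versus an asynchronous mode that only records the fault for later), here is a small software model of MTE-style tagging. It is an added illustration written for this page, not code from the post, from Android or from the kernel, and it does not use the real MTE instructions or `prctl` interface: the arena, the 16-byte granules, the 4-bit tags in bits 56..59 of the address, the bump allocator and the `mte_*` function names are all constructed for the example. It also shows the granule caveat a practitioner should know: an overflow that stays inside the last 16-byte granule of an allocation is not caught, only the write that crosses into the neighbour's differently tagged granule is.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Toy model of MTE-style memory tagging (constructed for illustration, not real MTE).
 * Memory is split into 16-byte granules, each with a 4-bit tag; a "pointer" carries
 * its own 4-bit tag in bits 56..59, and every access compares the two. */
#define GRANULE    16
#define ARENA_SIZE 1024
#define NGRANULES  (ARENA_SIZE / GRANULE)
#define TAG_SHIFT  56
#define ADDR_MASK  ((1ULL << TAG_SHIFT) - 1)

enum tcf_mode { TCF_SYNC, TCF_ASYNC };   /* the two check modes discussed above */

static uint8_t arena[ARENA_SIZE];
static uint8_t granule_tag[NGRANULES];   /* the tag store for each granule */
static size_t  bump;                     /* next free offset of the bump allocator */
static uint8_t last_tag;                 /* tag of the most recent allocation */
static enum tcf_mode mode = TCF_SYNC;
static int async_fault;                  /* sticky "tag fault seen" flag (async mode) */

static uint64_t make_tagged(size_t off, uint8_t tag) { return ((uint64_t)tag << TAG_SHIFT) | off; }
static uint8_t  addr_tag(uint64_t a) { return (uint8_t)((a >> TAG_SHIFT) & 0xF); }
static size_t   addr_off(uint64_t a) { return (size_t)(a & ADDR_MASK); }

/* Reset the arena and select the check mode. */
void mte_reset(enum tcf_mode m) {
    memset(arena, 0, sizeof arena);
    memset(granule_tag, 0, sizeof granule_tag);
    bump = 0; last_tag = 0; mode = m; async_fault = 0;
}

/* Allocate n bytes; the new block always gets a tag different from its neighbour,
 * which is what makes a linear overflow into the next block a tag mismatch. */
uint64_t mte_malloc(size_t n) {
    size_t gran = (n + GRANULE - 1) / GRANULE;
    if (gran == 0) gran = 1;
    if (bump + gran * GRANULE > ARENA_SIZE) return 0;
    uint8_t tag = (uint8_t)((last_tag + 1) & 0xF);
    size_t off = bump;
    for (size_t g = 0; g < gran; g++) granule_tag[off / GRANULE + g] = tag;
    bump += gran * GRANULE; last_tag = tag;
    return make_tagged(off, tag);
}

/* Free: retag the granules, so any dangling pointer still carrying the old tag
 * mismatches on its next access (this is how use-after-free gets caught). */
void mte_free(uint64_t p, size_t n) {
    size_t gran = (n + GRANULE - 1) / GRANULE;
    if (gran == 0) gran = 1;
    uint8_t fresh = (uint8_t)((addr_tag(p) + 1) & 0xF);
    for (size_t g = 0; g < gran; g++) granule_tag[addr_off(p) / GRANULE + g] = fresh;
}

/* One byte store with the tag check. Returns 0 if the access went through, -1 if a
 * synchronous tag fault blocked it. In async mode the access is performed anyway and
 * only the sticky flag is raised, to be reported at a later point. */
int mte_store(uint64_t p, uint8_t v) {
    size_t off = addr_off(p);
    if (off >= ARENA_SIZE) return -1;
    if (granule_tag[off / GRANULE] != addr_tag(p)) {
        if (mode == TCF_SYNC) return -1;    /* precise: the faulting access is blocked */
        async_fault = 1;                    /* imprecise: noted, access still happens */
    }
    arena[off] = v;
    return 0;
}

int mte_async_fault_pending(void) { return async_fault; }

/* Linear overflow of an 8-byte buffer by write_len bytes in total.
 * Returns the index of the first byte whose store was blocked, or -1 if none was. */
int overflow_demo(enum tcf_mode m, size_t write_len) {
    mte_reset(m);
    uint64_t buf = mte_malloc(8);
    uint64_t neighbour = mte_malloc(8);   /* adjacent block, different tag */
    (void)neighbour;
    for (size_t i = 0; i < write_len; i++)
        if (mte_store(buf + i, 0x41) != 0) return (int)i;
    return -1;
}

/* Use-after-free: store through a pointer whose block was freed (and retagged). */
int uaf_demo(enum tcf_mode m) {
    mte_reset(m);
    uint64_t p = mte_malloc(16);
    mte_free(p, 16);
    return mte_store(p, 1);
}

int main(void) {
    printf("sync overflow blocked at byte %d\n", overflow_demo(TCF_SYNC, 32));
    printf("async overflow blocked at byte %d, fault pending=%d\n",
           overflow_demo(TCF_ASYNC, 32), mte_async_fault_pending());
    printf("sync UAF store result %d\n", uaf_demo(TCF_SYNC));
    return 0;
}
```

In sync mode the overflow is stopped at byte 16, the first byte that lands in the neighbour's granule; bytes 8..15 sit in the buffer's own granule and pass unnoticed, which is the granularity limit of the scheme. In async mode every store succeeds and only `mte_async_fault_pending()` tells you afterwards that something went wrong, which is exactly the "fail later on" behaviour that makes it cheap enough for production but less useful for pinpointing the bug.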