
MTE As Implemented, Part 3: The Kernel

ID: 97c8b1a2-b526-5468-80de-d3c689c77e8f

STIX ID: report--97c8b1a2-b526-5468-80de-d3c689c77e8f

Feed Name: Google Project Zero

Threat Score: 60/100

Date Published: 2023-08-02

Date Updated: 2026-04-27

Author: Google Project Zero

This Project Zero analysis examines the effectiveness of ARM Memory Tagging Extensions (MTE) for kernel mitigations. It identifies two classes of bypasses (known-tag and unknown-tag) and kernel-specific problems that weaken MTE protections: tag confidentiality loss via speculative side-channels, permissive TCR_ELx.TCMA1 allowing dereference of tag 0b1111, potential clearing of async tag-fault flags via TFSR_EL1, DMA and coprocessor interactions, and kernel pointer leaks (kcmp and pointer-keys). It also identifies design areas like TYPESAFE_BY_RCU and KASAN disablement that limit or negate coverage.
