MTE Bootloader support

Android 13 introduces an ABI for user-space to communicate the requested MTE mode to the bootloader. This can be used to enable MTE on devices that have hardware support but do not ship with MTE enabled by default, or to disable MTE on devices that do ship with it.

Bootloader support

To support this ABI, your bootloader needs to read the misc_memtag_message (defined in bootloader_message.h) from the misc partition. If a valid misc_memtag_message is found (MISC_VIRTUAL_AB_MAGIC_HEADER matches, and the version number is supported), the bootloader computes

memtag = (default_memtag && !(misc.memtag_mode & MISC_MEMTAG_MODE_MEMTAG_OFF)) ||
         (misc.memtag_mode & MISC_MEMTAG_MODE_MEMTAG) ||
         (misc.memtag_mode & MISC_MEMTAG_MODE_MEMTAG_ONCE)

memtag_kernel = (misc.memtag_mode & MISC_MEMTAG_MODE_MEMTAG_KERNEL) ||
                (misc.memtag_mode & MISC_MEMTAG_MODE_MEMTAG_KERNEL_ONCE)

default_memtag is the default memtag on/off setting for the SKU. If memtag is true, the bootloader sets up MTE tag reservation, enables tag checks in the lower exception levels, and communicates the tag reserved region to the kernel via DT. If memtag is false, the bootloader appends arm64.nomte to the kernel command line.

If memtag_kernel is true, the bootloader appends kasan=on to the kernel command line.

The bootloader MUST clear MISC_MEMTAG_MODE_MEMTAG_ONCE and MISC_MEMTAG_MODE_MEMTAG_KERNEL_ONCE on every boot.

If the bootloader supports fastboot oem mte, then fastboot oem mte on sets MISC_MEMTAG_MODE_{MEMTAG, MEMTAG_ONCE, MEMTAG_OFF} to (1, 0, 0), and fastboot oem mte off sets them to (0, 0, 1), while preserving the other flags.
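The decision logic and the fastboot oem mte flag handling described above, carried through as an added C example (not code from AOSP or from any shipping bootloader). The flag bit values, EX_MAGIC, EX_VERSION and the ex_-prefixed struct and function names are assumptions for illustration; the real message layout and constants come from bootloader_message.h.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Flag values are assumptions for this example; use bootloader_message.h. */
#define MISC_MEMTAG_MODE_MEMTAG             0x1u
#define MISC_MEMTAG_MODE_MEMTAG_ONCE        0x2u
#define MISC_MEMTAG_MODE_MEMTAG_KERNEL      0x4u
#define MISC_MEMTAG_MODE_MEMTAG_KERNEL_ONCE 0x8u
#define MISC_MEMTAG_MODE_MEMTAG_OFF         0x10u
#define EX_MAGIC   0x4d544531u /* constructed placeholder magic */
#define EX_VERSION 1u          /* constructed placeholder version */
/* Hypothetical, simplified stand-in for misc_memtag_message. */
struct ex_memtag_msg { uint8_t version; uint32_t magic; uint32_t memtag_mode; };
struct ex_boot_decision { bool memtag, memtag_kernel; };

/* Decide, then clear the one-shot flags so the caller writes m back to misc. */
struct ex_boot_decision ex_decide(struct ex_memtag_msg *m, bool default_memtag) {
    struct ex_boot_decision d = { default_memtag, false };
    if (m->magic != EX_MAGIC || m->version != EX_VERSION)
        return d; /* assumption: invalid message behaves like memtag_mode == 0 */
    uint32_t mode = m->memtag_mode;
    d.memtag = (default_memtag && !(mode & MISC_MEMTAG_MODE_MEMTAG_OFF)) ||
               (mode & MISC_MEMTAG_MODE_MEMTAG) ||
               (mode & MISC_MEMTAG_MODE_MEMTAG_ONCE);
    d.memtag_kernel = (mode & MISC_MEMTAG_MODE_MEMTAG_KERNEL) ||
                      (mode & MISC_MEMTAG_MODE_MEMTAG_KERNEL_ONCE);
    m->memtag_mode &= ~(MISC_MEMTAG_MODE_MEMTAG_ONCE |
                        MISC_MEMTAG_MODE_MEMTAG_KERNEL_ONCE);
    return d;
}

/* fastboot oem mte on/off: rewrites MEMTAG, MEMTAG_ONCE and MEMTAG_OFF only. */
uint32_t ex_oem_mte(uint32_t mode, bool on) {
    mode &= ~(MISC_MEMTAG_MODE_MEMTAG | MISC_MEMTAG_MODE_MEMTAG_ONCE |
              MISC_MEMTAG_MODE_MEMTAG_OFF);
    return mode | (on ? MISC_MEMTAG_MODE_MEMTAG : MISC_MEMTAG_MODE_MEMTAG_OFF);
}

int main(void) {
    /* Constructed sample: one-shot user-space MTE plus persistent kernel MTE. */
    struct ex_memtag_msg m = { EX_VERSION, EX_MAGIC,
        MISC_MEMTAG_MODE_MEMTAG_ONCE | MISC_MEMTAG_MODE_MEMTAG_KERNEL };
    for (int boot = 1; boot <= 2; boot++) {
        struct ex_boot_decision d = ex_decide(&m, false);
        printf("boot %d: cmdline +=%s%s\n", boot,
               d.memtag ? "" : " arm64.nomte", d.memtag_kernel ? " kasan=on" : "");
    }
    return 0;
}
```

On the second boot of the sample the one-shot user-space flag is gone, so the non-MTE default applies again while the persistent kernel flag still takes effect.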

You should configure your product to build the mtectrl binary for userspace support. Then, set the ro.arm64.memtag.bootctl_supported system property to indicate to the system that your bootloader supports the memtag message.

User interface

When the ro.arm64.memtag.bootctl_supported property is set, a button in the Developer Options menu allows the user to reboot once with MTE enabled. The target audience for this is app developers who want to test their apps with MTE.

System property

For advanced use, the system property arm64.memtag.bootctl can take a comma-separated list of the following values:

  • memtag: persistently enable user-space MTE (set MISC_MEMTAG_MODE_MEMTAG)
  • memtag-once: enable user-space MTE once (set MISC_MEMTAG_MODE_MEMTAG_ONCE)
  • memtag-kernel: enable kernel-space MTE (set MISC_MEMTAG_MODE_MEMTAG_KERNEL)
  • memtag-kernel-once: enable kernel-space MTE once (set MISC_MEMTAG_MODE_MEMTAG_KERNEL_ONCE)
  • memtag-off: disable MTE (set MISC_MEMTAG_MODE_MEMTAG_OFF)

The system has to be rebooted for the new setting to take effect (as it is applied by the bootloader).