POWER9 and tagged memory and why you care

Another excellent analysis by Hugo Landau (using findings from Jim Donoghue) on the presence — and accessibility — of hardware-supported tagged memory in the POWER9, even bare-metal POWER9s like ours. Operating systems like IBM i (formerly OS/400) use tagged pointers on every quadword for security purposes to mark pointers as valid, storing the tag data outside of the normal addressing space. If an invalid pointer is loaded, a trap instruction intercepts the fault. The instruction to set tags is undocumented and (apparently) privileged, and nothing other than IBM i currently uses it, but naturally that didn't stop these guys. Enabling tags active requires you set your POWER9 to big-endian and use the HPT MMU (i.e., the same configuration IBM i would run the CPU in). Hugo provides a detailed technical discussion on how they are accessed and stored, plus sample code (spoiler alert: the tag set instruction is 0x7c0103e6).