Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1751437AbbEGULe (ORCPT ); Thu, 7 May 2015 16:11:34 -0400 Received: from 251.110.2.81.in-addr.arpa ([81.2.110.251]:44963 "EHLO lxorguk.ukuu.org.uk" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751061AbbEGULd (ORCPT ); Thu, 7 May 2015 16:11:33 -0400 Date: Thu, 7 May 2015 21:11:18 +0100 From: One Thousand Gnomes To: Ingo Molnar Cc: Dave Hansen , linux-kernel@vger.kernel.org, x86@kernel.org Subject: Re: [PATCH 00/12] [RFC] x86: Memory Protection Keys Message-ID: <20150507211118.5f765fc6@lxorguk.ukuu.org.uk> In-Reply-To: <20150507192619.GA23338@gmail.com> References: <20150507174132.34AF8FAF@viggo.jf.intel.com> <20150507175707.GA22172@gmail.com> <554BAA68.6000508@sr71.net> <20150507201843.0ccf0938@lxorguk.ukuu.org.uk> <20150507192619.GA23338@gmail.com> Organization: Intel Corporation X-Mailer: Claws Mail 3.11.1 (GTK+ 2.24.27; x86_64-redhat-linux-gnu) MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Length: 2345 Lines: 61 On Thu, 7 May 2015 21:26:20 +0200 Ingo Molnar wrote: > > * One Thousand Gnomes wrote: > > > > We could keep heap metadata as R/O and only make it R/W inside of > > > malloc() itself to catch corruption more quickly. > > > > If you implement multiple malloc pools you can chop up lots of > > stuff. > > I'd say that a 64-bit address space is large enough to hide buffers in > from accidental corruption, without any runtime page protection > flipping overhead? I'd say no. And from actual real world demand for PK the answer is also no. It's already a problem with very large data sets. Worse still in many cases its a problem that nobody is actually measuring or doing much about (because mprotect on many gigabytes of data is expensive). > > In library land it isn't just stuff like malloc, you can use it as a > > debug weapon to protect library private data from naughty > > application code. > > > > There are some other debug uses when catching faults - fast ways to > > do range access breakpoints for example. > > I think libraries are happy enough to work without bugs - apps digging > around in library data are in a "you keep all the broken pieces" > situation, why would a library want to slow down every good citizen > down with extra protection flipping/unflipping accesses? For debugging, when the library maintained data is sensitive or something you don't want corupted, or because the user puts security first. Protection keys are an awful lot faster than mprotect. You've got no synchronization and shootdowns to do just a CPU register to load to indicate which mask of keys you are happy with. That really changes what it is useful for, because it's cheap. It means you can happily do stuff like while(data_blocks) { allow_key_and_source_access(); do_crypto_func(); revoke_key_and_source_access(); do_network_io(); /* Can't accidentally leak keys or input */ } > Also, will apps/libraries bother if it's not a standard API and if it > only runs on very fresh CPUs? In time I think yes. Alan -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/