Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1751348AbeAEAGe (ORCPT <rfc822;ralf@linux-mips.org> + 1 other);
        Thu, 4 Jan 2018 19:06:34 -0500
Received: from mail-vk0-f65.google.com ([209.85.213.65]:40673 "EHLO
        mail-vk0-f65.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1751166AbeAEAGd (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Thu, 4 Jan 2018 19:06:33 -0500
X-Google-Smtp-Source: ACJfBos76xrbBUfXSiiLEcvOcQXPt+f8uQpmKhwPpM3qEJtxPYvVPcHN2njDLR+L6d4+R2HDFJN0G7K0TID0elWVE7g=
MIME-Version: 1.0
In-Reply-To: <20180104205458.6E55ED20@viggo.jf.intel.com>
References: <20180104205458.6E55ED20@viggo.jf.intel.com>
From: Kees Cook <keescook@google.com>
Date: Thu, 4 Jan 2018 16:06:30 -0800
Message-ID: <CAGXu5jKF089SKyWfMpSqV1M=uhS9j2_kOD+hUekhcX78xEEjPw@mail.gmail.com>
Subject: Re: [PATCH] x86/doc: add PTI description
To: Dave Hansen <dave.hansen@linux.intel.com>
Cc: LKML <linux-kernel@vger.kernel.org>, X86 ML <x86@kernel.org>,
        moritz.lipp@iaik.tugraz.at,
        Daniel Gruss <daniel.gruss@iaik.tugraz.at>,
        michael.schwarz@iaik.tugraz.at, richard.fellner@student.tugraz.at,
        Andy Lutomirski <luto@kernel.org>,
        Linus Torvalds <torvalds@linux-foundation.org>,
        Hugh Dickins <hughd@google.com>
Content-Type: text/plain; charset="UTF-8"
Sender: linux-kernel-owner@vger.kernel.org
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>

On Thu, Jan 4, 2018 at 12:54 PM, Dave Hansen
<dave.hansen@linux.intel.com> wrote:
> [...]
> +For new userspace mappings, the kernel makes the entries in its
> +page tables like normal.  The only difference is when the kernel
> +makes entries in the top (PGD) level.  In addition to setting the
> +entry in the main kernel PGD, a copy of the entry is made in the
> +userspace page tables' PGD.

It might be worth noting that NX is set in the kernel's view of the
userspace page tables.

> [...]
> +1. Increased Memory Use
> +  a. Each process now needs an order-1 PGD instead of order-0.
> +     (Consumes 4k per process).

"Consumes an additional 4k per process" ?

> [...]
> +  d. Process Context IDentifiers (PCID) is a CPU feature that
> +     allows us to skip flushing the entire TLB when switching page
> +     tables.  This makes switching the page tables (at context
> +     switch, or kernel entry/exit) cheaper.  But, on systems with
> +     PCID support, the context switch code must flush both the user
> +     and kernel entries out of the TLB.  The user PCID TLB flush is
> +     deferred until the exit to userspace, minimizing the cost.

Does this mean it's possible to bypass the NX on userspace pages?

> [...]
> +  g. On systems without PCID support, each CR3 write flushes
> +     the entire TLB.  That means that each syscall, interrupt
> +     or exception flushes the TLB.

Is it worth clarifying this for hardware support of PCID vs INVPCID?

Otherwise, looks good!

Reviewed-by: Kees Cook <keescook@chromium.org>

-Kees

-- 
Kees Cook
Pixel Security