Date: Tue, 9 Jan 2018 05:22:01 +0100
From: Willy Tarreau
To: Andy Lutomirski
Cc: Dave Hansen, linux-kernel@vger.kernel.org, x86@kernel.org, tglx@linutronix.de, gnomes@lxorguk.ukuu.org.uk, torvalds@linux-foundation.org, Kees Cook
Subject: Re: [PATCH RFC 3/4] x86/pti: don't mark the user PGD with _PAGE_NX.
Message-ID: <20180109042201.GA11519@1wt.eu>
References: <1515427939-10999-1-git-send-email-w@1wt.eu> <1515427939-10999-4-git-send-email-w@1wt.eu> <57039ac1-efe2-2f97-386f-dab0b90f64a5@intel.com>

Hi Andy,

On Mon, Jan 08, 2018 at 03:05:48PM -0800, Andy Lutomirski wrote:
> On 01/08/2018 09:03 AM, Dave Hansen wrote:
> > On 01/08/2018 08:12 AM, Willy Tarreau wrote:
>
> I vote per-thread.

The per-mm approach that Linus suggested doesn't look bad either and makes
quite some sense.

> Anyway, we can easily sync the NX-clearing: just catch the spurious page
> fault and clear the bit. Avoiding infinite loops will need a bit of
> thought, but it's surely doable.

That's an excellent idea, even though I have no idea how to implement it :-)

> Or we set a per-mm flag saying "no NX", then do synchronize_sched() or
> similar if we were the first to set it (or take the pagetable lock), then
> clear all the NX bits. Again, needs some care, but doable.
>
> FWIW, the NX trick quite nicely emulates SMEP on non-SMEP hardware, which is
> fantastic for Spectre resistance and general hardening.

Yes, I figured exactly this when I faced this protection!

> Turning it off totally defeats that, which hurts a bit.

I agree, that's why I'd like it to be conditional. Probably with your idea of
catching the page fault and the per-mm flag it would work quite well, but
before being able to do this I still have a lot to explore :-/

> Also, Kees should be CC'd here.

Yes, I've added him and you (and a few others) in CC of all forthcoming
patches. Sorry for not adding you initially, I simply wanted to share a quick
experiment and initiate a discussion.

Willy