Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1752501AbeAIV1U (ORCPT + 1 other); Tue, 9 Jan 2018 16:27:20 -0500 Received: from mail.kernel.org ([198.145.29.99]:59058 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751397AbeAIV1T (ORCPT ); Tue, 9 Jan 2018 16:27:19 -0500 DMARC-Filter: OpenDMARC Filter v1.3.2 mail.kernel.org A46C621749 Authentication-Results: mail.kernel.org; dmarc=none (p=none dis=none) header.from=kernel.org Authentication-Results: mail.kernel.org; spf=none smtp.mailfrom=luto@kernel.org X-Google-Smtp-Source: ACJfBotRK5m/DjeXjWAISM1Vm/J3Hl2TGeY40pAfxa7Aaha6cuaJMaKGJ8y5YF/9l2M+4b42aRUvIOc/gHfge6x90Ik= MIME-Version: 1.0 In-Reply-To: <20180109145422.GD12976@1wt.eu> References: <1515502580-12261-1-git-send-email-w@1wt.eu> <1515502580-12261-3-git-send-email-w@1wt.eu> <20180109141713.ngqrf6weyiy2q3in@pd.tnic> <20180109143653.GA12976@1wt.eu> <20180109145157.5ltqbz4o5sqkcggb@pd.tnic> <20180109145422.GD12976@1wt.eu> From: Andy Lutomirski Date: Tue, 9 Jan 2018 13:26:57 -0800 X-Gmail-Original-Message-ID: Message-ID: Subject: Re: [RFC PATCH v2 2/6] x86/arch_prctl: add ARCH_GET_NOPTI and ARCH_SET_NOPTI to enable/disable PTI To: Willy Tarreau Cc: Borislav Petkov , LKML , X86 ML , Andy Lutomirski , Brian Gerst , Dave Hansen , Ingo Molnar , Linus Torvalds , Peter Zijlstra , Thomas Gleixner , Josh Poimboeuf , "H. Peter Anvin" , Kees Cook Content-Type: text/plain; charset="UTF-8" Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Return-Path: On Tue, Jan 9, 2018 at 6:54 AM, Willy Tarreau wrote: > On Tue, Jan 09, 2018 at 03:51:57PM +0100, Borislav Petkov wrote: >> On Tue, Jan 09, 2018 at 03:36:53PM +0100, Willy Tarreau wrote: >> > I see and am not particularly against this, but what use case do you >> > have in mind precisely ? I doubt it's just saving a few tens of bytes, >> > so probably you're more concerned about the potential risks this opens ? >> > But given we only allow this for CAP_SYS_RAWIO and these ones already >> > have access to /dev/mem and many other things, don't you think there >> > are much easier ways to dump kernel memory in this case than trying to >> > inject some meltdown code into the victim process ? Or maybe you have >> > other cases in mind that I'm not seeing. >> >> I'd like this to be config-controllable so that distros can make the >> decision whether/if they want to support the whole per-mm thing. > > OK. > >> Also, if CAP_SYS_RAWIO is going to protect, please make the >> ARCH_GET_NOPTI variant check it too. > > Interestingly I removed the check consecutive to the discussions. But > I think I'll simply remove the whole ARCH_GET_NOPTI as it has no real > value beyond initial development. > I've thought about this a bit more. Here are my thoughts: 1. I don't like it being per-mm. I think it should be a per-thread control so that a program can have a thread with PTI that runs less-trusted JavaScript and other network threads with PTI off. Obviously we lose NX protection mm-wide if any threads have PTI off. I think the way to implement this is: Have this in struct mm_context: bool has_non_pti_thread; To turn PTI off on a thread: Take pagetable_lock. if (!has_non_pti_thread) { context.has_non_pti_thread = true; clear the NX bits; } drop pagetable_lock; set the TI flag; Fork clears the per-mm flag in the new mm. Exec clears it, too. I think that's all that's needed. Newly created threads always have PTI on. To turn PTI back on, just clear the TI flag. 2.Turning off PTI is, in general, a terrible idea. It totally breaks any semblance of a security model on a Meltdown-affected CPU. So I think we should require CAP_SYS_RAWIO *and* that the system is booted with pti=allow_optout or something like that. --Andy