Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1755583AbeAJQCv (ORCPT <rfc822;ralf@linux-mips.org> + 1 other);
        Wed, 10 Jan 2018 11:02:51 -0500
Received: from Galois.linutronix.de ([146.0.238.70]:56214 "EHLO
        Galois.linutronix.de" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1755413AbeAJQCt (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Wed, 10 Jan 2018 11:02:49 -0500
Date: Wed, 10 Jan 2018 17:02:32 +0100 (CET)
From: Thomas Gleixner <tglx@linutronix.de>
To: Dave Hansen <dave.hansen@intel.com>
cc: Andrea Arcangeli <aarcange@redhat.com>,
        Jon Masters <jcm@redhat.com>,
        "Woodhouse, David" <dwmw@amazon.co.uk>,
        Paolo Bonzini <pbonzini@redhat.com>,
        Alan Cox <gnomes@lxorguk.ukuu.org.uk>,
        Linus Torvalds <torvalds@linux-foundation.org>,
        Andi Kleen <andi@firstfloor.org>,
        Greg Kroah-Hartman <gregkh@linux-foundation.org>,
        Tim Chen <tim.c.chen@linux.intel.com>,
        Linux Kernel Mailing List <linux-kernel@vger.kernel.org>,
        Jeff Law <law@redhat.com>, Nick Clifton <nickc@redhat.com>,
        Andy Lutomirski <luto@kernel.org>,
        Peter Zijlstra <peterz@infradead.org>
Subject: Re: Avoid speculative indirect calls in kernel
In-Reply-To: <24e30389-00a5-b4ee-9610-fa70ebf1cea6@intel.com>
Message-ID: <alpine.DEB.2.20.1801101701070.1919@nanos>
References: <20180104015920.1ad7b9d3@alans-desktop> <e3a0fa73-1328-aa42-13ea-c670c8d4ac87@redhat.com> <1515054014.12987.75.camel@amazon.co.uk> <403e65be-cfd1-fd08-0401-2e26470b63d4@redhat.com> <4dde456c-fd15-e768-8876-5844c8b7c455@redhat.com>
 <alpine.DEB.2.20.1801050153290.2127@nanos> <9976a670-a023-ea1f-3f13-ee5253092533@redhat.com> <alpine.DEB.2.20.1801051045120.1724@nanos> <20180108102805.GK25546@redhat.com> <alpine.DEB.2.20.1801082152200.2253@nanos> <20180108213223.GF4703@redhat.com>
 <alpine.DEB.2.20.1801100144330.2200@nanos> <24e30389-00a5-b4ee-9610-fa70ebf1cea6@intel.com>
User-Agent: Alpine 2.20 (DEB 67 2015-01-07)
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Sender: linux-kernel-owner@vger.kernel.org
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>

On Tue, 9 Jan 2018, Dave Hansen wrote:
> On 01/09/2018 04:45 PM, Thomas Gleixner wrote:
> > On Mon, 8 Jan 2018, Andrea Arcangeli wrote:
> >> On Mon, Jan 08, 2018 at 09:53:02PM +0100, Thomas Gleixner wrote:
> >> Did my best to do the cleanest patch for tip, but I now figured Dave's
> >> original comment was spot on: a _PAGE_NX clear then becomes necessary
> >> also after pud_alloc not only after p4d_alloc.
> >>
> >> pmd_alloc would run into the same with x86 32bit non-PAE too.
> 
> non-PAE doesn't have an NX bit. :)
> 
> But we #define _PAGE_NX down to 0 there so it's harmless.
> 
> >> So there are two choices, either going back to one single _PAGE_NX
> >> clear from the original Dave's original patch as below, or to add
> >> multiple clear after each level which was my objective and is more
> >> robust, but it may be overkill in this case. As long as it was one
> >> line it looked a clear improvement.
> >>
> >> Considering the caller in both cases is going to abort I guess we can
> >> use the one liner approach as Dave and Jiri did originally.
> > 
> > Dave ?
> 
> I agree with Andrea.  The patch in -tip potentially misses the pgd
> clearing if pud_alloc() sets a PGD.  It would also be nice to have that
> comment back.
> 
> Note that the -tip commit probably works in *practice* because for two
> adjacent calls to map_tboot_page() that share a PGD entry, the first
> will clear NX, *then* allocate and set the PGD (without NX clear).  The
> second call will *not* allocate but will clear the NX bit.
> 
> The patch I think we want is attached.

Color me confused. I have queued the one below in tip. It lacks the comment
and does the !NX at a different place.

Thanks,

	tglx

8<-----------------	

commit 262b6b30087246abf09d6275eb0c0dc421bcbe38
Author: Dave Hansen <dave.hansen@linux.intel.com>
Date:   Sat Jan 6 18:41:14 2018 +0100

    x86/tboot: Unbreak tboot with PTI enabled
    
    This is another case similar to what EFI does: create a new set of
    page tables, map some code at a low address, and jump to it.  PTI
    mistakes this low address for userspace and mistakenly marks it
    non-executable in an effort to make it unusable for userspace.
    
    Undo the poison to allow execution.
    
    Fixes: 385ce0ea4c07 ("x86/mm/pti: Add Kconfig")
    Signed-off-by: Dave Hansen <dave.hansen@linux.intel.com>
    Signed-off-by: Andrea Arcangeli <aarcange@redhat.com>
    Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
    Cc: Alan Cox <gnomes@lxorguk.ukuu.org.uk>
    Cc: Tim Chen <tim.c.chen@linux.intel.com>
    Cc: Jon Masters <jcm@redhat.com>
    Cc: Dave Hansen <dave.hansen@intel.com>
    Cc: Andi Kleen <andi@firstfloor.org>
    Cc: Jeff Law <law@redhat.com>
    Cc: Paolo Bonzini <pbonzini@redhat.com>
    Cc: Linus Torvalds <torvalds@linux-foundation.org>
    Cc: Greg Kroah-Hartman <gregkh@linux-foundation.org>
    Cc: David" <dwmw@amazon.co.uk>
    Cc: Nick Clifton <nickc@redhat.com>
    Cc: stable@vger.kernel.org
    Link: https://lkml.kernel.org/r/20180108102805.GK25546@redhat.com

diff --git a/arch/x86/kernel/tboot.c b/arch/x86/kernel/tboot.c
index a4eb27918ceb..75869a4b6c41 100644
--- a/arch/x86/kernel/tboot.c
+++ b/arch/x86/kernel/tboot.c
@@ -127,6 +127,7 @@ static int map_tboot_page(unsigned long vaddr, unsigned long pfn,
 	p4d = p4d_alloc(&tboot_mm, pgd, vaddr);
 	if (!p4d)
 		return -1;
+	pgd->pgd &= ~_PAGE_NX;
 	pud = pud_alloc(&tboot_mm, p4d, vaddr);
 	if (!pud)
 		return -1;