DMARC-Filter: OpenDMARC Filter v1.3.2 mail.kernel.org E499E2175A
MIME-Version: 1.0
In-Reply-To: <20180110091102.GH14066@1wt.eu>
References: <1515502580-12261-1-git-send-email-w@1wt.eu> <1515502580-12261-7-git-send-email-w@1wt.eu>
 <20180110082207.GX29822@worktop.programming.kicks-ass.net> <20180110091102.GH14066@1wt.eu>
From: Andy Lutomirski <luto@kernel.org>
Date: Wed, 10 Jan 2018 11:21:15 -0800
Message-ID: <CALCETrXQFL2sJPJe_Z8XLEo11V_tLyZR0y4PTRxJzrhmpdsuJg@mail.gmail.com>
Subject: Re: [RFC PATCH v2 6/6] x86/entry/pti: don't switch PGD on when
 pti_disable is set
To: Willy Tarreau <w@1wt.eu>
Cc: Peter Zijlstra <peterz@infradead.org>,
        LKML <linux-kernel@vger.kernel.org>, X86 ML <x86@kernel.org>,
        Andy Lutomirski <luto@kernel.org>,
        Borislav Petkov <bp@alien8.de>,
        Brian Gerst <brgerst@gmail.com>,
        Dave Hansen <dave.hansen@linux.intel.com>,
        Ingo Molnar <mingo@kernel.org>,
        Linus Torvalds <torvalds@linux-foundation.org>,
        Thomas Gleixner <tglx@linutronix.de>,
        Josh Poimboeuf <jpoimboe@redhat.com>,
        "H. Peter Anvin" <hpa@zytor.com>,
        Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
        Kees Cook <keescook@chromium.org>
Content-Type: text/plain; charset="UTF-8"
Sender: linux-kernel-owner@vger.kernel.org

On Wed, Jan 10, 2018 at 1:11 AM, Willy Tarreau <w@1wt.eu> wrote:
> On Wed, Jan 10, 2018 at 09:22:07AM +0100, Peter Zijlstra wrote:
>> On Tue, Jan 09, 2018 at 01:56:20PM +0100, Willy Tarreau wrote:
>> >   - use pti_disable instead of task flag
>> > ---
>> >  arch/x86/entry/calling.h | 5 +++++
>> >  1 file changed, 5 insertions(+)
>> >
>> > diff --git a/arch/x86/entry/calling.h b/arch/x86/entry/calling.h
>> > index 2c0d3b5..5361a10 100644
>> > --- a/arch/x86/entry/calling.h
>> > +++ b/arch/x86/entry/calling.h
>> > @@ -229,6 +229,11 @@
>> >
>> >  .macro SWITCH_TO_USER_CR3_NOSTACK scratch_reg:req scratch_reg2:req
>> >     ALTERNATIVE "jmp .Lend_\@", "", X86_FEATURE_PTI
>> > +
>> > +   /* The "pti_disable" mm attribute is mirrored into this per-cpu var */
>> > +   cmpb    $0, PER_CPU_VAR(pti_disable)
>> > +   jne     .Lend_\@
>> > +
>> >     mov     %cr3, \scratch_reg
>>
>> So could you switch back to a task flag for this? That word is already
>> cache-hot on the exit path while your new variable is not.
>
> That's a good point. There's already been some demands for a per-thread
> setting.
>
> What I can propose then is to partially revert the changes to have this :
>
>   - arch_prctl() adjusts the task flag and not a per-mm variable anymore
>     (Linus, are you OK for this ?)
>
>   - arch_prctl() only accepts to perform the action if mm->mm_users == 1
>     so that we don't change the setting after having created threads ;
>     this way the task flag is replicated to all future threads ;
>
>   - later we may decide to permit re-enabling PTI per thread if it was
>     disabled.
>
> If we agree on this, I'd like to propose to have two flags :
>
>   - TIF_DISABLE_PTI_NOW : disable PTI for the current task, reset by execve()
>   - TIF_DISABLE_PTI_NEXT : disable PTI after execve(), reset by execve()

I really dislike state that isn't cleared on execve().  I'm assuming
that this is so you can run time pwn_me_without_pti whatever?  Surely
LD_PRELOAD can do this, too?