Received: by 10.223.176.46 with SMTP id f43csp262143wra; Thu, 18 Jan 2018 17:01:42 -0800 (PST) X-Google-Smtp-Source: ACJfBouSeHpIAqBtdS8Eiq0ydmnK8gwYcmx2SllDcB0s9i1QNPdUORkZs/Uk5m74+g9GOkiJrrPm X-Received: by 10.99.156.26 with SMTP id f26mr6490548pge.65.1516323702464; Thu, 18 Jan 2018 17:01:42 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1516323702; cv=none; d=google.com; s=arc-20160816; b=G3KhGkzPNXgbTGypKp7hHhmNBOSjS2vlP3ejkZvBdpwrkXSxgikQD9FbUrYKOhdOVS LUZGrClLbu7anT449OBbUOwkH1TK30jb18JmaiD0GExAaDkwQUKheHbZBqE+hNyqlaHh VbuzfOd7CIWTnpsPqbHShs9EYxnXxPII8uZ1Kw7mWiAIPX3v1fSzMi/AgNpso/aUZnc+ vCYLICBf5tT0/QFau3SvNfDGrNrnCubtRsNxWFpOMh7KHAALLHo0hoSGXCy1Op8klHvG 2TnEjonc0Vjp7mMJvJsb3MqBAcu5vPAM68dSr/fwgQJt/o7B/06DMqiqz86awT7MFgL0 JUDw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:subject:content-transfer-encoding :in-reply-to:mime-version:user-agent:date:message-id:organization :from:cc:references:to:arc-authentication-results; bh=DQb1MR4xdYsz4SZ+3UK//nlGTlGSYt8Wp2RFh3STg/k=; b=VEaSOEjeA0PX/HWG9BqUV1zFz3FrmvP9xbF/D6Cl3+iA8WZATSbPQYnGt3esGYyOCc GIr9Np1S33gtQCiIPVVyP1IHR4oV5R+Wuhy5Q2dn/jI2XnU7CI4X0rLAEZ4foQPRKz7N CTWnZP+2oliBoEsj1Gxel9ONEFiunOcnkhJ8+EeAVVrKhLV2T8XoxOxPZdBu6fnmTmHO 1Uf8n8B2/hwEAYknLyeSPk8abND6brZFGbEsMAkyjCnfBqMnhsfALUv9UmH+CDfWJ15Z mY4oGo0ihOR51TuhCnTP5cMa756WY8lgzDaENxQiQuLmf7qQNJM/oTjif4InUAue80WH +Otg== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id s14si7181579pgf.741.2018.01.18.17.01.27; Thu, 18 Jan 2018 17:01:42 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1752184AbeASBA5 (ORCPT + 99 others); Thu, 18 Jan 2018 20:00:57 -0500 Received: from edison.jonmasters.org ([173.255.233.168]:36022 "EHLO edison.jonmasters.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1754862AbeASBAu (ORCPT ); Thu, 18 Jan 2018 20:00:50 -0500 Received: from boston.jonmasters.org ([74.92.29.237] helo=washington.bos.jonmasters.org) by edison.jonmasters.org with esmtpsa (TLS1.0:DHE_RSA_AES_128_CBC_SHA1:16) (Exim 4.71) (envelope-from ) id 1ecL32-00018a-Ka; Fri, 19 Jan 2018 01:00:49 +0000 To: Will Deacon , Jayachandran C References: <1515157961-20963-4-git-send-email-will.deacon@arm.com> <20180108072253.GA178830@jc-sabre> <9bc1f137-d78c-e46e-e1bc-f49160d5f289@arm.com> <20180108174016.GB180149@jc-sabre> <20180108175100.GW25869@arm.com> <20180109040626.GB4924@jc-sabre> <20180109100034.GD4297@arm.com> Cc: Marc Zyngier , linux-arm-kernel@lists.infradead.org, lorenzo.pieralisi@arm.com, ard.biesheuvel@linaro.org, catalin.marinas@arm.com, linux-kernel@vger.kernel.org, labbott@redhat.com, christoffer.dall@linaro.org From: Jon Masters Organization: World Organi{s,z}ation Of Broken Dreams Message-ID: Date: Thu, 18 Jan 2018 20:00:47 -0500 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Thunderbird/45.0 MIME-Version: 1.0 In-Reply-To: <20180109100034.GD4297@arm.com> Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 7bit X-SA-Exim-Connect-IP: 74.92.29.237 X-SA-Exim-Mail-From: jcm@jonmasters.org X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on edison.jonmasters.org X-Spam-Level: X-Spam-Status: No, score=-2.9 required=5.0 tests=ALL_TRUSTED,BAYES_00, T_RP_MATCHES_RCVD autolearn=ham version=3.3.1 Subject: Re: [v2,03/11] arm64: Take into account ID_AA64PFR0_EL1.CSV3 X-SA-Exim-Version: 4.2.1 (built Sun, 08 Nov 2009 07:31:22 +0000) X-SA-Exim-Scanned: Yes (on edison.jonmasters.org) Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On 01/09/2018 05:00 AM, Will Deacon wrote: > On Mon, Jan 08, 2018 at 08:06:27PM -0800, Jayachandran C wrote: >> On Mon, Jan 08, 2018 at 05:51:00PM +0000, Will Deacon wrote: >>> On Mon, Jan 08, 2018 at 09:40:17AM -0800, Jayachandran C wrote: >>>> On Mon, Jan 08, 2018 at 09:20:09AM +0000, Marc Zyngier wrote: >>>>> On 08/01/18 07:24, Jayachandran C wrote: >>>>>> diff --git a/arch/arm64/kernel/cpufeature.c b/arch/arm64/kernel/cpufeature.c >>>>>> index 19ed09b..202b037 100644 >>>>>> --- a/arch/arm64/kernel/cpufeature.c >>>>>> +++ b/arch/arm64/kernel/cpufeature.c >>>>>> @@ -862,6 +862,13 @@ static bool unmap_kernel_at_el0(const struct arm64_cpu_capabilities *entry, >>>>>> return __kpti_forced > 0; >>>>>> } >>>>>> >>>>>> + /* Don't force KPTI for CPUs that are not vulnerable */ >>>>>> + switch (read_cpuid_id() & MIDR_CPU_MODEL_MASK) { >>>>>> + case MIDR_CAVIUM_THUNDERX2: >>>>>> + case MIDR_BRCM_VULCAN: >>>>>> + return false; >>>>>> + } >>>>>> + >>>>>> /* Useful for KASLR robustness */ >>>>>> if (IS_ENABLED(CONFIG_RANDOMIZE_BASE)) >>>>>> return true; >>>>>> >>>>> >>>>> KPTI is also an improvement for KASLR. Why would you deprive a user of >>>>> the choice to further secure their system? >>>> >>>> The user has a choice with kpti= at the kernel command line, so we are >>>> not depriving the user of a choice. KASLR is expected to be enabled by >>>> distributions, and KPTI will be enabled by default as well. >>>> >>>> On systems that are not vulnerable to variant 3, this is an unnecessary >>>> overhead. >>> >>> KASLR can be bypassed on CPUs that are not vulnerable to variant 3 simply >>> by timing how long accesses to kernel addresses from EL0 take -- please read >>> the original KAISER paper for details about that attack on x86. kpti >>> mitigates that. If you don't care about KASLR, don't enable it (arguably >>> it's useless without kpti). >> >> The code above assumes that all ARM CPUs (now and future) will be vulnerable >> to timing attacks that can bypass KASLR. I don't think that is a correct >> assumption to make. > > Well, the code is assuming that the difference between a TLB hit and a miss > can be measured and that permission faulting entries can be cached in the > TLB. I think that's a safe assumption for the moment. You can also disable > kaslr on the command line and at compile-time if you don't want to use it, > and the same thing applies to kpti. I really see this more as user > preference, rather than something that should be keyed off the MIDR and we > already provide those controls via the command line. > > To be clear: I'll take the MIDR whitelisting, but only after the KASLR check > above. > >> If ThunderX2 is shown to be vulnerable to any timing based attack we can >> certainly move the MIDR check after the check for the CONFIG_RANDOMIZE_BASE. >> But I don't think that is the case now, if you have any PoC code to check >> this I can run on the processor and make the change. > > I haven't tried, but if you have a TLB worth its salt, I suspect you can > defeat kaslr by timing prefetches or faulting loads to kernel addresses. > >> It is pretty clear that we need a whitelist check either before or after the >> CONFIG_RANDOMIZE_BASE check. > > Please send a patch implementing this after the check. JC: what's the plan here from Cavium? I didn't see such a patch (but might have missed it). I've asked that we follow the same logic as on x86 within Red Hat and default to disabling (k)pti on hardware known not to be vulnerable to that explicit attack. Sure, KASLR bypass is "not good"(TM) and there are ton(ne)s of new ways to do that found all the time, but the performance hit is non-zero and there is a difference between breaking randomization vs. leaking cache data, and HPC folks are among those who are going to come asking why they need to turn off PTI all over the place. The equivalent would be on x86 where one vendor always has PTI enabled, the other only if the user explicitly requests that it be turned on at boot time. Jon.