Received: by 10.223.176.46 with SMTP id f43csp629205wra; Fri, 26 Jan 2018 04:29:30 -0800 (PST) X-Google-Smtp-Source: AH8x226+reeH1hqKNmA87VuuNE1L4SyW9TBZ0+3e89OtQJ9PIrrg1ZnDyQdHYOT57A09HbMViisG X-Received: by 2002:a17:902:7148:: with SMTP id u8-v6mr14189955plm.255.1516969770747; Fri, 26 Jan 2018 04:29:30 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1516969770; cv=none; d=google.com; s=arc-20160816; b=EutIeP75uZ5oJgg9ST0m5rbTTxyiec5OuU+RzNg1GJFGBzk6HEzaq39kV9TspODfLK SwkXuMWkFq9g457bE+u7wjOxQF/+gxuE6dBuitGDZU67EIM7lCiOvCgRdVMggFwBzddL jb/i1pZSTM2iV/psfKEMTVOxherfxtju8pTE95wNGYcbNtP6EsPX1UG0l52jKGPC3AjJ 54b9qaTffXxiHbUvLP5iXmNTrbO7mfd3SwrGHMe1CK695oYrxhpS+TAXez/SQI/rNKuS /4Oj9ABpaf/OCdMet9gumw/tUCRUeH50XC/HC9YZvSAqPoNpPhaGe91fMR+fbfYY4Jfm w9/Q== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding :content-language:in-reply-to:mime-version:user-agent:date :message-id:from:references:cc:to:subject:arc-authentication-results; bh=pUbjzLqW+NXFeUzmffI3cvEOc4IpoH102CZ7hs6p77I=; b=abx77AkTmrxZbIWh4+ZfU9RQz79BNc2xCl3A6BdzvH5BJauH1mHtERaoy6fKYMwlzN z8T4hgI8HWmw+hBULDjylIzq9n/VqwkCrqUXT19KTKrL7ES3w7jIFAC1uyW6HBuqDjrW WCvMdrdMxJC6GH9KhrgCvQVXSmCHR8ZzB49C8CS1fGfqCf8pLMSrmeNEewgzcyHIHkG6 dvKKQbcbWIuJnQRJxa+w6hpdVDeE+MFjdjWGvAaFpU8MSEiAZuvnQH3LhwGCMQPFnrVN PvSr7YaLO4sH1/fDFq80MnnheNlBK9GeQJ0/1QjuOv8tfr+4HV8n7zgFqb4B93BFvo7D YMJQ== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id t2si2930293pgc.747.2018.01.26.04.29.16; Fri, 26 Jan 2018 04:29:30 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1752043AbeAZM2R (ORCPT + 99 others); Fri, 26 Jan 2018 07:28:17 -0500 Received: from lhrrgout.huawei.com ([194.213.3.17]:23007 "EHLO huawei.com" rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP id S1751830AbeAZM2P (ORCPT ); Fri, 26 Jan 2018 07:28:15 -0500 Received: from LHREML712-CAH.china.huawei.com (unknown [172.18.7.107]) by Forcepoint Email with ESMTP id A227364BBB91C; Fri, 26 Jan 2018 12:28:12 +0000 (GMT) Received: from [10.122.225.51] (10.122.225.51) by smtpsuk.huawei.com (10.201.108.35) with Microsoft SMTP Server (TLS) id 14.3.361.1; Fri, 26 Jan 2018 12:28:09 +0000 Subject: Re: [kernel-hardening] [PATCH 4/6] Protectable Memory To: Jerome Glisse , Boris Lukashev CC: Jann Horn , Kees Cook , "Michal Hocko" , Laura Abbott , "Christoph Hellwig" , Matthew Wilcox , "Christoph Lameter" , linux-security-module , Linux-MM , kernel list , Kernel Hardening References: <20180124175631.22925-1-igor.stoppa@huawei.com> <20180124175631.22925-5-igor.stoppa@huawei.com> <6c6a3f47-fc5b-0365-4663-6908ad1fc4a7@huawei.com> <20180125153839.GA3542@redhat.com> From: Igor Stoppa Message-ID: <8eb12a75-4957-d5eb-9a14-387788728b8a@huawei.com> Date: Fri, 26 Jan 2018 14:28:11 +0200 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.2.1 MIME-Version: 1.0 In-Reply-To: <20180125153839.GA3542@redhat.com> Content-Type: text/plain; charset="utf-8" Content-Language: en-US Content-Transfer-Encoding: 7bit X-Originating-IP: [10.122.225.51] X-CFilter-Loop: Reflected Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On 25/01/18 17:38, Jerome Glisse wrote: > On Thu, Jan 25, 2018 at 10:14:28AM -0500, Boris Lukashev wrote: >> On Thu, Jan 25, 2018 at 6:59 AM, Igor Stoppa wrote: > > [...] > >> DMA/physmap access coupled with a knowledge of which virtual mappings >> are in the physical space should be enough for an attacker to bypass >> the gating mechanism this work imposes. Not trivial, but not >> impossible. Since there's no way to prevent that sort of access in >> current hardware (especially something like a NIC or GPU working >> independently of the CPU altogether) [...] > I am not saying that this can not happen but that we are trying our best > to avoid it. How about an opt-in verification, similar to what proposed by Boris Lukashev? When reading back the data, one could access the pointer directly and bypass the verification, or could use a function that explicitly checks the integrity of the data. Starting from an unprotected kmalloc allocation, even just turning the data into R/O is an improvement, but if one can afford the overhead of performing the verification, why not? It would still be better if the service was provided by the library, instead than implemented by individual users, I think. -- igor