Received: by 10.223.176.46 with SMTP id f43csp899719wra;
        Fri, 26 Jan 2018 08:37:24 -0800 (PST)
X-Google-Smtp-Source: AH8x225xe7ZzzxD0opdBhIyGCRNhw2b0TmznFArOOn2u97TsVigaemj6M3/J1gqao8vnJEGWCljz
X-Received: by 2002:a17:902:a24:: with SMTP id 33-v6mr14670624plo.141.1516984644244;
        Fri, 26 Jan 2018 08:37:24 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1516984644; cv=none;
        d=google.com; s=arc-20160816;
        b=uy0kf9tM2RGYkfFSvR8B08dZLLdadfxVrzHeeFyVrhJvNf7hAaBtUTNEU35lobqtrE
         iLE+cmoXBzL90uT+qkS4kTvZyI2YmzPK1M6UpOAFAmCLK0+rHEAHWBcKKLcOqTG4IfXR
         8Q1iP9Qgmn1dS0a89xygKoEecxjOKSbmfoZGsUJZN/hn0+6IGIoYO+svvHQAUhpP3LI7
         j2ZV5O8/8XIKBDDwIBGs0LBQr8WT7Q8DsV7fz+fJNQo0LHdSKt2udfQmpjQkrbzyeqZ6
         X9ylgU4fJf3fCWggemw4RMJ76TAB1NDwrpCSwDln2MUT7duF7+ZGRQ6bHp0G9VuWEeSc
         C1yw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:cc:to:subject:message-id:date:from
         :references:in-reply-to:mime-version:dkim-signature
         :arc-authentication-results;
        bh=97qdVHi4f0Mg3N5E75oGR8cKV8dHbHmobWSE6hs5WiQ=;
        b=Ort9aarJC2v/3u8WfZkF0VicKch6NOV4PfnRJ3JyUNsS6KeqG8wPecNSwd4mKNg/Yu
         GPsryZscj9PzL9BgpFE0HJaL5NVWGngA1XaY1CqFipaMvCzYeiGMZuWPKQ9zZJbZtXjU
         8BhVd9QIUt3uo0COvkxl17siolkk+X4AZCi1IC4wWO1VysgvrHR1wC/P9tf3hzFeVcHF
         ZfiVfkPzWsQujJLQoYzGEN3POSsYFst+MIknKm+ApuL5rHIz6BlXDQE6W5c2C8S4Ptru
         yGQwT2zJIkgBQ9yO9YnjiaKg7zh3r5rND/Gaq03HU7abMMHwYiusOr6W6RxhIkqOnOhm
         f5bw==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@sempervictus-com.20150623.gappssmtp.com header.s=20150623 header.b=zUQ83g95;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id c200si6538422pfb.301.2018.01.26.08.37.09;
        Fri, 26 Jan 2018 08:37:24 -0800 (PST)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@sempervictus-com.20150623.gappssmtp.com header.s=20150623 header.b=zUQ83g95;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1752578AbeAZQgf (ORCPT <rfc822;justmaker@gmail.com> + 99 others);
        Fri, 26 Jan 2018 11:36:35 -0500
Received: from mail-pg0-f68.google.com ([74.125.83.68]:40814 "EHLO
        mail-pg0-f68.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1752353AbeAZQgb (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Fri, 26 Jan 2018 11:36:31 -0500
Received: by mail-pg0-f68.google.com with SMTP id g16so578353pgn.7
        for <linux-kernel@vger.kernel.org>; Fri, 26 Jan 2018 08:36:31 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=sempervictus-com.20150623.gappssmtp.com; s=20150623;
        h=mime-version:in-reply-to:references:from:date:message-id:subject:to
         :cc;
        bh=97qdVHi4f0Mg3N5E75oGR8cKV8dHbHmobWSE6hs5WiQ=;
        b=zUQ83g95Y12A+Jmhi0WUukLgxOhM7a4xPVJFY/kskf+dOE1C2BeCbnfGvNbzoEiwdR
         S98du4ScIMEnkKhsgk9bOPkFslU1ZR/BMHko1PIj63Pd6y2c1VItklwZSG/lXSRgHJux
         Ybh34xVSTZOIZeFiBlXz6qg40X4Ynu8voFUyiy8zT9IICDsUPJPeqaPIMtTyV3jYAwZB
         BiREgmmmUZd6i5qqAnI1ct9NT+T/WRYur+CX0VYKs8sVp+69yNf8mxC6sRSG53sEq8O2
         disNHU/gWyWhVG0lmHdvkSZgln2u1foUIKjH82ZxbIk5g3pnrl1x3AntmNUhth1o9dP1
         13rQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:mime-version:in-reply-to:references:from:date
         :message-id:subject:to:cc;
        bh=97qdVHi4f0Mg3N5E75oGR8cKV8dHbHmobWSE6hs5WiQ=;
        b=CSCvrzEs46A0U+82M6Uvd2bhY1hzrY0TfUObqb3LdyggLx+VHh+hwV23VLokjupwx8
         Mg19dsxDnQ+e8rpODa0A4IeMT3AYA2NMEq2dne2vET3uCrNvVdQtMab+tth5esiJcniZ
         eaddib/ckabHLmUejKG6GHggAtZyx5DL7gzRrKp1Mxf/ufHNmc5oIXWsMIietYoNXayX
         FESwo2w+4hQQ8KcKT8KYR/pkbY1jReJOlk5IEjgBMhcgcLuQS7IEJZQlNqSQUvptBHKu
         zn6EQjhsZd1v8Gqz8leozIvHiJ7zcCFfAysH1K6fobUsQw2gFIyuGo5rc3aAvqzrYmYO
         88LA==
X-Gm-Message-State: AKwxytfurNgYV8PCx0YEw1jyHqfu9qNfzmfDVSwRa8eDSr2Q75OM7jsV
        TRA8dOSqZEYxE/OJ/QKTptD55RjcovTLjR7CGYfjXIYY
X-Received: by 2002:a17:902:6945:: with SMTP id k5-v6mr5141587plt.389.1516984590786;
 Fri, 26 Jan 2018 08:36:30 -0800 (PST)
MIME-Version: 1.0
Received: by 10.236.140.141 with HTTP; Fri, 26 Jan 2018 08:36:30 -0800 (PST)
X-Originating-IP: [72.70.61.204]
In-Reply-To: <8eb12a75-4957-d5eb-9a14-387788728b8a@huawei.com>
References: <20180124175631.22925-1-igor.stoppa@huawei.com>
 <20180124175631.22925-5-igor.stoppa@huawei.com> <CAG48ez0JRU8Nmn7jLBVoy6SMMrcj46R0_R30Lcyouc4R9igi-g@mail.gmail.com>
 <6c6a3f47-fc5b-0365-4663-6908ad1fc4a7@huawei.com> <CAFUG7CfP_UyEH=1dmX=wsBz73+fQ0syDAy8ArKT0d4nMyf9n-g@mail.gmail.com>
 <20180125153839.GA3542@redhat.com> <8eb12a75-4957-d5eb-9a14-387788728b8a@huawei.com>
From:   Boris Lukashev <blukashev@sempervictus.com>
Date:   Fri, 26 Jan 2018 11:36:30 -0500
Message-ID: <CAFUG7CeAfymvCC5jpBSM88X=8nSu-ktE0h81Ws1dAO0KrZk=9w@mail.gmail.com>
Subject: Re: [kernel-hardening] [PATCH 4/6] Protectable Memory
To:     Igor Stoppa <igor.stoppa@huawei.com>
Cc:     Jerome Glisse <jglisse@redhat.com>, Jann Horn <jannh@google.com>,
        Kees Cook <keescook@chromium.org>,
        Michal Hocko <mhocko@kernel.org>,
        Laura Abbott <labbott@redhat.com>,
        Christoph Hellwig <hch@infradead.org>,
        Matthew Wilcox <willy@infradead.org>,
        Christoph Lameter <cl@linux.com>,
        linux-security-module <linux-security-module@vger.kernel.org>,
        Linux-MM <linux-mm@kvack.org>,
        kernel list <linux-kernel@vger.kernel.org>,
        Kernel Hardening <kernel-hardening@lists.openwall.com>
Content-Type: text/plain; charset="UTF-8"
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Fri, Jan 26, 2018 at 7:28 AM, Igor Stoppa <igor.stoppa@huawei.com> wrote:
> On 25/01/18 17:38, Jerome Glisse wrote:
>> On Thu, Jan 25, 2018 at 10:14:28AM -0500, Boris Lukashev wrote:
>>> On Thu, Jan 25, 2018 at 6:59 AM, Igor Stoppa <igor.stoppa@huawei.com> wrote:
>>
>> [...]
>>
>>> DMA/physmap access coupled with a knowledge of which virtual mappings
>>> are in the physical space should be enough for an attacker to bypass
>>> the gating mechanism this work imposes. Not trivial, but not
>>> impossible. Since there's no way to prevent that sort of access in
>>> current hardware (especially something like a NIC or GPU working
>>> independently of the CPU altogether)
>
> [...]
>
>> I am not saying that this can not happen but that we are trying our best
>> to avoid it.
>
> How about an opt-in verification, similar to what proposed by Boris
> Lukashev?
>
> When reading back the data, one could access the pointer directly and
> bypass the verification, or could use a function that explicitly checks
> the integrity of the data.
>
> Starting from an unprotected kmalloc allocation, even just turning the
> data into R/O is an improvement, but if one can afford the overhead of
> performing the verification, why not?
>

I like the idea of making the verification call optional for consumers
allowing for fast/slow+hard paths depending on their needs.
Cant see any additional vectors for abuse (other than the original
ones effecting out-of-band modification) introduced by having
verify/normal callers, but i've not had enough coffee yet. Any access
races or things like that come to mind for anyone? Shouldn't happen
with a write-once allocation, but again, lacking coffee.

> It would still be better if the service was provided by the library,
> instead than implemented by individual users, I think.
>
> --
> igor

-Boris