Received: by 10.223.176.5 with SMTP id f5csp4343193wra; Tue, 30 Jan 2018 06:01:40 -0800 (PST) X-Google-Smtp-Source: AH8x225S/oZpryrWBl/OzzqNfGu4l0KY+LNc2O8tDkbZ3Jpmk24o6fJ/mhShZ9WRFNPhgPiUunWM X-Received: by 10.99.115.67 with SMTP id d3mr24837873pgn.223.1517320900532; Tue, 30 Jan 2018 06:01:40 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1517320900; cv=none; d=google.com; s=arc-20160816; b=uJkebMWWLvvLIgNHtxo+eBGaOZTczUqbBzyUS4HKJIShmbRS5NADUJm4KusDMPo6Au WZZiFWPdcpkOWJJSuHlJGlpYZ80rzh7L6BSogOfMEiKqufvmxNCm7mcsef6fR1+p/TLu LRAjtR4wcWjkEOW4PjrBuJnXxRATgYkSFq4R5+ndzo72gEkXuLnU9lwe6xGgrf5Tfwrs BNeRh/bUK9V/hY7sCyZmN95nRcxxpXue44F4y0rIYZzilY65/cJUUytvIVwCZML2zqLc JPbp7L7gkkir10xLjKMxEmounYq8ktzOFYf1CqBhJick0/Bgzn7x4P7Z/AI4zgpuVS1B JJgA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding :content-language:in-reply-to:mime-version:user-agent:date :message-id:from:references:cc:to:subject:arc-authentication-results; bh=wG5T6RyN/ZHdF4y5Fj3Di7bvo5RIUt+uNRZVfRDxfIw=; b=DfT1h7reHbNEXMyPJmfBd87OyMa1+/X2cdngFRzB6rC2TZRwlN9Lg+XSg9gtMbhgnM /F4Yjx/do78/mds8uYLjhA84mfoNxt7odSu8zr67pXCgUQPZIDGqzSCMhEHyZcuzC1Mf S80ODnjBqpdpXOWy3E3Y+b11B+IVBUy26z7h6N6wkswAAZhZV7TgLRqt6w3DGjcJuDQg R+AtTcwThC89DC7OVQYqGDCvoIHTWSbgr8qwzrcLz0CEarmi3FhnzxC/a0YcogDTOl2R x/0QVMSzuvFBZ36hdl4pfugdSF9UZCvMvBLeuX3M1OSUFzUEzQUz2NWROB+iUq0KJQ6g VwtA== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id h3-v6si11635821plb.527.2018.01.30.06.01.25; Tue, 30 Jan 2018 06:01:40 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1752358AbeA3Nqo (ORCPT + 99 others); Tue, 30 Jan 2018 08:46:44 -0500 Received: from lhrrgout.huawei.com ([194.213.3.17]:23878 "EHLO huawei.com" rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP id S1752335AbeA3Nqn (ORCPT ); Tue, 30 Jan 2018 08:46:43 -0500 Received: from LHREML714-CAH.china.huawei.com (unknown [172.18.7.107]) by Forcepoint Email with ESMTP id 071BE87F6900F; Tue, 30 Jan 2018 13:46:39 +0000 (GMT) Received: from [10.122.225.51] (10.122.225.51) by smtpsuk.huawei.com (10.201.108.37) with Microsoft SMTP Server (TLS) id 14.3.361.1; Tue, 30 Jan 2018 13:46:39 +0000 Subject: Re: [kernel-hardening] [PATCH 4/6] Protectable Memory To: Boris Lukashev CC: Jerome Glisse , Jann Horn , "Kees Cook" , Michal Hocko , Laura Abbott , Christoph Hellwig , Matthew Wilcox , Christoph Lameter , linux-security-module , Linux-MM , kernel list , "Kernel Hardening" References: <20180124175631.22925-1-igor.stoppa@huawei.com> <20180124175631.22925-5-igor.stoppa@huawei.com> <6c6a3f47-fc5b-0365-4663-6908ad1fc4a7@huawei.com> <20180125153839.GA3542@redhat.com> <8eb12a75-4957-d5eb-9a14-387788728b8a@huawei.com> From: Igor Stoppa Message-ID: <5782e30f-76b3-cf6f-e865-666aa958685e@huawei.com> Date: Tue, 30 Jan 2018 15:46:37 +0200 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.2.1 MIME-Version: 1.0 In-Reply-To: Content-Type: text/plain; charset="utf-8" Content-Language: en-US Content-Transfer-Encoding: 7bit X-Originating-IP: [10.122.225.51] X-CFilter-Loop: Reflected Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On 26/01/18 18:36, Boris Lukashev wrote: > I like the idea of making the verification call optional for consumers > allowing for fast/slow+hard paths depending on their needs. > Cant see any additional vectors for abuse (other than the original > ones effecting out-of-band modification) introduced by having > verify/normal callers, but i've not had enough coffee yet. Any access > races or things like that come to mind for anyone? Well, the devil is in the details. In this case, the question is how to perform the verification in a way that is sufficiently robust against races. After thinking about it for a while, I doubt it can be done reliably. It might work for some small data types, but the typical use case I have found myself dealing with, is protecting data structures. That also brings up a separate problem: what would be the size of data to hash? At one extreme there is a page, but it's probably too much, so what is the correct size? it cannot be smaller than a specific allocation, however that would imply looking for the hash related to the data being accessed, with extra overhead. And the data being accessed might be a field in a struct, for which we would not have any hash. There would be a hash only for the containing struct that was allocated ... Overall, it seems a good idea in theory, but when I think about its implementation, it seems like the overhead is so big that it would discourage its use for almost any practical purpose. If one really wants to be paranoid could, otoh have redundancy in a different pool. -- igor