Received: by 10.223.185.116 with SMTP id b49csp2760677wrg; Mon, 12 Feb 2018 15:28:44 -0800 (PST) X-Google-Smtp-Source: AH8x225ox+Voak7pmzzH2jWL1bDkg97wpJjngS4AQUSx/CZG+itKIYmFgx4eXaMO08kgHqqXfgEB X-Received: by 10.99.126.24 with SMTP id z24mr6472500pgc.343.1518478124779; Mon, 12 Feb 2018 15:28:44 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1518478124; cv=none; d=google.com; s=arc-20160816; b=oThNS4yrK6Sae9YeZ7jinXYC+Nqh6edvO2XG2UB3U892q5dxgpPlDhXSp6YpgwMGjS 4L+Z1EwKQJcpj8W4hpI+wSnvVtCWcia/GifEP3LxwtqXZk0O86h5g51Jin6Hlnybinto tIT/eNtQ60FuhR6AAgswN1QmYNzcmRBuiA1KODnRplVUSsRmXb1/DacaSVA6xuJ9EmcU GNDXNkf2PUK+wTv1trroFbFKeDuHwmn/WD94qZygtSG+jU9Jguyr7s1Whx9PxCc55o2q mG1ke8y9hUTu25MfzARmP9xL+BEBb+TnpMmToOGoU14cRW14AW6YQVolgVWosz2RV8cz li9w== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:cc:to:subject:message-id:date:from :references:in-reply-to:mime-version:dkim-signature:dkim-signature :arc-authentication-results; bh=mHqPXgJc0vSknFYZn7JjZ9PV1vq5wZgBjD2HHxUiOYc=; b=EoIfT+EtE7bgIuodyitZjHwAYxGdCKUoekRRPJr8WpO9cWeiBa8xcPRAOeLT88Jlzw OZXqQE+2eq61ZTChtcHlxhUYzHalyK9ww7GEz+O5TBZLEgAbdC846bPALiYClDjdjB1P x/iBiNOa85L4JGPS3k3UhfohtNLLzuI906Ll/Eyk2DpiTluFYLYRL6HQxD94syGWzxE4 gENMu8zj/TnQ2d7rV1I2BkwpFKgxPYrGZPuZ7E5G7FJiBGtIex2R3Fv+K7mQVWYhNWVX ELNGEYDOejBNh398QMOc8z2skSJLaTMGeG4dReLkD46QyaG73KjR60LKrAqMF925pN6R yf/g== ARC-Authentication-Results: i=1; mx.google.com; dkim=fail header.i=@google.com header.s=20161025 header.b=jSAnxGUL; dkim=fail header.i=@chromium.org header.s=google header.b=LolcFZOG; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=chromium.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id b1si347397pgq.773.2018.02.12.15.28.30; Mon, 12 Feb 2018 15:28:44 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=fail header.i=@google.com header.s=20161025 header.b=jSAnxGUL; dkim=fail header.i=@chromium.org header.s=google header.b=LolcFZOG; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=chromium.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S932743AbeBLX1X (ORCPT + 99 others); Mon, 12 Feb 2018 18:27:23 -0500 Received: from mail-ua0-f182.google.com ([209.85.217.182]:45056 "EHLO mail-ua0-f182.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S932464AbeBLX1V (ORCPT ); Mon, 12 Feb 2018 18:27:21 -0500 Received: by mail-ua0-f182.google.com with SMTP id z3so10489978uae.12 for ; Mon, 12 Feb 2018 15:27:21 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:sender:in-reply-to:references:from:date:message-id :subject:to:cc; bh=mHqPXgJc0vSknFYZn7JjZ9PV1vq5wZgBjD2HHxUiOYc=; b=jSAnxGULbXvD2blnDm5oehOMBF2bVKTothslcKtcgPa3A9bMDN1ntd7fq4N+Xwujnq 8fcOxjrYjZc/NfjJPL6vGNo96jc7nvnirRWR/L8eFvDLukHX+52q/uGpAH2oYuosIBjX DCfO72VSKhlp2MlEetdAB3kI4HHSDibEQ4KVhUbKil9zmtKLvDtQkSx9RExmZAEqBVpx /GEmOoQLHfFbUZnv1hQ+xUWIFw9JcN2i+NPXlv+oSPuxPMostw94D2vB+aCoXQysDE3C H0TFPYLaaAZrhYA9inLZJ+P+z7WsaW6OrlIWxoapcJ6xyMg51ORq3gtimeVNBWJbWWki 3mAw== DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; h=mime-version:sender:in-reply-to:references:from:date:message-id :subject:to:cc; bh=mHqPXgJc0vSknFYZn7JjZ9PV1vq5wZgBjD2HHxUiOYc=; b=LolcFZOGOfoxyGlswI7BVELh+83AGr5dCNaQe5WinDpMrC2Gni/YmVfZYDOnvzSxzv VY5itGx+Swr/p7Os2Dmhj4qMqG4zf4MhoWURvsC/oOvnpXIyYEMxQT6gJDAGFWihIMQS FuvLldodae1bcB8JNsmH8ZoQTT+RU8HOZVUr4= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:sender:in-reply-to:references:from :date:message-id:subject:to:cc; bh=mHqPXgJc0vSknFYZn7JjZ9PV1vq5wZgBjD2HHxUiOYc=; b=mEpyE1JJduBOc4YaZfh1L79djRv8IQ9wtS5pL6VmXQB/p1zFOGFp73bNHTCMrrF0rd JrlrynlexeZMRXSGwXv/bOstDQrM7c+FA1/QvD5d3kSxdaZDfF62kYoT5dcpQjUhLh6k zhunfrOGfSbMgzPTEnMTCAFMlJ5cJGxums1huD3XY1u9CvFDXj1ttLGcTPvDMRbGtP1w OrymiP00EXWoNSryHjUEnsrTH7GzV28Q49X2/ATgm5X9oKTSEHyoC4ZCjHtTHpMPHoUw BnwaDmX2oU+RyJzpj75EidXFqy2rXRbPYyg6FIcmuO3LQy0upetLAcPkQBInwWOG24r1 MRtQ== X-Gm-Message-State: APf1xPBhBfFGvPd5p+v03nK6dtSopCHW8DNlbvUrGoQ0Nr+u+2CZFfDH Byal+lx3ShzkTvvQLyIIHPBsi5I1IQqGFL3vx9/FSg== X-Received: by 10.176.73.209 with SMTP id f17mr13332392uad.110.1518478040103; Mon, 12 Feb 2018 15:27:20 -0800 (PST) MIME-Version: 1.0 Received: by 10.31.67.196 with HTTP; Mon, 12 Feb 2018 15:27:19 -0800 (PST) In-Reply-To: <17e5b515-84c8-dca2-1695-cdf819834ea2@huawei.com> References: <20180124175631.22925-1-igor.stoppa@huawei.com> <20180124175631.22925-5-igor.stoppa@huawei.com> <20180126053542.GA30189@bombadil.infradead.org> <8818bfd4-dd9f-f279-0432-69b59531bd41@huawei.com> <17e5b515-84c8-dca2-1695-cdf819834ea2@huawei.com> From: Kees Cook Date: Mon, 12 Feb 2018 15:27:19 -0800 X-Google-Sender-Auth: hOVZuSamH-PaKthrOejkDGYiSts Message-ID: Subject: Re: [kernel-hardening] [PATCH 4/6] Protectable Memory To: Igor Stoppa Cc: Boris Lukashev , Christopher Lameter , Matthew Wilcox , Jann Horn , Jerome Glisse , Michal Hocko , Laura Abbott , Christoph Hellwig , linux-security-module , Linux-MM , kernel list , Kernel Hardening Content-Type: text/plain; charset="UTF-8" Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Sun, Feb 4, 2018 at 7:05 AM, Igor Stoppa wrote: > On 04/02/18 00:29, Boris Lukashev wrote: >> On Sat, Feb 3, 2018 at 3:32 PM, Igor Stoppa wrote: > > [...] > >>> What you are suggesting, if I have understood it correctly, is that, >>> when the pool is protected, the addresses already given out, will become >>> traps that get resolved through a lookup table that is built based on >>> the content of each allocation. >>> >>> That seems to generate a lot of overhead, not to mention the fact that >>> it might not play very well with the MMU. >> >> That is effectively what i'm suggesting - as a form of protection for >> consumers against direct reads of data which may have been corrupted >> by some irrelevant means. In the context of pmalloc, it would probably >> be a separate type of ro+verified pool > ok, that seems more like an extension though. > > ATM I am having problems gaining traction to get even the basic merged :-) > > I would consider this as a possibility for future work, unless it is > said that it's necessary for pmalloc to be accepted ... I would agree: let's get basic functionality in first. Both verification and the physmap part can be done separately, IMO. -Kees -- Kees Cook Pixel Security