Received: by 10.223.185.116 with SMTP id b49csp2893195wrg; Mon, 12 Feb 2018 17:27:55 -0800 (PST) X-Google-Smtp-Source: AH8x224eANFLjXzq5DPVQdb+v1PU3wgEl2hxmp/YzbTAni4ANlQ1f82IaEcGnqsXmZYNwkZ+HDVP X-Received: by 2002:a17:902:61:: with SMTP id 88-v6mr12648812pla.428.1518485275556; Mon, 12 Feb 2018 17:27:55 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1518485275; cv=none; d=google.com; s=arc-20160816; b=TVG6bdXmaJxWc8+ZqTtKo0iGTvDUTpxbO+enAAejDpB9v393qqE1TBW7gd1nQPM5PV /aIXxRawKCsMS9tZc/io90OkOKQ6xkDeoMm0RgKjSt/z3KEkvQQLk7wMIFFn3rzKJ/JX 4HvK076Ve7FUvG4QbBakTOevKEFwxL78DrsIsFivfzVvyl7VDN4rvFTJn6qlPbFlTp/e K7uvA60f5och7akLISmZRKq5g0NiGTTNgkOrSuVggIAJtf6nmmP6n+Pi3nT8MPvJCQau tj72HBb4OVVVerNo/+eUbF8vWWOi352illbG9dwbYbqBrDTrG1H0E/lzxryQU1lxnlwu Xj1Q== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:cc:to:subject:message-id:date:from :references:in-reply-to:mime-version:dkim-signature:dkim-signature :arc-authentication-results; bh=bUv7XZpsNUhzGfg0e/df4BF6V/ipu316ovCjJT2tb98=; b=kcTdgFwB94YvJOip0hO2IzAQdRvhpu5051mp4vr//hpg9w0c+SS447zprvxAW20gUR VGMZuqAzZyQ3PvtWBrbHVupMpznCZEZlQgAybRmGYRxd6F8GB1kqomeAHMyycswVjOQP KtS5mVtmX58+Qe04bw2OV9ggUFYW5XQtI0CscYmfZYAWMi2Wt2CNv92TsAigPbyWly2z yo7p+/mwL6VyncEAkifDw49aT/V4l+5yqt1efQy5nNeAQ3flfx6ukvIg/bRfpZ8Xr6oP 4HtsFCYAYWmkqJkShccv+x8EakUV+MpXcfSHLGT6PeKuN7SB9Nqo929yylfhGt/EsmCG eGpw== ARC-Authentication-Results: i=1; mx.google.com; dkim=fail header.i=@google.com header.s=20161025 header.b=M4to1MsG; dkim=fail header.i=@chromium.org header.s=google header.b=UsUQg6R6; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=chromium.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id bh3-v6si501013plb.661.2018.02.12.17.27.41; Mon, 12 Feb 2018 17:27:55 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=fail header.i=@google.com header.s=20161025 header.b=M4to1MsG; dkim=fail header.i=@chromium.org header.s=google header.b=UsUQg6R6; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=chromium.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S933310AbeBMBZb (ORCPT + 99 others); Mon, 12 Feb 2018 20:25:31 -0500 Received: from mail-ua0-f180.google.com ([209.85.217.180]:41641 "EHLO mail-ua0-f180.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S933112AbeBMBZ2 (ORCPT ); Mon, 12 Feb 2018 20:25:28 -0500 Received: by mail-ua0-f180.google.com with SMTP id d4so6104016uak.8 for ; Mon, 12 Feb 2018 17:25:27 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:sender:in-reply-to:references:from:date:message-id :subject:to:cc; bh=bUv7XZpsNUhzGfg0e/df4BF6V/ipu316ovCjJT2tb98=; b=M4to1MsGeDAMQm1rA52uBMyT0/Yslu03L8oZDPc51JtrSEaMQO9/7emJUHx73gVtUb TEg8vEW9jNu+RELQVgqVJciIE891wZvctyI8qKcEKbEzA8zJ/b0tpXGK/nBc/jdmsbcR JseOgABTUBQNvkEPTLpbRI19JOSMm4K8BmBBB1fhqN0x9KGxTzXZAgCIgDO5n4dePG7R NnmXxXiYfnBfU/Pcg8fTltDS04ijDTtt5prZpsvVdoySH7djzGyqFld9BzVd5r8nyIYs 7asfVLBS2Tz8hb4JUkdCgaTiSlkhg7d2oF0CddehrS3yavto513cimcAxbRJ1HknvAuT g3PA== DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; h=mime-version:sender:in-reply-to:references:from:date:message-id :subject:to:cc; bh=bUv7XZpsNUhzGfg0e/df4BF6V/ipu316ovCjJT2tb98=; b=UsUQg6R6Qe+UT7rWDQlulbs3OI9V4JAop/on29WF2GihsthGlYG/kKV5MdPFqAhfDg x/9lgHLvwTj663RaAeIh/4zrdYYws8e8GiqBB1oa4/bse+U68VP9Rxlhz1mzxyg/g4uw JOaLlYNqEyA22G1qrRK+h2hVZzC28K0Vq+Yaw= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:sender:in-reply-to:references:from :date:message-id:subject:to:cc; bh=bUv7XZpsNUhzGfg0e/df4BF6V/ipu316ovCjJT2tb98=; b=rWYp8wtBDJG8v+1UoIzdyXkGA0WJBB2tIMU4hDEHRjNUwE9K9a0BR39Hmxf8MqIAwL ttHMfGaicg6HHQj6MRR2N/p2ENn/vYXtIznVqULm1jrPF1W3MACnWQQ3R1lkhouUmoZ7 D8XQoZuOaLdubZ85LuxECO8sBciBP0N5hLp/I8YBi75WNehiD/ug0jHrYdgtRmTonxEY ZCuUT09lJX0XvkLxyHsEqJz+NfdC/z7RisnzAqKRdhn1bUJvRp3roNm8NPLPa8LiWiQs 6M6NiAU7ZhR/paXkARoHO1ydFPG8SrjYXwu4H8YRLyI2orVEgvLQLDiIjNlPgUd4R1YQ hPIw== X-Gm-Message-State: APf1xPBjZhgz+QDN6IZJI/lnU3NZoD8w7+e5Jj//r9Rsx8Luf4ikI3Tp eO8lNaiMyEvjTeK1R52uJSLtdNH7ogSOtIO03JRsXA== X-Received: by 10.176.0.229 with SMTP id 92mr14060137uaj.33.1518485127203; Mon, 12 Feb 2018 17:25:27 -0800 (PST) MIME-Version: 1.0 Received: by 10.31.67.196 with HTTP; Mon, 12 Feb 2018 17:25:25 -0800 (PST) In-Reply-To: <414027d3-dd73-cf11-dc2a-e8c124591646@redhat.com> References: <20180124175631.22925-1-igor.stoppa@huawei.com> <20180124175631.22925-5-igor.stoppa@huawei.com> <20180126053542.GA30189@bombadil.infradead.org> <8818bfd4-dd9f-f279-0432-69b59531bd41@huawei.com> <17e5b515-84c8-dca2-1695-cdf819834ea2@huawei.com> <414027d3-dd73-cf11-dc2a-e8c124591646@redhat.com> From: Kees Cook Date: Mon, 12 Feb 2018 17:25:25 -0800 X-Google-Sender-Auth: t_zQAGZf1JlztdpxU0DT1uP6b5Y Message-ID: Subject: Re: [kernel-hardening] [PATCH 4/6] Protectable Memory To: Laura Abbott Cc: Igor Stoppa , Boris Lukashev , Christopher Lameter , Matthew Wilcox , Jann Horn , Jerome Glisse , Michal Hocko , Christoph Hellwig , linux-security-module , Linux-MM , kernel list , Kernel Hardening Content-Type: text/plain; charset="UTF-8" Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Mon, Feb 12, 2018 at 4:40 PM, Laura Abbott wrote: > On 02/12/2018 03:27 PM, Kees Cook wrote: >> >> On Sun, Feb 4, 2018 at 7:05 AM, Igor Stoppa >> wrote: >>> >>> On 04/02/18 00:29, Boris Lukashev wrote: >>>> >>>> On Sat, Feb 3, 2018 at 3:32 PM, Igor Stoppa >>>> wrote: >>> >>> >>> [...] >>> >>>>> What you are suggesting, if I have understood it correctly, is that, >>>>> when the pool is protected, the addresses already given out, will >>>>> become >>>>> traps that get resolved through a lookup table that is built based on >>>>> the content of each allocation. >>>>> >>>>> That seems to generate a lot of overhead, not to mention the fact that >>>>> it might not play very well with the MMU. >>>> >>>> >>>> That is effectively what i'm suggesting - as a form of protection for >>>> consumers against direct reads of data which may have been corrupted >>>> by some irrelevant means. In the context of pmalloc, it would probably >>>> be a separate type of ro+verified pool >>> >>> ok, that seems more like an extension though. >>> >>> ATM I am having problems gaining traction to get even the basic merged >>> :-) >>> >>> I would consider this as a possibility for future work, unless it is >>> said that it's necessary for pmalloc to be accepted ... >> >> >> I would agree: let's get basic functionality in first. Both >> verification and the physmap part can be done separately, IMO. > > > Skipping over physmap leaves a pretty big area of exposure that could > be difficult to solve later. I appreciate this might block basic > functionality but I don't think we should just gloss over it without > at least some idea of what we would do. What's our exposure on physmap for other regions? e.g. things that are executable, or made read-only later (like __ro_after_init)? -Kees -- Kees Cook Pixel Security