Received: by 10.223.185.116 with SMTP id b49csp1093862wrg; Wed, 14 Feb 2018 11:31:23 -0800 (PST) X-Google-Smtp-Source: AH8x225nXl56BUEqpAzogUkGlKv/DGDn9qIYC8uwin8nKuQYHk2MsKgSsu2SBkbftuxJfhpFPsZu X-Received: by 2002:a17:902:3a1:: with SMTP id d30-v6mr76693pld.409.1518636683127; Wed, 14 Feb 2018 11:31:23 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1518636683; cv=none; d=google.com; s=arc-20160816; b=gsr0W45SR49CKVxg7N1u8oJ2/fETRFj3iAQhCN1RF4Dl6k4QAKRKkqeJukxmmWKvnB IgvgtgyY9Xg/BRW1mDoU+Dr6ej9XqTiBPTjRBn8x9UR9lfg3NxxxCyhLP0rlx+Gtqxe1 4TfMSwlclkGi0kdU1XIxcjz73HM2WpQb/aAwwr1V5bFJuxtejuzrzqdiScICaSpXiLp+ NugDfoDv7u0dNjwNHBFZ7SRuG6Fm9fJcnov6CL4l9A0vZw1nseWp4AwANj5IksbsEJM9 1TKM6gIc8YmHL6n1zXFJNrw8seGB+73Cf1A6il5nYqWSMsO2yX7Azzo3w5/taSM1Uj87 9MVw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:cc:to:subject:message-id:date:from :references:in-reply-to:mime-version:dkim-signature:dkim-signature :arc-authentication-results; bh=+pT1Fi01Lu8bUJkU2aB1f3HQgjSszYqwMhaJHfaAvy8=; b=wEgAojGh0UwZtTfnqNLorvD69GxOwoGVxg9po5jha7NyPJ3lbvUqyGVpaOd+TvauT5 j1d3ZPtLELEwVrTJuLDX4ybBxayGMP8In4oYpGJ++8QfI0PVvCrraeXPmqz/SfbTJTnn MTRRrz0lFUEv7bsxQdW98DV/3ZQoRsR54krsYxKFUq++ZK44jRwBKN69XCRZJLVMgy9x RJKkjk4Yt+hATruSiyHQC/Kq/9/GoWL82Glgrpz79AjECNpTHXfY+f2wsxtCxDbGqP5i qbbExx5nrBCTcDinSUFEw35Uif373S5sV30WEOt/773yK3fXU+GjrMMjZBvLa/K5RcBR ZMuA== ARC-Authentication-Results: i=1; mx.google.com; dkim=fail header.i=@google.com header.s=20161025 header.b=jKpsUZZZ; dkim=fail header.i=@chromium.org header.s=google header.b=kJOPPxzq; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=chromium.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id l19-v6si47799pli.285.2018.02.14.11.31.08; Wed, 14 Feb 2018 11:31:23 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=fail header.i=@google.com header.s=20161025 header.b=jKpsUZZZ; dkim=fail header.i=@chromium.org header.s=google header.b=kJOPPxzq; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=chromium.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1162971AbeBNT3Z (ORCPT + 99 others); Wed, 14 Feb 2018 14:29:25 -0500 Received: from mail-ua0-f193.google.com ([209.85.217.193]:41470 "EHLO mail-ua0-f193.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1162960AbeBNT3X (ORCPT ); Wed, 14 Feb 2018 14:29:23 -0500 Received: by mail-ua0-f193.google.com with SMTP id d4so9841087uak.8 for ; Wed, 14 Feb 2018 11:29:22 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:sender:in-reply-to:references:from:date:message-id :subject:to:cc; bh=+pT1Fi01Lu8bUJkU2aB1f3HQgjSszYqwMhaJHfaAvy8=; b=jKpsUZZZtQUnBgo8IUUIOv/hHhrHQlroG6A9IEULZ6k+liRYxdswRCqDt6uDrdNNbl X0VVEvYK3GDY72AsKyokIgQgW8973T25r8dSpHHqBdp4ZRMsgIvJ4qZ777SjUi8QFmAJ 5I3LSDnPDIyhfOJsiRYW4LYud2hRfT0BsBJKoi/GoCBRUsnbV/qCs/0oEOBryREBBcXK Rp8B8v/uuYldpa8/qMjzZc/rrpMCdf7FFhPyzX5fnDnOYXPzbJLtQq+TiQp8Z3MOO16X 5A9b2hk6DaMXP8jCTTmBZDY5HmpUsD5GhvXugTB0XVqPx1YhwH1P21pfU8tpADKvACT0 1EAA== DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; h=mime-version:sender:in-reply-to:references:from:date:message-id :subject:to:cc; bh=+pT1Fi01Lu8bUJkU2aB1f3HQgjSszYqwMhaJHfaAvy8=; b=kJOPPxzqTBi4UIdk7xb8mi/PYvLizHhq152lvIaVQT7vN1z4LIRQSdzthhnRuHktDh 4LetegOeiidSnvqJkKBG7IylfYZYDmiNdmEG6d23zKp3WKy2PribKYrDeNLjsH5Mc4Al ozo7HKZXhTONtwUdHGwsUJSBq17KM8OryndyE= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:sender:in-reply-to:references:from :date:message-id:subject:to:cc; bh=+pT1Fi01Lu8bUJkU2aB1f3HQgjSszYqwMhaJHfaAvy8=; b=ccop6C59mhFSStq6kJfD2I8dKxXQEPprjwE64b2znMEu3UQLXgi//7+Qu8SnGaJayl IY3iMAWzKRemNImiK7Q40r1154tJU5ljfvrUqQw4nYuyL1ymCor/GKIS+WNerVbeujhJ jDeWFmTBzmdr6H9i6wNMP5gY6u893F3X5gCWidYetSIiMdwLRde+9ExPBjJF0X1JVb8p zqkFLwA7JYlC9PjYxTh6monIRQe8yc7LQHEcqHMVyuN8uDFOzeFhQSrlO9aaEEj3i+87 4Sn5XlwaYfSsXnJF9bk26muDewuERaqLzeUVai3tmsUpKBDFQ3UfaoYZYNrYFNnOy0pk /kKg== X-Gm-Message-State: APf1xPDiyYhIJtMcvMLzb6EBBDEpvP6AcadhNlM483K5BndSsAfN/sPC CUN/qC5fDMRVjCHpRtv2QeXg4CsfkzPi9fC5tQnQiw== X-Received: by 10.176.83.203 with SMTP id l11mr282736uaa.167.1518636562151; Wed, 14 Feb 2018 11:29:22 -0800 (PST) MIME-Version: 1.0 Received: by 10.31.56.87 with HTTP; Wed, 14 Feb 2018 11:29:21 -0800 (PST) In-Reply-To: <2f23544a-bd24-1e71-967b-e8d1cf5a20a3@redhat.com> References: <20180124175631.22925-1-igor.stoppa@huawei.com> <20180124175631.22925-5-igor.stoppa@huawei.com> <20180126053542.GA30189@bombadil.infradead.org> <8818bfd4-dd9f-f279-0432-69b59531bd41@huawei.com> <17e5b515-84c8-dca2-1695-cdf819834ea2@huawei.com> <414027d3-dd73-cf11-dc2a-e8c124591646@redhat.com> <2f23544a-bd24-1e71-967b-e8d1cf5a20a3@redhat.com> From: Kees Cook Date: Wed, 14 Feb 2018 11:29:21 -0800 X-Google-Sender-Auth: XgzMYYYzYp6lt2yAitlISGqo0oo Message-ID: Subject: Re: arm64 physmap (was Re: [kernel-hardening] [PATCH 4/6] Protectable Memory) To: Laura Abbott Cc: Jann Horn , Igor Stoppa , Boris Lukashev , Christopher Lameter , Matthew Wilcox , Jerome Glisse , Michal Hocko , Christoph Hellwig , linux-security-module , Linux-MM , kernel list , Kernel Hardening , linux-arm-kernel Content-Type: text/plain; charset="UTF-8" Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Wed, Feb 14, 2018 at 11:06 AM, Laura Abbott wrote: > On 02/13/2018 01:43 PM, Kees Cook wrote: >> >> On Tue, Feb 13, 2018 at 8:09 AM, Laura Abbott wrote: >>> >>> No, arm64 doesn't fixup the aliases, mostly because arm64 uses larger >>> page sizes which can't be broken down at runtime. CONFIG_PAGE_POISONING >>> does use 4K pages which could be adjusted at runtime. So yes, you are >>> right we would have physmap exposure on arm64 as well. >> >> >> Errr, so that means even modules and kernel code are writable via the >> arm64 physmap? That seems extraordinarily bad. :( >> >> -Kees >> > > (adding linux-arm-kernel and changing the subject) > > Kernel code should be fine, if it isn't that is a bug that should be > fixed. Modules yes are not fully protected. The conclusion from past I think that's a pretty serious problem: we can't have aliases with mismatched permissions; this degrades a deterministic protection (read-only) to a probabilistic protection (knowing where the alias of a target is mapped). Having an attack be "needs some info leaks" instead of "need execution control to change perms" is a much lower bar, IMO. > experience has been that we cannot safely break down larger page sizes > at runtime like x86 does. We could theoretically > add support for fixing up the alias if PAGE_POISONING is enabled but > I don't know who would actually use that in production. Performance > is very poor at that point. Why does using finer granularity on the physmap degrade performance? I assume TLB pressure, but what is heavily using that area? (I must not be understanding what physmap actually gets used for -- I thought it was just a convenience to have a 1:1 virt/phys map for some lookups?) -Kees -- Kees Cook Pixel Security