Received: by 10.223.185.116 with SMTP id b49csp1138472wrg; Wed, 14 Feb 2018 12:12:59 -0800 (PST) X-Google-Smtp-Source: AH8x226HLFxxl/Ru3RJzlnXYwhp9mcaU31qQNCXy9qsAkjA93xBk94AE/RxJIP3ggOj2AC19QYNW X-Received: by 10.99.64.196 with SMTP id n187mr161792pga.147.1518639179376; Wed, 14 Feb 2018 12:12:59 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1518639179; cv=none; d=google.com; s=arc-20160816; b=c2a5n1BFBOIisEiPzu7Huj9UXuC6afsPxjjLAxZy41O5hVp8iZGQKp/Kl8Dd8lI2GG cMCiyLBah/bxW/BrzbNnXU3/RuReWvhXWiKj+7zq2Tdn1367lSJD/txYwVC797aiDmm1 SHNPdHILB8qVOcopiwOcjY5VX3TUN+VuI/gTL0Wlde+y4zQG67tsKg9pgLWPC0rg8bu5 8KyKBx+E5ppck0DkNDCgie7kWwlHqGWiCtSFRNy5pFgbnx7P6NGluRWV9BlTGmTz/0qU +x0/yF/G+FsgAXsIqvlZZFRMNGCHY+Vw3TuYjX2WZjQKyiNqCmV+fOwdLg/EY6YrUCAS bwEw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding :content-language:in-reply-to:mime-version:user-agent:date :message-id:from:references:cc:to:subject:arc-authentication-results; bh=93Q1VlZoqaYmYkLqdTvgbtufpo3VARs2s4WLpe0DBHY=; b=QnknV8/z+pPdvX/w0+ivoYoE04liC+IpKvN23I/PTTqurZcyqLdOj777llAIoT3Oui LotkNXIjIINtzcah0DTBYte47OfsxlUtq2iKkzjNVqV5izkIEJ4bbMYcMiFCGNzr1RSw S70WCVGEvqGsneUkkORdmT/i0NPinZwRMYCdkFQqw3fYUoMM1Bmx7hWWasdYvmedM6xF BC0ZUZenWd9D96VHeOcymRRsmgcb7QzsrEXyQbtJyV1fn5eA8Gb+SU0ovXjYqruDoDFU DvnQlYkLb/m+LQteM5fZrxofDKFP4gv4KrmQeDAuPRySSJHG+Fe177JKTzl1ZMvd8Pqe Yvgg== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=redhat.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id m1-v6si1736808plb.83.2018.02.14.12.12.44; Wed, 14 Feb 2018 12:12:59 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=redhat.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1162651AbeBNTGN (ORCPT + 99 others); Wed, 14 Feb 2018 14:06:13 -0500 Received: from mail-ot0-f194.google.com ([74.125.82.194]:41156 "EHLO mail-ot0-f194.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1162470AbeBNTGK (ORCPT ); Wed, 14 Feb 2018 14:06:10 -0500 Received: by mail-ot0-f194.google.com with SMTP id w38so3256948ota.8 for ; Wed, 14 Feb 2018 11:06:10 -0800 (PST) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:subject:to:cc:references:from:message-id:date :user-agent:mime-version:in-reply-to:content-language :content-transfer-encoding; bh=93Q1VlZoqaYmYkLqdTvgbtufpo3VARs2s4WLpe0DBHY=; b=eU4aoMmOcmHP+Fkjms2/bhPoHONMRqKqiLd8TMVxRymXdO93LpN/CyWByY4yzD7q/c JWRXdQQb8or0ABX+r/STacB0VPxDhM8ABVpUy8rXubEBkRUp4NLACwZdp4eDvnq6M3im D5bezyQZtBmPAXJOVtQ/Xxs+YWHdlQK2J5JEUOaHy9bkFUYkCwljKPDHZykax9n+J4HE OroNa0pDpConCrjoFKO1FjckXRpzYB3z1zI2VAXwE8FX5TkEHqqwUJUkts44CqE/47uo OhBHo35eCUGcWLe8Dz094vfLtf9i0eEfkdgd9kZeQKkdBw12649ndlEkvZ1UD457szWv PL7Q== X-Gm-Message-State: APf1xPAa53v0ZxasLi/ryuu1oMLj2vwWqMtcQnlrBHQI7BN105KxvP0J WkmZ3qw80Gxjp3BR2cnL5eakOQ== X-Received: by 10.157.23.22 with SMTP id i22mr30737ota.123.1518635170135; Wed, 14 Feb 2018 11:06:10 -0800 (PST) Received: from ?IPv6:2601:602:9802:a8dc::f21a? ([2601:602:9802:a8dc::f21a]) by smtp.gmail.com with ESMTPSA id 93sm7593432ots.42.2018.02.14.11.06.07 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Wed, 14 Feb 2018 11:06:08 -0800 (PST) Subject: arm64 physmap (was Re: [kernel-hardening] [PATCH 4/6] Protectable Memory) To: Kees Cook Cc: Jann Horn , Igor Stoppa , Boris Lukashev , Christopher Lameter , Matthew Wilcox , Jerome Glisse , Michal Hocko , Christoph Hellwig , linux-security-module , Linux-MM , kernel list , Kernel Hardening , linux-arm-kernel References: <20180124175631.22925-1-igor.stoppa@huawei.com> <20180124175631.22925-5-igor.stoppa@huawei.com> <20180126053542.GA30189@bombadil.infradead.org> <8818bfd4-dd9f-f279-0432-69b59531bd41@huawei.com> <17e5b515-84c8-dca2-1695-cdf819834ea2@huawei.com> <414027d3-dd73-cf11-dc2a-e8c124591646@redhat.com> From: Laura Abbott Message-ID: <2f23544a-bd24-1e71-967b-e8d1cf5a20a3@redhat.com> Date: Wed, 14 Feb 2018 11:06:06 -0800 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.5.2 MIME-Version: 1.0 In-Reply-To: Content-Type: text/plain; charset=utf-8; format=flowed Content-Language: en-US Content-Transfer-Encoding: 7bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On 02/13/2018 01:43 PM, Kees Cook wrote: > On Tue, Feb 13, 2018 at 8:09 AM, Laura Abbott wrote: >> No, arm64 doesn't fixup the aliases, mostly because arm64 uses larger >> page sizes which can't be broken down at runtime. CONFIG_PAGE_POISONING >> does use 4K pages which could be adjusted at runtime. So yes, you are >> right we would have physmap exposure on arm64 as well. > > Errr, so that means even modules and kernel code are writable via the > arm64 physmap? That seems extraordinarily bad. :( > > -Kees > (adding linux-arm-kernel and changing the subject) Kernel code should be fine, if it isn't that is a bug that should be fixed. Modules yes are not fully protected. The conclusion from past experience has been that we cannot safely break down larger page sizes at runtime like x86 does. We could theoretically add support for fixing up the alias if PAGE_POISONING is enabled but I don't know who would actually use that in production. Performance is very poor at that point. Thanks, Laura