Received: by 10.223.185.116 with SMTP id b49csp1218128wrg; Wed, 21 Feb 2018 14:23:06 -0800 (PST) X-Google-Smtp-Source: AH8x227jK6lSCan54rYbki8HsRDxcRu/3nccIONGPbOmjJw9MrfO84LTOEemY5DPelc20oU7j3Hk X-Received: by 10.99.39.1 with SMTP id n1mr3825455pgn.155.1519251786317; Wed, 21 Feb 2018 14:23:06 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1519251786; cv=none; d=google.com; s=arc-20160816; b=bbVKrV5VMdakzqKJ2PUGVOXoQjHNrxx4Ht4c1IxphWQw0MTZVRk64NkdSNPf4NIXO1 Fhi+raodBRAfPOrVyDiq64Q1zOnVKPag56jJIGE2QivraHbHasLJ6gxfuPjMW3ayGbsR d2OG79H/CnioXfAtvY/BwwMUyAOmetGQaOyQb82gRQIBBTTlyP5hZ9RPiObU45Aqilon HwxLYPaP8Wt3+apOBP3IDsILKsy784tJ+9PeidDfv9u288aTLr194lsPdHtrBHdPrYyb hzDeOqEKfWALxD399ddBpmfmJIsIlccAX3u2S04COAf0ZsuaMT8G3NN1EQWPn77wgDlc 4Y7w== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:cc:to:subject:message-id:date:from :references:in-reply-to:mime-version:dkim-signature:dkim-signature :arc-authentication-results; bh=dBGekIZz3Mzon9hgyko58nNR9/HABhsdF8kpFTKOGJ0=; b=pjrT6ILyzGVV1GkiL00z+4svW8irYddXKtNfyPcGBGtQQzMhKtXQh62IZ7uwYDFV5P NE7wwiCdgpCi5F/TGPFV8HDdUMkv62VezHgx0r2Es5QQH4nFnJdSMmS9wSrkQ84/1Ep7 nDE2S0u/geVb5AzhRD2vOzpZ7qYyLsqJRZttWsFC3ivZrUKMr59EG99cV6p2nSB3P4YZ xaYDl4H/qmyHwwlMD6Oar+LMz1JZYTt53UaNLLaLnOmIX9hXHd4x4iyD1zpKZp9Zo2FM 2bX31LcJrPTM1fddNA+uTNWlv8O/IEivFgF5Ps8Hyov4FP1pW3TcO1KInVdiFZ4qb+VC vZuQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=fail header.i=@google.com header.s=20161025 header.b=OhPZO8V/; dkim=fail header.i=@chromium.org header.s=google header.b=SASVIkTu; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=chromium.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id u64si1589398pgc.295.2018.02.21.14.22.51; Wed, 21 Feb 2018 14:23:06 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=fail header.i=@google.com header.s=20161025 header.b=OhPZO8V/; dkim=fail header.i=@chromium.org header.s=google header.b=SASVIkTu; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=chromium.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1751332AbeBUWWO (ORCPT + 99 others); Wed, 21 Feb 2018 17:22:14 -0500 Received: from mail-ua0-f193.google.com ([209.85.217.193]:34197 "EHLO mail-ua0-f193.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751129AbeBUWWM (ORCPT ); Wed, 21 Feb 2018 17:22:12 -0500 Received: by mail-ua0-f193.google.com with SMTP id m43so2089262uah.1 for ; Wed, 21 Feb 2018 14:22:12 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:sender:in-reply-to:references:from:date:message-id :subject:to:cc; bh=dBGekIZz3Mzon9hgyko58nNR9/HABhsdF8kpFTKOGJ0=; b=OhPZO8V/TQ8U23qnvleDIy7gOw+elJ61K11N1YoCwPiz3f7cq4UaF/8WXiwUA4hYEp tze5uyUxdfpl80/c/nbj9gpgK3EJo9xmBTEIfBQl/CGX4THtuhIYK7SscTnbZXCO787h g3rh4Eyr7DJUnMOk5tygEMb0dtj3Kbb3h7q1QV5vd71Pvr4mH2iCks0+7kmgYHWroit4 yf5HVF/qHeX7L3enrH+XvnJFLwl3hROtkgmoI3c96c7E1VBSD54s32m4+8ekI9sDHeJJ RPF0Vh/KKEpT1Re0yAo+IA2OlPdmhLJW25lsgwBzQS840BTJ2cjo20vsjiVHK5NR8Y21 LzxQ== DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; h=mime-version:sender:in-reply-to:references:from:date:message-id :subject:to:cc; bh=dBGekIZz3Mzon9hgyko58nNR9/HABhsdF8kpFTKOGJ0=; b=SASVIkTuzoZJ9FGuQjf5YpxSvs9rXN3xftfEglbbTPUaRyXxo42oGve9sAId5UqKuT 0Zlh87t/QnXSa6NQzJQ6kP6b8TWQBzqA5VY1kd3NvlXmCmyHXtH73K9PR8JhC/0DZ2PS 7bXSfT6LZYRVg4iau9X/j3I9fnWqajq2qTDCc= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:sender:in-reply-to:references:from :date:message-id:subject:to:cc; bh=dBGekIZz3Mzon9hgyko58nNR9/HABhsdF8kpFTKOGJ0=; b=I7Sh5UgOhwrz/kzbMqT/HCA8Lq7cPyfq3ovEfrUxcOHj78FoCDMI/xfAYSFfOPJ6WZ FBc5Pm61XXQ7WkaPEGFF60u6DvqHTe1RIGUWwB+R6I0nN/WvHX3ox5bNTkS2fjXI5lwr GulXVHKkMyIxZRYcXkttwoaK6IQUPGCB1hQRzv6WboprfRkICYcyWpRQkQcqvkNm+VEl JMLHcp51rGtgjUwx+4+DQe/JVGopG0kO9SpgAUWK5DLWuUax7t92Vk5jjmHqAdXPzOYQ AmOaB3F3E6x8s6F2o7Nz5KrdZgyRUQc3BOyfYSnncYU+Nh10xbL8gJz+izkdNYwZsIf/ Qy/w== X-Gm-Message-State: APf1xPDt4UZa7qWpyEI8QKoTyvMX5QKHCTOAbX/ftEbINBMaNQD7KDmA VAI/FvOB7oZyHGzUa+TdGe61OB3iheqwR3ntEl9d/g== X-Received: by 10.176.48.231 with SMTP id d7mr3711601uam.0.1519251731582; Wed, 21 Feb 2018 14:22:11 -0800 (PST) MIME-Version: 1.0 Received: by 10.31.242.140 with HTTP; Wed, 21 Feb 2018 14:22:10 -0800 (PST) In-Reply-To: References: <20180124175631.22925-1-igor.stoppa@huawei.com> <20180126053542.GA30189@bombadil.infradead.org> <8818bfd4-dd9f-f279-0432-69b59531bd41@huawei.com> <17e5b515-84c8-dca2-1695-cdf819834ea2@huawei.com> <414027d3-dd73-cf11-dc2a-e8c124591646@redhat.com> <2f23544a-bd24-1e71-967b-e8d1cf5a20a3@redhat.com> From: Kees Cook Date: Wed, 21 Feb 2018 14:22:10 -0800 X-Google-Sender-Auth: PzdZ4ezCTNnYGgm9squUKO51U9w Message-ID: Subject: Re: arm64 physmap (was Re: [kernel-hardening] [PATCH 4/6] Protectable Memory) To: Igor Stoppa Cc: Laura Abbott , Jann Horn , Boris Lukashev , Christopher Lameter , Matthew Wilcox , Jerome Glisse , Michal Hocko , Christoph Hellwig , linux-security-module , Linux-MM , kernel list , Kernel Hardening , linux-arm-kernel Content-Type: text/plain; charset="UTF-8" Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Tue, Feb 20, 2018 at 8:28 AM, Igor Stoppa wrote: > > > On 14/02/18 21:29, Kees Cook wrote: >> On Wed, Feb 14, 2018 at 11:06 AM, Laura Abbott wrote: > > [...] > >>> Kernel code should be fine, if it isn't that is a bug that should be >>> fixed. Modules yes are not fully protected. The conclusion from past >> >> I think that's a pretty serious problem: we can't have aliases with >> mismatched permissions; this degrades a deterministic protection >> (read-only) to a probabilistic protection (knowing where the alias of >> a target is mapped). Having an attack be "needs some info leaks" >> instead of "need execution control to change perms" is a much lower >> bar, IMO. > > Why "need execution control to change permission"? > Or, iow, what does it mean exactly? > ROP/JOP? Data-oriented control flow hijack? Right, I mean, if an attacker has already gained execute control, they can just call the needed functions to change memory permissions. But that isn't needed if there is a mismatch between physmap and virtmap: i.e. they can write to the physmap without needing to change perms first. > One can argue that this sort of R/W activity probably does require some > form of execution control, but AFAIK, the only way to to prevent it, is > to have CFI - btw, is there any standardization in that sense? I meant that I don't want a difference in protection between physmap and virtmap. I'd like to be able to reason the smae about the exposures in either. > So, from my (pessimistic?) perspective, the best that can be hoped for, > is to make it much harder to figure out where the data is located. > > Virtual mapping has this side effect, compared to linear mapping. Right, this is good, for sure. No complaints there at all. It's why I think pmalloc and arm64 physmap perms are separate issues. -Kees -- Kees Cook Pixel Security