Subject: [PATCH 11/11] x86/pti: leave kernel text global for !PCID
To: linux-kernel@vger.kernel.org
Cc: linux-mm@kvack.org, Dave Hansen, aarcange@redhat.com, luto@kernel.org, torvalds@linux-foundation.org, keescook@google.com, hughd@google.com, jgross@suse.com, x86@kernel.org, namit@vmware.com
From: Dave Hansen
Date: Fri, 23 Mar 2018 10:45:04 -0700
References: <20180323174447.55F35636@viggo.jf.intel.com>
In-Reply-To: <20180323174447.55F35636@viggo.jf.intel.com>
Message-Id: <20180323174504.60B178AB@viggo.jf.intel.com>

I'm sticking this at the end of the series because it's a bit weird.
It can be dropped and the rest of the series is still useful without it.

Global pages are bad for hardening because they potentially let an
exploit read the kernel image via a Meltdown-style attack which makes
it easier to find gadgets.

But, global pages are good for performance because they reduce TLB
misses when making user/kernel transitions, especially when PCIDs are
not available, such as on older hardware, or where a hypervisor has
disabled them for some reason.

This patch implements a basic, sane policy: If you have PCIDs, you
only map a minimal amount of kernel text global. If you do not have
PCIDs, you map all kernel text global.

This policy effectively makes PCIDs something that not only adds
performance but a little bit of hardening as well.

Signed-off-by: Dave Hansen
Cc: Andrea Arcangeli
Cc: Andy Lutomirski
Cc: Linus Torvalds
Cc: Kees Cook
Cc: Hugh Dickins
Cc: Juergen Gross
Cc: x86@kernel.org
Cc: Nadav Amit
--- b/arch/x86/mm/pti.c | 34 +++++++++++++++++++++++++++++++++- 1 file changed, 33 insertions(+), 1 deletion(-) diff -puN arch/x86/mm/pti.c~kpti-global-text-option arch/x86/mm/pti.c --- a/arch/x86/mm/pti.c~kpti-global-text-option 2018-03-21 16:32:14.312192277 -0700 +++ b/arch/x86/mm/pti.c 2018-03-21 16:32:14.316192277 -0700
@@ -66,12 +66,22 @@ static void __init pti_print_if_secure(c pr_info("%s\n", reason); } +enum pti_mode { + PTI_AUTO = 0, + PTI_FORCE_OFF, + PTI_FORCE_ON +} pti_mode; + void __init pti_check_boottime_disable(void) { char arg[5]; int ret; + /* Assume mode is auto unless overridden. */ + pti_mode = PTI_AUTO; + if (hypervisor_is_type(X86_HYPER_XEN_PV)) { + pti_mode = PTI_FORCE_OFF; pti_print_if_insecure("disabled on XEN PV."); return; } @@ -79,18 +89,23 @@ void __init pti_check_boottime_disable(v ret = cmdline_find_option(boot_command_line, "pti", arg, sizeof(arg)); if (ret > 0) { if (ret == 3 && !strncmp(arg, "off", 3)) { + pti_mode = PTI_FORCE_OFF; pti_print_if_insecure("disabled on command line."); return; } if (ret == 2 && !strncmp(arg, "on", 2)) { + pti_mode = PTI_FORCE_ON; pti_print_if_secure("force enabled on command line."); goto enable; } - if (ret == 4 && !strncmp(arg, "auto", 4)) + if (ret == 4 && !strncmp(arg, "auto", 4)) { + pti_mode = PTI_AUTO; goto autosel; + } } if (cmdline_find_option_bool(boot_command_line, "nopti")) { + pti_mode = PTI_FORCE_OFF; pti_print_if_insecure("disabled on command line."); return; } 
@@ -374,6 +389,23 @@ void pti_set_kernel_image_nonglobal(void unsigned long start = PFN_ALIGN(_text); unsigned long end = ALIGN((unsigned long)_end, PMD_PAGE_SIZE); + /* + * Global pages and PCIDs are both ways to make kernel TLB + * entries live longer, reduce TLB misses and improve kernel + * performance. But, leaving all kernel text Global makes + * it potentially accessible to meltdown-style attacks which + * make it trivial to find gadgets or defeat KASLR. + * + * Leave kernel text global, but only on systems that do not + * have PCIDs and which have not explicitly enabled pti=on. + */ + if (!cpu_feature_enabled(X86_FEATURE_PCID) && + (pti_mode == PTI_AUTO)) { + pr_debug("processor does not support PCIDs, leaving " + "kernel image global\n"); + return; + } + pr_debug("set kernel image non-global\n"); set_memory_nonglobal(start, (end - start) >> PAGE_SHIFT); _
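
Review bot: `pti_mode` in the first hunk (@@ -66,12 +66,22 @@) is declared without `static` and reuses the enum tag as the variable name, although the diff touches only arch/x86/mm/pti.c and every write to it sits in the `__init` function pti_check_boottime_disable(). Because the variable later gates a hardening decision in pti_set_kernel_image_nonglobal(), make it file-local (`static enum pti_mode { ... } pti_mode;`) and consider marking it `__ro_after_init` so it cannot change once boot-time parsing is done. The explicit `pti_mode = PTI_AUTO;` at the top of the function is redundant with `PTI_AUTO = 0` and zero-initialised static storage; keeping it is fine if it is meant as documentation.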
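
Review bot: The second hunk (@@ -79,18 +89,23 @@) gives `pti=on` and `pti=auto` different behaviour for the first time, and that is not documented anywhere in this patch. With `PTI_FORCE_ON` recorded for `pti=on`, a system without PCIDs keeps kernel text non-global only when the administrator passes `pti=on`, while `pti=auto` (and no option at all) leaves it global; the diffstat shows only pti.c changing, so the boot-parameter documentation still describes the two as equivalent on an affected CPU. Please add a sentence to the `pti=` parameter description saying that `on` also keeps the kernel image non-global on CPUs without PCID. Separately, the `pti_mode = PTI_AUTO;` inside the `"auto"` branch repeats the default already set at function entry and could be dropped together with the new braces.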
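
Review bot: In the third hunk (@@ -374,6 +389,23 @@) the early return that leaves the kernel image global is reported only through `pr_debug()`, so on a default build nothing in the boot log tells an administrator that this hardening was skipped. Since the commit message itself describes global kernel text as readable through a Meltdown-style attack, the weaker setting deserves at least a `pr_info()`, ideally one that mentions `pti=on` as the way to override it. The message text also says "processor does not support PCIDs", but `cpu_feature_enabled(X86_FEATURE_PCID)` is false as well when a hypervisor has disabled PCIDs, a case the commit message names explicitly; "PCIDs not enabled" would be accurate for both. Finally, the string is split across two source lines (`"... leaving " "kernel image global\n"`), which makes it hard to grep for; keep it on one line.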