From: Kees Cook
Date: Thu, 19 Apr 2018 09:55:16 -0700
Subject: Re: [PATCH 11/11] x86/pti: leave kernel text global for !PCID
To: Dave Hansen
Cc: LKML, Linux-MM, Andrea Arcangeli, Andy Lutomirski, Linus Torvalds, Hugh Dickins, Juergen Gross, X86 ML, namit@vmware.com
References: <20180406205501.24A1A4E7@viggo.jf.intel.com> <20180406205518.E3D989EB@viggo.jf.intel.com>
X-Mailing-List: linux-kernel@vger.kernel.org

On Thu, Apr 19, 2018 at 9:02 AM, Dave Hansen wrote:
> On 04/18/2018 05:11 PM, Kees Cook wrote:
>> On Fri, Apr 6, 2018 at 1:55 PM, Dave Hansen wrote:
>>> +/*
>>> + * For some configurations, map all of kernel text into the user page
>>> + * tables. This reduces TLB misses, especially on non-PCID systems.
>>> + */
>>> +void pti_clone_kernel_text(void)
>>> +{
>>> + unsigned long start = PFN_ALIGN(_text);
>>> + unsigned long end = ALIGN((unsigned long)_end, PMD_PAGE_SIZE);
>>
>> I think this is too much set global: _end is after data, bss, and brk,
>> and all kinds of other stuff that could hold secrets. I think this
>> should match what mark_rodata_ro() is doing and use
>> __end_rodata_hpage_align. (And on i386, this should be maybe _etext.)
>
> Sounds reasonable to me. This does assume that there are no secrets
> built into the kernel image, right?

It's hard to say, but I was trying to consider the basic threat model of
having your kernel image available to an attacker (i.e. a distro kernel
can be examined from packages, etc). In that case, the text and rodata
are readable through much more direct mechanisms. Everything after
rodata is run-time state, and should be excluded in the general case.

I would expect more paranoid system builders to boot with "pti=on", but
perhaps we should disable Global under other specific CONFIGs, or make a
specific CONFIG for it that other options can select, probably.

-Kees

-- 
Kees Cook
Pixel Security
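Review bot: the upper bound in the quoted hunk, `ALIGN((unsigned long)_end, PMD_PAGE_SIZE)`, reaches well past the kernel text the comment says is being mapped: `_end` sits after .data, .bss and .brk, so run-time state that may hold secrets would be cloned into the user page tables and marked Global. Stop the clone at the end of rodata instead, matching what the thread says mark_rodata_ro() does, for example `unsigned long end = (unsigned long)__end_rodata_hpage_align;`, and handle i386 separately (the thread suggests `_etext` there). The comment above the function should also say that everything after rodata is deliberately left out, so the text/rodata-only intent is visible to the next reader.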