Subject: [PATCH 4/5] x86, pti: disallow global kernel text with RANDSTRUCT
To: linux-kernel@vger.kernel.org
Cc: linux-mm@kvack.org, Dave Hansen, keescook@google.com, aarcange@redhat.com, luto@kernel.org, arjan@linux.intel.com, bp@alien8.de, dan.j.williams@intel.com, dwmw2@infradead.org, gregkh@linuxfoundation.org, hughd@google.com, jpoimboe@redhat.com, jgross@suse.com, torvalds@linux-foundation.org, namit@vmware.com, peterz@infradead.org, tglx@linutronix.de, vbabka@suse.cz
From: Dave Hansen
Date: Fri, 20 Apr 2018 15:20:26 -0700
References: <20180420222018.E7646EE1@viggo.jf.intel.com>
In-Reply-To: <20180420222018.E7646EE1@viggo.jf.intel.com>
Message-Id: <20180420222026.D0B4AAC9@viggo.jf.intel.com>
X-Mailing-List: linux-kernel@vger.kernel.org

I believe this was originally reported by the grsecurity team who tweeted about it (link below).

RANDSTRUCT derives its hardening benefits from the attacker's lack of knowledge about the layout of kernel data structures. Keep the kernel image non-global in cases where RANDSTRUCT is in use to help keep the layout a secret.

Signed-off-by: Dave Hansen
Reported-by: Kees Cook
Link: https://twitter.com/grsecurity/status/985678720630476800
Fixes: 8c06c7740 (x86/pti: Leave kernel text global for !PCID)
Cc: Andrea Arcangeli
Cc: Andy Lutomirski
Cc: Arjan van de Ven
Cc: Borislav Petkov
Cc: Dan Williams
Cc: David Woodhouse
Cc: Greg Kroah-Hartman
Cc: Hugh Dickins
Cc: Josh Poimboeuf
Cc: Juergen Gross
Cc: Kees Cook
Cc: Linus Torvalds
Cc: Nadav Amit
Cc: Peter Zijlstra
Cc: Thomas Gleixner
Cc: Vlastimil Babka
Cc: linux-mm@kvack.org
---
 b/arch/x86/mm/pti.c | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff -puN arch/x86/mm/pti.c~pti-glb-disable-with-compile-options arch/x86/mm/pti.c --- a/arch/x86/mm/pti.c~pti-glb-disable-with-compile-options 2018-04-20 14:10:02.702749165 -0700 +++ b/arch/x86/mm/pti.c 2018-04-20 14:10:02.706749165 -0700 @@ -421,6 +421,16 @@ static inline bool pti_kernel_image_glob if (boot_cpu_has(X86_FEATURE_K8)) return false; + /* + * RANDSTRUCT derives its hardening benefits from the + * attacker's lack of knowledge about the layout of kernel + * data structures. Keep the kernel image non-global in + * cases where RANDSTRUCT is in use to help keep the layout a + * secret. + */ + if (IS_ENABLED(CONFIG_GCC_PLUGIN_RANDSTRUCT)) + return false; + return true; } _
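Review bot: the new comment block in pti_kernel_image_global_ok() says what RANDSTRUCT protects (the layout of kernel data structures) but not why keeping the kernel *text* non-global matters for a *data* layout secret; a sentence stating the link, for example that the field offsets baked into the compiled code reveal the randomized layout, so exposing the text exposes the layout, would make the added check self-explanatory to the next reader of this function, and the same sentence belongs in the commit message. Minor style point: `IS_ENABLED(CONFIG_GCC_PLUGIN_RANDSTRUCT)` is a compile-time constant, so the new `return false` could be placed before the runtime `boot_cpu_has(X86_FEATURE_K8)` test; the compiler will fold it either way, so this is a readability choice rather than a correctness issue. The +421,16 hunk header and the "10 insertions(+)" diffstat agree with the ten added lines.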