From: Chris von Recklinghausen
To: keescook@chromium.org, linux-kernel@vger.kernel.org, linux-mm@vger.kernel.org
Subject: [PATCH] add param that allows bootline control of hardened usercopy
Date: Mon, 25 Jun 2018 11:08:20 -0400
Message-Id: <1529939300-27461-1-git-send-email-crecklin@redhat.com>
List-ID: linux-kernel@vger.kernel.org

Enabling HARDENED_USER_COPY causes measurable regressions in networking performance, up to 8% under UDP flood.

A generic distro may want to enable HARDENED_USER_COPY in its default kernel config, but at the same time, such a distro may want to be able to avoid the performance penalties with the default configuration and enable the stricter check on a per-boot basis.

This change adds a config variable and a boot parameter to conditionally enable HARDENED_USER_COPY at boot time, and switches HUC off if HUC_DEFAULT_OFF is set.

Signed-off-by: Chris von Recklinghausen
---
 .../admin-guide/kernel-parameters.rst | 2 ++
 .../admin-guide/kernel-parameters.txt | 3 ++
 include/linux/thread_info.h | 7 +++++
 mm/usercopy.c | 28 +++++++++++++++++++
 security/Kconfig | 10 +++++++
 5 files changed, 50 insertions(+)

diff --git a/Documentation/admin-guide/kernel-parameters.rst b/Documentation/admin-guide/kernel-parameters.rst
index b8d0bc07ed0a..c3035038e3ae 100644
--- a/Documentation/admin-guide/kernel-parameters.rst
+++ b/Documentation/admin-guide/kernel-parameters.rst
@@ -100,6 +100,8 @@ parameter is applicable:: FB The frame buffer device is enabled. FTRACE Function tracing enabled. GCOV GCOV profiling is enabled. + HUC Hardened usercopy is enabled + HUCF Hardened usercopy disabled at boot HW Appropriate hardware is enabled. IA-64 IA-64 architecture is enabled. IMA Integrity measurement architecture is enabled. diff --git a/Documentation/admin-guide/kernel-parameters.txt b/Documentation/admin-guide/kernel-parameters.txt index efc7aa7a0670..cd3354bc14d3 100644 --- a/Documentation/admin-guide/kernel-parameters.txt +++ b/Documentation/admin-guide/kernel-parameters.txt @@ -816,6 +816,9 @@ disable= [IPV6] See Documentation/networking/ipv6.txt. + enable_hardened_usercopy [HUC,HUCF] + Enable hardened usercopy checks + disable_radix [PPC] Disable RADIX MMU mode on POWER9 diff --git a/include/linux/thread_info.h b/include/linux/thread_info.h index 8d8821b3689a..140a36cc1c2c 100644 --- a/include/linux/thread_info.h +++ b/include/linux/thread_info.h @@ -109,12 +109,19 @@ static inline int arch_within_stack_frames(const void * const stack, #endif #ifdef CONFIG_HARDENED_USERCOPY +#include + +DECLARE_STATIC_KEY_FALSE(bypass_usercopy_checks); + extern void __check_object_size(const void *ptr, unsigned long n, bool to_user); static __always_inline void check_object_size(const void *ptr, unsigned long n, bool to_user) { + if (static_branch_likely(&bypass_usercopy_checks)) + return; + if (!__builtin_constant_p(n)) __check_object_size(ptr, n, to_user); } diff --git a/mm/usercopy.c b/mm/usercopy.c index e9e9325f7638..ce3996da1b2e 100644 --- a/mm/usercopy.c +++ b/mm/usercopy.c 
@@ -279,3 +279,31 @@ void __check_object_size(const void *ptr, unsigned long n, bool to_user) check_kernel_text_object((const unsigned long)ptr, n, to_user); } EXPORT_SYMBOL(__check_object_size); + +DEFINE_STATIC_KEY_FALSE(bypass_usercopy_checks); +EXPORT_SYMBOL(bypass_usercopy_checks); + +#ifdef CONFIG_HUC_DEFAULT_OFF +#define HUC_DEFAULT false +#else +#define HUC_DEFAULT true +#endif + +static bool enable_huc_atboot = HUC_DEFAULT; + +static int __init parse_enable_usercopy(char *str) +{ + enable_huc_atboot = true; + return 1; +} + +static int __init set_enable_usercopy(void) +{ + if (enable_huc_atboot == false) + static_branch_enable(&bypass_usercopy_checks); + return 1; +} + +__setup("enable_hardened_usercopy", parse_enable_usercopy); + +late_initcall(set_enable_usercopy); diff --git a/security/Kconfig b/security/Kconfig index c4302067a3ad..a6173897b85c 100644 --- a/security/Kconfig +++ b/security/Kconfig @@ -189,6 +189,16 @@ config HARDENED_USERCOPY_PAGESPAN been removed. This config is intended to be used only while trying to find such users. +config HUC_DEFAULT_OFF + bool "allow CONFIG_HARDENED_USERCOPY to be configured but disabled" + depends on HARDENED_USERCOPY + help + When CONFIG_HARDENED_USERCOPY is enabled, disable its + functionality unless it is enabled via at boot time + via the "enable_hardened_usercopy" boot parameter. This allows + the functionality of hardened usercopy to be present but not + impact performance unless it is needed. + config FORTIFY_SOURCE bool "Harden common str/mem functions against buffer overflows" depends on ARCH_HAS_FORTIFY_SOURCE -- 2.17.0
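Review bot: in the kernel-parameters.rst hunk, the two new tag lines lack the trailing period every neighbouring entry has ("FB The frame buffer device is enabled."), and "HUCF Hardened usercopy disabled at boot" describes a runtime state rather than a build condition like the other tags in that list. Since the parameter only has an effect when CONFIG_HUC_DEFAULT_OFF is set, one tag keyed to that option (for example "HUC CONFIG_HUC_DEFAULT_OFF is enabled.") would be clearer than the HUC/HUCF pair.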
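Review bot: in the kernel-parameters.txt hunk, `enable_hardened_usercopy` is inserted between `disable=` and `disable_radix`, which breaks the file's alphabetical ordering; it belongs with the other `e` entries. The description "Enable hardened usercopy checks" should also say that the parameter takes no value, that it is a no-op unless the kernel was built with CONFIG_HUC_DEFAULT_OFF, and that without it such a kernel boots with the checks bypassed, since that is the fact an administrator auditing a boot line needs.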
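Review bot: in the thread_info.h hunk, `static_branch_likely(&bypass_usercopy_checks)` is paired with a key defined through DEFINE_STATIC_KEY_FALSE; with that combination the default state (key false, checks active) is the one that executes a jump, so every check_object_size() call pays for the branch precisely when the hardening is on. Use `static_branch_unlikely()` with the FALSE key, or define the key TRUE if bypass is meant to be the expected case. The `#include` line also shows no header name in this rendering; DECLARE_STATIC_KEY_FALSE needs the jump-label header, so confirm the include target survived.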
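Review bot: in the mm/usercopy.c hunk, `__setup("enable_hardened_usercopy", ...)` matches on prefix and parse_enable_usercopy() ignores `str`, so the parameter can only turn checks on (`enable_hardened_usercopy=0` would also enable them) and a kernel built without CONFIG_HUC_DEFAULT_OFF has no way to turn them off. A single boolean parameter parsed with strtobool() (for example `hardened_usercopy=on|off` writing to enable_huc_atboot) would cover both defaults with one knob. Minor points: `if (enable_huc_atboot == false)` reads better as `if (!enable_huc_atboot)`, `enable_huc_atboot` is only used from __init code and can be `__initdata`, and initcalls conventionally return 0 (a nonzero return is reported as an error code under initcall_debug).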
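Review bot: in the security/Kconfig hunk, the help text reads "unless it is enabled via at boot time via the" (doubled "via"), and the prompt "allow CONFIG_HARDENED_USERCOPY to be configured but disabled" is hard to parse; something like "Disable hardened usercopy checks unless enabled on the boot command line" states what the option does. The symbol HUC_DEFAULT_OFF also departs from the naming of its sibling HARDENED_USERCOPY_PAGESPAN visible in the context lines; HARDENED_USERCOPY_DEFAULT_OFF would keep the options grouped. The help text should spell out that with this option set the copy_*_user bounds checks are inactive by default, so a distro shipping it runs without the protection unless the bootloader adds the parameter.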
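Because the patch makes the protection depend on a build option and a boot-line token together, an administrator cannot tell from the kernel config alone whether the usercopy checks are actually active. The script below is an added example (not part of the patch or the kernel tree) that reproduces the patch's decision logic in POSIX shell: it reads a config fragment and a command line as strings, mirrors the prefix match that `__setup()` performs on "enable_hardened_usercopy", and reports the effective state. The function names and the sample config are constructed for the example; on a live system you would pass "$(cat /proc/cmdline)" and the contents of /boot/config-$(uname -r).

```shell
#!/bin/sh
# Added example, not from the patch: decide whether hardened usercopy checks are
# active under the semantics of CONFIG_HUC_DEFAULT_OFF + enable_hardened_usercopy.

# config_has SYMBOL CONFIG_TEXT -> success if a line "SYMBOL=y" is present
config_has() {
    printf '%s\n' "$2" | grep -q "^$1=y\$"
}

# cmdline_has_enable CMDLINE -> success if any token starts with the parameter
# name; __setup() in the patch matches on the prefix and ignores any "=value",
# so "enable_hardened_usercopy=0" counts as enabling too.
cmdline_has_enable() {
    for tok in $1; do
        case "$tok" in
            enable_hardened_usercopy*) return 0 ;;
        esac
    done
    return 1
}

# huc_state CMDLINE CONFIG_TEXT -> prints one of: not-built, on, off
huc_state() {
    cmdline=$1
    config=$2
    if ! config_has CONFIG_HARDENED_USERCOPY "$config"; then
        echo not-built
    elif ! config_has CONFIG_HUC_DEFAULT_OFF "$config"; then
        echo on      # HUC_DEFAULT is true; the boot parameter changes nothing
    elif cmdline_has_enable "$cmdline"; then
        echo on      # parse_enable_usercopy() set enable_huc_atboot
    else
        echo off     # set_enable_usercopy() flipped bypass_usercopy_checks
    fi
}

# Constructed sample config fragment (not taken from a real machine)
SAMPLE_CONFIG='CONFIG_HARDENED_USERCOPY=y
CONFIG_HUC_DEFAULT_OFF=y
CONFIG_FORTIFY_SOURCE=y'

# Constructed sample config where the new option is left unset
SAMPLE_CONFIG_DEFAULT_ON='CONFIG_HARDENED_USERCOPY=y
# CONFIG_HUC_DEFAULT_OFF is not set'

huc_state "root=/dev/sda1 quiet" "$SAMPLE_CONFIG"
huc_state "root=/dev/sda1 enable_hardened_usercopy quiet" "$SAMPLE_CONFIG"
huc_state "root=/dev/sda1 quiet" "$SAMPLE_CONFIG_DEFAULT_ON"
```

The first call prints `off`: a kernel built with the new option and booted with a plain command line runs without the bounds checks, which is the configuration-drift case worth alerting on in a hardening baseline.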