From: Laura Abbott
To: Christoph von Recklinghausen, keescook@chromium.org, linux-kernel@vger.kernel.org, linux-mm@kvack.org
Subject: Re: [PATCH] add param that allows bootline control of hardened usercopy
Date: Mon, 25 Jun 2018 12:44:22 -0700
References: <1529939300-27461-1-git-send-email-crecklin@redhat.com>
X-Mailing-List: linux-kernel@vger.kernel.org

On 06/25/2018 08:22 AM, Christoph von Recklinghausen wrote:
> Add correct address for linux-mm
>
> On 06/25/2018 11:08 AM, Chris von Recklinghausen wrote:
>> Enabling HARDENED_USER_COPY causes measurable regressions in
>> networking performance, up to 8% under UDP flood.
>>
>> A generic distro may want to enable HARDENED_USER_COPY in their default
>> kernel config, but at the same time, such a distro may want to be able to
>> avoid the performance penalties with the default configuration and
>> enable the stricter check on a per-boot basis.
>>
>> This change adds a config variable and a boot parameter to conditionally
>> enable HARDENED_USER_COPY at boot time, and switches HUC off if
>> HUC_DEFAULT_OFF is set.
>>
>> Signed-off-by: Chris von Recklinghausen
>> ---
>>  .../admin-guide/kernel-parameters.rst |  2 ++
>>  .../admin-guide/kernel-parameters.txt |  3 ++
>>  include/linux/thread_info.h           |  7 +++++
>>  mm/usercopy.c                         | 28 +++++++++++++++++++
>>  security/Kconfig                      | 10 +++++++
>>  5 files changed, 50 insertions(+)
>> >> diff --git a/Documentation/admin-guide/kernel-parameters.rst b/Documentation/admin-guide/kernel-parameters.rst >> index b8d0bc07ed0a..c3035038e3ae 100644 >> --- a/Documentation/admin-guide/kernel-parameters.rst >> +++ b/Documentation/admin-guide/kernel-parameters.rst >> @@ -100,6 +100,8 @@ parameter is applicable:: >> FB The frame buffer device is enabled. >> FTRACE Function tracing enabled. >> GCOV GCOV profiling is enabled. >> + HUC Hardened usercopy is enabled >> + HUCF Hardened usercopy disabled at boot >> HW Appropriate hardware is enabled. >> IA-64 IA-64 architecture is enabled. >> IMA Integrity measurement architecture is enabled. >> diff --git a/Documentation/admin-guide/kernel-parameters.txt b/Documentation/admin-guide/kernel-parameters.txt >> index efc7aa7a0670..cd3354bc14d3 100644 >> --- a/Documentation/admin-guide/kernel-parameters.txt >> +++ b/Documentation/admin-guide/kernel-parameters.txt >> @@ -816,6 +816,9 @@ >> disable= [IPV6] >> See Documentation/networking/ipv6.txt. >> >> + enable_hardened_usercopy [HUC,HUCF] >> + Enable hardened usercopy checks >> + >> disable_radix [PPC] >> Disable RADIX MMU mode on POWER9 >> >> diff --git a/include/linux/thread_info.h b/include/linux/thread_info.h >> index 8d8821b3689a..140a36cc1c2c 100644 >> --- a/include/linux/thread_info.h >> +++ b/include/linux/thread_info.h >> @@ -109,12 +109,19 @@ static inline int arch_within_stack_frames(const void * const stack, >> #endif >> >> #ifdef CONFIG_HARDENED_USERCOPY >> +#include >> + >> +DECLARE_STATIC_KEY_FALSE(bypass_usercopy_checks); >> + >> extern void __check_object_size(const void *ptr, unsigned long n, >> bool to_user); >> >> static __always_inline void check_object_size(const void *ptr, unsigned long n, >> bool to_user) >> { >> + if (static_branch_likely(&bypass_usercopy_checks)) >> + return; >> + >> if (!__builtin_constant_p(n)) >> __check_object_size(ptr, n, to_user); >> } 
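Review bot: the two entries added to the kernel-parameters.rst tag table, `HUC Hardened usercopy is enabled` and `HUCF Hardened usercopy disabled at boot`, drop the trailing period that every neighbouring entry (`FB`, `FTRACE`, `GCOV`, `HW`) carries, and a second tag for the same feature is hard to justify: this table names the condition under which a parameter is applicable, and `enable_hardened_usercopy` is applicable whenever HARDENED_USERCOPY is built in, so a single `HUC` tag with the default-off behaviour described in kernel-parameters.txt would be enough.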
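Review bot: in the kernel-parameters.txt hunk, `enable_hardened_usercopy` is inserted between `disable=` and `disable_radix`, but that file is kept in alphabetical order, so the entry belongs among the parameters starting with `e`. The one-line description `Enable hardened usercopy checks` should also say that the parameter only changes anything when CONFIG_HUC_DEFAULT_OFF is set; without that option the checks are already on and the parameter silently does nothing, which an admin reading only this file cannot tell.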
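Review bot: the static-key polarity in the thread_info.h hunk looks inverted for the stated default: `bypass_usercopy_checks` is a `DECLARE_STATIC_KEY_FALSE` key tested with `static_branch_likely()`, which tells the compiler that bypassing the check is the expected path, while the cover letter says the checks stay enabled unless `HUC_DEFAULT_OFF` is set. `static_branch_unlikely(&bypass_usercopy_checks)` matches a default-off key and keeps the common configuration on the fall-through path. The first added line is a bare `#include` with no header named; `DECLARE_STATIC_KEY_FALSE` and `static_branch_*` come from `<linux/jump_label.h>`, and pulling that into thread_info.h, which is included almost everywhere, is worth a check for include cycles on the architectures that define their own thread_info.h.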
>> diff --git a/mm/usercopy.c b/mm/usercopy.c >> index e9e9325f7638..ce3996da1b2e 100644 >> --- a/mm/usercopy.c >> +++ b/mm/usercopy.c >> @@ -279,3 +279,31 @@ void __check_object_size(const void *ptr, unsigned long n, bool to_user) >> check_kernel_text_object((const unsigned long)ptr, n, to_user); >> } >> EXPORT_SYMBOL(__check_object_size); >> + >> +DEFINE_STATIC_KEY_FALSE(bypass_usercopy_checks); >> +EXPORT_SYMBOL(bypass_usercopy_checks); >> + >> +#ifdef CONFIG_HUC_DEFAULT_OFF >> +#define HUC_DEFAULT false >> +#else >> +#define HUC_DEFAULT true >> +#endif >> + >> +static bool enable_huc_atboot = HUC_DEFAULT; >> + >> +static int __init parse_enable_usercopy(char *str) >> +{ >> + enable_huc_atboot = true; >> + return 1; >> +} >> + >> +static int __init set_enable_usercopy(void) >> +{ >> + if (enable_huc_atboot == false) >> + static_branch_enable(&bypass_usercopy_checks); >> + return 1; >> +} >> + >> +__setup("enable_hardened_usercopy", parse_enable_usercopy); >> + >> +late_initcall(set_enable_usercopy); >> diff --git a/security/Kconfig b/security/Kconfig >> index c4302067a3ad..a6173897b85c 100644 >> --- a/security/Kconfig >> +++ b/security/Kconfig 
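Review bot: `parse_enable_usercopy()` ignores `str`, so `enable_hardened_usercopy=0` or `=off` enables the checks just like the bare parameter; either register the option as `enable_hardened_usercopy=` and parse the value with `strtobool()`, or document that the parameter takes no value. `set_enable_usercopy()` is a `late_initcall` and should return 0 on success rather than 1, and `enable_huc_atboot == false` reads better as `!enable_huc_atboot`. There is also a timing gap: the key is only flipped at `late_initcall` time, so every usercopy between early boot and that point is still checked even when the admin asked for the checks to be off; an earlier initcall level would narrow that window and make the behaviour match the documentation.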
>> @@ -189,6 +189,16 @@ config HARDENED_USERCOPY_PAGESPAN >> been removed. This config is intended to be used only while >> trying to find such users. >> >> +config HUC_DEFAULT_OFF >> + bool "allow CONFIG_HARDENED_USERCOPY to be configured but disabled" >> + depends on HARDENED_USERCOPY >> + help >> + When CONFIG_HARDENED_USERCOPY is enabled, disable its >> + functionality unless it is enabled via at boot time >> + via the "enable_hardened_usercopy" boot parameter. This allows >> + the functionality of hardened usercopy to be present but not >> + impact performance unless it is needed. >> + >> config FORTIFY_SOURCE >> bool "Harden common str/mem functions against buffer overflows" >> depends on ARCH_HAS_FORTIFY_SOURCE
>
>

This seems a bit backwards; I'd much rather see hardened user copy default to on with the basic config option and then just have a command line option to turn it off.

Thanks,
Laura
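Review bot: the help text in the security/Kconfig hunk reads `unless it is enabled via at boot time via the "enable_hardened_usercopy" boot parameter`; drop the first `via`. The prompt `"allow CONFIG_HARDENED_USERCOPY to be configured but disabled"` should be capitalised like the neighbouring prompts (`"Harden common str/mem functions against buffer overflows"`), and the help should state the consequence plainly: with this option set and no boot parameter given, no usercopy hardening is active at all, which is the default-polarity concern raised in the reply above.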
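The following is an added example and not code from the patch or from anyone in the thread: a userspace model of the gate the patch puts around the usercopy check, written to make the two default polarities under discussion concrete. It models the bypass static key as a plain flag, replaces the real slab/page/stack lookups in `__check_object_size()` with a constructed two-object table, and evaluates a kernel command line under both policies: the patch's opt-in `enable_hardened_usercopy` (including the consequence that the handler ignores any `=value`), and a default-on policy with an opt-out parameter as the reply suggests. The opt-out spelling `hardened_usercopy=off` is an assumption of this example, not something the thread defines.

```c
/* Added example, not code from the patch or the thread: a userspace model of
 * the boot-time gate around hardened usercopy. The object table, the command
 * lines and the bounds rule are constructed for illustration; the real
 * __check_object_size() consults slab, page and stack metadata instead. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed allocation table: two adjacent 64-byte slab objects. */
struct kobj { uintptr_t start; size_t len; };
static const struct kobj objects[] = {
    { 0x1000, 64 },
    { 0x1040, 64 },
};

/* Model of __check_object_size(): a copy of n bytes at ptr must lie inside a
 * single known object. Returns 0 when allowed, -1 when it would overrun or
 * cross into the neighbouring object, the case the hardening exists to catch. */
static int check_object_size_model(uintptr_t ptr, size_t n)
{
    for (size_t i = 0; i < sizeof objects / sizeof objects[0]; i++) {
        const struct kobj *o = &objects[i];
        if (ptr >= o->start && ptr < o->start + o->len)
            return (ptr + n <= o->start + o->len) ? 0 : -1;
    }
    return -1;                          /* not a known object: refuse the copy */
}

/* Model of the patched check_object_size() wrapper: when the bypass key is set
 * the check is skipped entirely and every copy passes. */
static int gated_check(uintptr_t ptr, size_t n, bool bypass_usercopy_checks)
{
    if (bypass_usercopy_checks)
        return 0;
    return check_object_size_model(ptr, n);
}

/* Decide from the kernel command line whether the checks end up enabled.
 * opt_in == true  models the patch with CONFIG_HUC_DEFAULT_OFF: checks are off
 *                 unless "enable_hardened_usercopy" appears. The patch's
 *                 __setup handler matches by prefix and ignores any value, so
 *                 "enable_hardened_usercopy=0" enables the checks as well.
 * opt_in == false models a default-on policy with an opt-out parameter; the
 *                 spelling "hardened_usercopy=off" (or "=0") is an assumption
 *                 of this example, not something the thread defines. */
static bool usercopy_checks_enabled(const char *cmdline, bool opt_in)
{
    static const char opt_in_name[] = "enable_hardened_usercopy";
    char buf[256];
    bool enabled = !opt_in;             /* default polarity follows the policy */

    strncpy(buf, cmdline, sizeof buf - 1);
    buf[sizeof buf - 1] = '\0';

    for (char *tok = strtok(buf, " "); tok; tok = strtok(NULL, " ")) {
        if (opt_in && strncmp(tok, opt_in_name, strlen(opt_in_name)) == 0)
            enabled = true;
        if (!opt_in && (strcmp(tok, "hardened_usercopy=off") == 0 ||
                        strcmp(tok, "hardened_usercopy=0") == 0))
            enabled = false;
    }
    return enabled;
}

static void report(const char *policy, const char *cmdline, bool opt_in)
{
    bool on = usercopy_checks_enabled(cmdline, opt_in);
    /* A 96-byte copy starting at 0x1000 runs past the first 64-byte object. */
    int rc = gated_check(0x1000, 96, !on);
    printf("%-8s \"%s\": checks %s, overrunning copy %s\n", policy, cmdline,
           on ? "on" : "off", rc ? "rejected" : "allowed");
}

int main(void)
{
    /* Constructed command lines. */
    report("opt-in", "root=/dev/sda1 quiet", true);
    report("opt-in", "root=/dev/sda1 enable_hardened_usercopy", true);
    report("opt-in", "root=/dev/sda1 enable_hardened_usercopy=0", true);
    report("opt-out", "root=/dev/sda1 quiet", false);
    report("opt-out", "root=/dev/sda1 hardened_usercopy=off", false);
    return 0;
}
```

The point the model makes visible is the failure mode of the opt-in policy: a kernel built with the patch's `HUC_DEFAULT_OFF` and booted with an unremarkable command line runs with no usercopy hardening, and the overrunning copy is allowed; under the default-on policy the same command line rejects it, and only an explicit opt-out removes the protection.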