From: Chris von Recklinghausen
To: keescook@chromium.org, labbott@redhat.com, pabeni@redhat.com, linux-mm@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: [v2 PATCH] add param that allows bootline control of hardened usercopy
Date: Tue, 26 Jun 2018 08:50:30 -0400
Message-Id: <1530017430-5394-1-git-send-email-crecklin@redhat.com>

Enabling HARDENED_USER_COPY causes measurable regressions in networking performance, up to 8% under UDP flood.

A generic distro may want to enable HARDENED_USER_COPY in their default kernel config, but at the same time, such a distro may want to be able to avoid the performance penalties with the default configuration and disable the stricter check on a per-boot basis.

This change adds a boot parameter to conditionally disable HARDENED_USERCOPY at boot time.

v1->v2:
	remove CONFIG_HUC_DEFAULT_OFF
	default is now enabled, boot param disables
	move check to __check_object_size so as to not break optimization of __builtin_constant_p()
	include linux/atomic.h before linux/jump_label.h

Signed-off-by: Chris von Recklinghausen
--- .../admin-guide/kernel-parameters.rst | 1 + .../admin-guide/kernel-parameters.txt | 3 +++ include/linux/thread_info.h | 5 ++++ mm/usercopy.c | 27 +++++++++++++++++++ 4 files changed, 36 insertions(+) diff --git a/Documentation/admin-guide/kernel-parameters.rst b/Documentation/admin-guide/kernel-parameters.rst index b8d0bc07ed0a..87a1200a1db6 100644 
--- a/Documentation/admin-guide/kernel-parameters.rst +++ b/Documentation/admin-guide/kernel-parameters.rst @@ -100,6 +100,7 @@ parameter is applicable:: FB The frame buffer device is enabled. FTRACE Function tracing enabled. GCOV GCOV profiling is enabled. + HUC Hardened usercopy is enabled HW Appropriate hardware is enabled. IA-64 IA-64 architecture is enabled. IMA Integrity measurement architecture is enabled. diff --git a/Documentation/admin-guide/kernel-parameters.txt b/Documentation/admin-guide/kernel-parameters.txt index efc7aa7a0670..d14be0038aed 100644 --- a/Documentation/admin-guide/kernel-parameters.txt +++ b/Documentation/admin-guide/kernel-parameters.txt @@ -816,6 +816,9 @@ disable= [IPV6] See Documentation/networking/ipv6.txt. + disable_hardened_usercopy [HUC] + Disable hardened usercopy checks + disable_radix [PPC] Disable RADIX MMU mode on POWER9 diff --git a/include/linux/thread_info.h b/include/linux/thread_info.h index 8d8821b3689a..ab24fe2d3f87 100644 --- a/include/linux/thread_info.h +++ b/include/linux/thread_info.h @@ -109,6 +109,11 @@ static inline int arch_within_stack_frames(const void * const stack, #endif #ifdef CONFIG_HARDENED_USERCOPY +#include +#include + +DECLARE_STATIC_KEY_FALSE(bypass_usercopy_checks); + extern void __check_object_size(const void *ptr, unsigned long n, bool to_user); diff --git a/mm/usercopy.c b/mm/usercopy.c index e9e9325f7638..6a1265e1a54e 100644 --- a/mm/usercopy.c +++ b/mm/usercopy.c @@ -20,6 +20,8 @@ #include #include #include +#include +#include #include /* @@ -248,6 +250,9 @@ static inline void check_heap_object(const void *ptr, unsigned long n, */ void __check_object_size(const void *ptr, unsigned long n, bool to_user) { + if (static_branch_likely(&bypass_usercopy_checks)) + return; + /* Skip all tests if size is zero. */ if (!n) return; 
@@ -279,3 +284,25 @@ void __check_object_size(const void *ptr, unsigned long n, bool to_user) check_kernel_text_object((const unsigned long)ptr, n, to_user); } EXPORT_SYMBOL(__check_object_size); + +DEFINE_STATIC_KEY_FALSE(bypass_usercopy_checks); +EXPORT_SYMBOL(bypass_usercopy_checks); + +static bool disable_huc_atboot = false; + +static int __init parse_disable_usercopy(char *str) +{ + disable_huc_atboot = true; + return 1; +} + +static int __init set_disable_usercopy(void) +{ + if (disable_huc_atboot == true) + static_branch_enable(&bypass_usercopy_checks); + return 1; +} + +__setup("disable_hardened_usercopy", parse_disable_usercopy); + +late_initcall(set_disable_usercopy); -- 2.17.0
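
Review bot: the disable_hardened_usercopy entry added to Documentation/admin-guide/kernel-parameters.txt says only "Disable hardened usercopy checks" and does not state the default or what is given up. Suggest saying that the checks are on by default when CONFIG_HARDENED_USERCOPY is set and that passing the parameter turns off the object-size checks on copies to and from user space for the whole boot, so an administrator reading the list can weigh that against the performance gain. A positive parameter taking on/off would also avoid the double negative in the name.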
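
Review bot: DECLARE_STATIC_KEY_FALSE(bypass_usercopy_checks) in include/linux/thread_info.h, along with the two includes added there, exposes the key to every file that pulls in this header, yet the only reader in this patch is __check_object_size() in mm/usercopy.c. Now that the test has moved out of the inline wrapper, the key can be defined static in mm/usercopy.c; the declaration, the header includes and EXPORT_SYMBOL(bypass_usercopy_checks) can then be dropped, which also keeps modules from being able to flip the bypass.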
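
Review bot: static_branch_likely(&bypass_usercopy_checks) at the top of __check_object_size() hints that bypassing is the expected case, but the key is created with DEFINE_STATIC_KEY_FALSE and the changelog says the checks are enabled by default. static_branch_unlikely() matches that default and keeps the checking path as the straight-line code, with the early return as the out-of-line case.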
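
Review bot: set_disable_usercopy() in the last mm/usercopy.c hunk turns the checks off without emitting any message that says so; a pr_info() next to static_branch_enable(&bypass_usercopy_checks) would make the reduced protection visible to anyone auditing the boot log. The function is registered with late_initcall() and should return 0 on success rather than 1. Smaller points in the same hunk: "static bool disable_huc_atboot = false;" does not need the initializer and can be marked __initdata since it is only read from init code, and "if (disable_huc_atboot == true)" reads better as "if (disable_huc_atboot)".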