Received: by 2002:ac0:a581:0:0:0:0:0 with SMTP id m1-v6csp2192723imm; Sat, 30 Jun 2018 13:12:28 -0700 (PDT) X-Google-Smtp-Source: ADUXVKKgzCXlFishmoF8aEPNqwWej/sXyLmEpust7m0cuA69MsNBNNPDcLRPDEWqdFn/wyDPDcDi X-Received: by 2002:a17:902:bf43:: with SMTP id u3-v6mr19937931pls.322.1530389548932; Sat, 30 Jun 2018 13:12:28 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1530389548; cv=none; d=google.com; s=arc-20160816; b=gZDmbDDpvMFAF3g7VkhqdsqtfbkewWc+ajyrmWKhQ49NTDY8ttrf23QGqm46qzoV8H sOCYPLqtT2im0ndfmDlXgVYrqY/S/GWHj7oxHqkNC0IiFmOA3jdZ9MwanVwkf49kjeO7 r1WEQuu8qPg2cJ4S3EDHy8rDsJWyT9iRZ3+uQFXqZoGtmz1sVyJIRstJ/I9aipujM/U7 iZH/A+3wKVXd9ppdcrh3xEBnlPyDzHFKoOWiuom7ae7xUvDLgFS67m/4/1o+LZk7t8rS yCaCHa1dvHv3eBRcXfP3gIB3/mnxdDB5S+Ltxtr+7EUSpPOsol9ff1DeUBBcHjITSSqj FCCQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:cc:to:subject:message-id:date:from :references:in-reply-to:mime-version:dkim-signature:dkim-signature :arc-authentication-results; bh=WhTmf/HrkNxJM3n8J0v9jaJRX4CQolyAN5xNyiU23AQ=; b=PE5g8w6evACnH2TtNZE7oWvOVKJv9u5ujmDlEL8+3siwf+kDJXo8GwdtT9C47InDXH bqUwn02j2tTIcoQCMYwuZ09Mruj90cxMsY97pWP8TDr0XIYSPHuGn8H9+BaIMZH4/4Sy EnItuew72ARvhtL5vDs5O/VxK5GNeXcUUctsd13bRP28vCyC/PKQG5P4URSkmB8ErsRZ EalRxB+kbBSqbu/WF3gVXNn20d7OP4NOXyhqGjkeXOvACeAG3jJ9t6+Y2CxhSQ6zX6Or wS08fvMDNwtPWUdvyma1v6HPxgxeXmMHlGpJ7/5SOp8YzNDkPVXoHCUucdLB7Gv5C0yP reBg== ARC-Authentication-Results: i=1; mx.google.com; dkim=fail header.i=@google.com header.s=20161025 header.b=UMOgM0LA; dkim=fail header.i=@chromium.org header.s=google header.b=SGttwnyM; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=chromium.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id z2-v6si12443507pfz.241.2018.06.30.13.12.12; Sat, 30 Jun 2018 13:12:28 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=fail header.i=@google.com header.s=20161025 header.b=UMOgM0LA; dkim=fail header.i=@chromium.org header.s=google header.b=SGttwnyM; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=chromium.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1751556AbeF3ULd (ORCPT + 99 others); Sat, 30 Jun 2018 16:11:33 -0400 Received: from mail-yb0-f193.google.com ([209.85.213.193]:44906 "EHLO mail-yb0-f193.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751483AbeF3ULb (ORCPT ); Sat, 30 Jun 2018 16:11:31 -0400 Received: by mail-yb0-f193.google.com with SMTP id a2-v6so3776338ybe.11 for ; Sat, 30 Jun 2018 13:11:31 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:sender:in-reply-to:references:from:date:message-id :subject:to:cc; bh=WhTmf/HrkNxJM3n8J0v9jaJRX4CQolyAN5xNyiU23AQ=; b=UMOgM0LAInt7D1iksWolfxY5qTBThOEDoJtkuo02RMxPsfurRLqBIk++kJ4tofBPuR oY02mt6vvhJwEzUos3cUfmBGVTtxDE4BMHvEqPjqoPXbOWTk/+u2xRrRsNoA6xQSyy1o CVMYi3jqMKitMUvEtFEhMPhXRV+nRxb7KSk1DJpdJys74KHqRQCT0LmTnwOHPmGZV3BJ axgHJUr46zeL2Za1gqKt02+p1Q/2FeVKjXnYU4+alzWGBev7vW0Xf87Hzg0l8FextdJW IJ5SORnHjzKhbBlxORiYIamSTXy7Yud4Myt2HJyCpJD5gvtYIbK2xnydmMpxeYEb28RG 98+g== DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; h=mime-version:sender:in-reply-to:references:from:date:message-id :subject:to:cc; bh=WhTmf/HrkNxJM3n8J0v9jaJRX4CQolyAN5xNyiU23AQ=; b=SGttwnyM15ChXW31ycXDOn7KVKIrCu4LFZV2bL7ayPozfB95ob3Tj0Eu1uVyaysHnj vmrH4iLu/FxDIY8kDG2VLOSSvmGU2G+FMHnuRgH6lzY3X92Ha67WcFjaPdm146WaXhzR VnwKzM4iLvjTQ/xUq01d5P9vFC+r/2NL3V4Tk= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:sender:in-reply-to:references:from :date:message-id:subject:to:cc; bh=WhTmf/HrkNxJM3n8J0v9jaJRX4CQolyAN5xNyiU23AQ=; b=o3z8aB6+fnRgJA0O61avSyst+0ey2hd5PxQtUKdoQcasaEFEKZdWVIKTBsD+xaTVZh uDjtuT36UUYY52KDR1SrRjbC/efyfgDsrK3froYCSE4GQYT2L3nF638U8C5iTn7umiON Wis0qVgm910exV/g1uQRpxy4Apm+vTPOVu3UVjeaKweoxJuN1N9Z971Or2kxg4F5cHLw RV1NHpxbVV2HR/XxLvCOnTWXJTFhHww6j3ii41j1Uu5qG8V4J2nNqUR89PP8nQ+xaEGT Gv2ZtfF+6X6Ov72HPJdNxX8ep7aDD67o6Ak0gc5bnuFF5qZQaInET4RSovQiGPw3N+PS gRRg== X-Gm-Message-State: APt69E0XmA5x2xfn2Bhx/N8Mxbqm0dAAJh64I7wMNZx2Hc1OzB1lk2vx Ia3idOkvLnemmVUaa/gzO2Szgwes96BaCysG2AcD9g== X-Received: by 2002:a25:b219:: with SMTP id i25-v6mr10794685ybj.112.1530389490818; Sat, 30 Jun 2018 13:11:30 -0700 (PDT) MIME-Version: 1.0 Received: by 2002:a25:5f51:0:0:0:0:0 with HTTP; Sat, 30 Jun 2018 13:11:30 -0700 (PDT) In-Reply-To: <1530101255-13988-1-git-send-email-crecklin@redhat.com> References: <1530101255-13988-1-git-send-email-crecklin@redhat.com> From: Kees Cook Date: Sat, 30 Jun 2018 13:11:30 -0700 X-Google-Sender-Auth: UBU3nsZCqR_bncgpX6aNhR717ik Message-ID: Subject: Re: [PATCH v3] add param that allows bootline control of hardened usercopy To: Chris von Recklinghausen Cc: Laura Abbott , Paolo Abeni , LKML , Linux-MM , Kernel Hardening Content-Type: text/plain; charset="UTF-8" Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Wed, Jun 27, 2018 at 5:07 AM, Chris von Recklinghausen wrote: > Enabling HARDENED_USER_COPY causes measurable regressions in nit: HARDENED_USERCOPY > networking performance, up to 8% under UDP flood. > > I'm running an a small packet UDP flood using pktgen vs. a host b2b > connected. On the receiver side the UDP packets are processed by a > simple user space process that just reads and drops them: > > https://github.com/netoptimizer/network-testing/blob/master/src/udp_sink.c > > Not very useful from a functional PoV, but it helps to pin-point > bottlenecks in the networking stack. > > When running a kernel with CONFIG_HARDENED_USERCOPY=y, I see a 5-8% > regression in the receive tput, compared to the same kernel without > this option enabled. > > With CONFIG_HARDENED_USERCOPY=y, perf shows ~6% of CPU time spent > cumulatively in __check_object_size (~4%) and __virt_addr_valid (~2%). > > The call-chain is: > > __GI___libc_recvfrom > entry_SYSCALL_64_after_hwframe > do_syscall_64 > __x64_sys_recvfrom > __sys_recvfrom > inet_recvmsg > udp_recvmsg > __check_object_size > > udp_recvmsg() actually calls copy_to_iter() (inlined) and the latters > calls check_copy_size() (again, inlined). Thanks for including these details! > > A generic distro may want to enable HARDENED_USER_COPY in their default same nit :) > kernel config, but at the same time, such distro may want to be able to > avoid the performance penalties in with the default configuration and > disable the stricter check on a per-boot basis. > > This change adds a boot parameter that conditionally disables > HARDENED_USERCOPY at boot time. > > v2->v3: > add benchmark details to commit comments > Don't add new item to Documentation/admin-guide/kernel-parameters.rst > rename boot param to "hardened_usercopy=" > update description in Documentation/admin-guide/kernel-parameters.txt > static_branch_likely -> static_branch_unlikely > add __ro_after_init versions of DEFINE_STATIC_KEY_FALSE, > DEFINE_STATIC_KEY_TRUE > disable_huc_atboot -> enable_checks (strtobool "on" == true) > > v1->v2: > remove CONFIG_HUC_DEFAULT_OFF > default is now enabled, boot param disables > move check to __check_object_size so as to not break optimization of > __builtin_constant_p() > include linux/atomic.h before linux/jump_label.h > > Signed-off-by: Chris von Recklinghausen > --- > .../admin-guide/kernel-parameters.txt | 11 ++++++++ > include/linux/jump_label.h | 6 +++++ > include/linux/thread_info.h | 5 ++++ > mm/usercopy.c | 26 +++++++++++++++++++ > 4 files changed, 48 insertions(+) > > diff --git a/Documentation/admin-guide/kernel-parameters.txt b/Documentation/admin-guide/kernel-parameters.txt > index efc7aa7a0670..560d4dc66f02 100644 > --- a/Documentation/admin-guide/kernel-parameters.txt > +++ b/Documentation/admin-guide/kernel-parameters.txt > @@ -816,6 +816,17 @@ > disable= [IPV6] > See Documentation/networking/ipv6.txt. > > + hardened_usercopy= > + [KNL] Under CONFIG_HARDENED_USERCOPY, whether > + hardening is enabled for this boot. Hardened > + usercopy checking is used to protect the kernel > + from reading or writing beyond known memory > + allocation boundaries as a proactive defense > + against bounds-checking flaws in the kernel's > + copy_to_user()/copy_from_user() interface. > + on Perform hardened usercopy checks (default). > + off Disable hardened usercopy checks. > + > disable_radix [PPC] > Disable RADIX MMU mode on POWER9 > > diff --git a/include/linux/jump_label.h b/include/linux/jump_label.h > index b46b541c67c4..1a0b6f17a5d6 100644 > --- a/include/linux/jump_label.h > +++ b/include/linux/jump_label.h > @@ -299,12 +299,18 @@ struct static_key_false { > #define DEFINE_STATIC_KEY_TRUE(name) \ > struct static_key_true name = STATIC_KEY_TRUE_INIT > > +#define DEFINE_STATIC_KEY_TRUE_RO(name) \ > + struct static_key_true name __ro_after_init = STATIC_KEY_TRUE_INIT > + > #define DECLARE_STATIC_KEY_TRUE(name) \ > extern struct static_key_true name > > #define DEFINE_STATIC_KEY_FALSE(name) \ > struct static_key_false name = STATIC_KEY_FALSE_INIT > > +#define DEFINE_STATIC_KEY_FALSE_RO(name) \ > + struct static_key_false name __ro_after_init = STATIC_KEY_FALSE_INIT > + > #define DECLARE_STATIC_KEY_FALSE(name) \ > extern struct static_key_false name > > diff --git a/include/linux/thread_info.h b/include/linux/thread_info.h > index 8d8821b3689a..ab24fe2d3f87 100644 > --- a/include/linux/thread_info.h > +++ b/include/linux/thread_info.h > @@ -109,6 +109,11 @@ static inline int arch_within_stack_frames(const void * const stack, > #endif > > #ifdef CONFIG_HARDENED_USERCOPY > +#include > +#include > + > +DECLARE_STATIC_KEY_FALSE(bypass_usercopy_checks); > + This isn't needed any more since bypass_usercopy_checks is internal to __check_object_size() now. > extern void __check_object_size(const void *ptr, unsigned long n, > bool to_user); > > diff --git a/mm/usercopy.c b/mm/usercopy.c > index e9e9325f7638..39f8b1409618 100644 > --- a/mm/usercopy.c > +++ b/mm/usercopy.c > @@ -20,6 +20,8 @@ > #include > #include > #include > +#include > +#include > #include > > /* > @@ -248,6 +250,9 @@ static inline void check_heap_object(const void *ptr, unsigned long n, > */ > void __check_object_size(const void *ptr, unsigned long n, bool to_user) > { > + if (static_branch_unlikely(&bypass_usercopy_checks)) > + return; > + > /* Skip all tests if size is zero. */ > if (!n) > return; > @@ -279,3 +284,24 @@ void __check_object_size(const void *ptr, unsigned long n, bool to_user) > check_kernel_text_object((const unsigned long)ptr, n, to_user); > } > EXPORT_SYMBOL(__check_object_size); > + > +DEFINE_STATIC_KEY_FALSE_RO(bypass_usercopy_checks); This can be static. > +EXPORT_SYMBOL(bypass_usercopy_checks); No longer needs to be exported. > + > +static bool enable_checks __initdata = true; > + > +static int __init parse_hardened_usercopy(char *str) > +{ > + return strtobool(str, &enable_checks); > +} > + > +__setup("hardened_usercopy=", parse_hardened_usercopy); > + > +static int __init set_hardened_usercopy(void) > +{ > + if (enable_checks == false) > + static_branch_enable(&bypass_usercopy_checks); > + return 1; > +} > + > +late_initcall(set_hardened_usercopy); Otherwise, yeah, this looks good if the copy_from_iter() path can't be improved. -Kees -- Kees Cook Pixel Security