From: Kees Cook
Date: Mon, 20 Aug 2018 15:18:20 -0700
Subject: Re: Redoing eXclusive Page Frame Ownership (XPFO) with isolated CPUs in mind (for KVM to isolate its guests per CPU)
To: "Woodhouse, David"
Cc: torvalds@linux-foundation.org, konrad.wilk@oracle.com, juerg.haefliger@hpe.com, deepa.srinivasan@oracle.com, jmattson@google.com, andrew.cooper3@citrix.com, linux-kernel@vger.kernel.org, boris.ostrovsky@oracle.com, linux-mm@kvack.org, tglx@linutronix.de, joao.m.martins@oracle.com, pradeep.vincent@oracle.com, ak@linux.intel.com, khalid.aziz@oracle.com, kanth.ghatraju@oracle.com, liran.alon@oracle.com, jsteckli@os.inf.tu-dresden.de, kernel-hardening@lists.openwall.com, chris.hyser@oracle.com, tyhicks@canonical.com, john.haxby@oracle.com, jcm@redhat.com
In-Reply-To: <1534801939.10027.24.camel@amazon.co.uk>
References: <20180820212556.GC2230@char.us.oracle.com> <1534801939.10027.24.camel@amazon.co.uk>
List: linux-kernel@vger.kernel.org

On Mon, Aug 20, 2018 at 2:52 PM, Woodhouse, David wrote:
> On Mon, 2018-08-20 at 14:48 -0700, Linus Torvalds wrote:
>>
>> Of course, after the long (and entirely unrelated) discussion about
>> the TLB flushing bug we had, I'm starting to worry about my own
>> competence, and maybe I'm missing something really fundamental, and
>> the XPFO patches do something else than what I think they do, or my
>> "hey, let's use our Meltdown code" idea has some fundamental weakness
>> that I'm missing.
>
> The interesting part is taking the user (and other) pages out of the
> kernel's 1:1 physmap.
>
> It's the *kernel* we don't want being able to access those pages,
> because of the multitude of unfixable cache load gadgets.

Right. And even before Meltdown, it was desirable to remove those from
the physmap to avoid SMAP (and in some cases SMEP) bypasses (as detailed
in the mentioned paper:
http://www.cs.columbia.edu/~vpk/papers/ret2dir.sec14.pdf).

-Kees

--
Kees Cook
Pixel Security
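The mechanism David and Kees are describing, a page-frame ownership model in which frames handed to user space lose their alias in the kernel's 1:1 physmap, as an added toy simulation in C. This is constructed example code written for this page; it is not kernel code and not any XPFO patch. The frame count, the shrunken page size, and the `xpfo_*`, `user_write` and `physmap_read` names are assumptions made for illustration. The point it shows is the defensive property both mails rely on: a kernel load through the physmap address of a user-owned frame faults unless the kernel has explicitly mapped that frame in first.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed toy model of XPFO-style frame ownership; not kernel code.
 * Every frame starts with a direct-map (physmap) alias. A frame given to
 * user space loses that alias, so a kernel dereference of its physmap
 * address faults unless the kernel maps it in first (kmap/kunmap). */

#define NFRAMES    8
#define FRAME_SIZE 16            /* page contents shrunk for the example */

enum owner { FRAME_FREE = 0, FRAME_KERNEL = 1, FRAME_USER = 2 };

struct frame {
    enum owner owner;
    bool in_physmap;             /* is the 1:1 kernel alias present? */
    unsigned kmap_count;         /* outstanding temporary kernel mappings */
    uint8_t data[FRAME_SIZE];
};

static struct frame frames[NFRAMES];

/* At boot all of RAM is in the physmap, as in a stock kernel. */
void xpfo_reset(void)
{
    memset(frames, 0, sizeof frames);
    for (int i = 0; i < NFRAMES; i++)
        frames[i].in_physmap = true;
}

/* Allocate a free frame; user-owned frames drop out of the physmap here. */
int xpfo_alloc(enum owner who)
{
    for (int i = 0; i < NFRAMES; i++) {
        if (frames[i].owner != FRAME_FREE)
            continue;
        frames[i].owner = who;
        frames[i].kmap_count = 0;
        frames[i].in_physmap = (who != FRAME_USER);
        return i;
    }
    return -1;                   /* out of frames */
}

/* Free a frame: scrub it and restore the physmap alias for the allocator. */
void xpfo_free(int pfn)
{
    memset(frames[pfn].data, 0, FRAME_SIZE);
    frames[pfn].owner = FRAME_FREE;
    frames[pfn].kmap_count = 0;
    frames[pfn].in_physmap = true;
}

/* Legitimate kernel access to user memory maps the frame in temporarily. */
void xpfo_kmap(int pfn)
{
    if (frames[pfn].owner == FRAME_USER && frames[pfn].kmap_count++ == 0)
        frames[pfn].in_physmap = true;
}

/* Drop the temporary mapping once the last user is gone. A real kernel
 * would also have to flush the stale translation on every CPU. */
void xpfo_kunmap(int pfn)
{
    if (frames[pfn].owner == FRAME_USER && frames[pfn].kmap_count > 0
        && --frames[pfn].kmap_count == 0)
        frames[pfn].in_physmap = false;
}

/* User space writes through its own, always-present mapping. */
void user_write(int pfn, unsigned off, uint8_t value)
{
    if (pfn >= 0 && pfn < NFRAMES && off < FRAME_SIZE)
        frames[pfn].data[off] = value;
}

/* Simulated kernel load through a frame's physmap address.
 * Returns the byte, or -1 for a page fault (no alias present). */
int physmap_read(int pfn, unsigned off)
{
    if (pfn < 0 || pfn >= NFRAMES || off >= FRAME_SIZE)
        return -1;
    if (!frames[pfn].in_physmap)
        return -1;
    return frames[pfn].data[off];
}

int main(void)
{
    xpfo_reset();
    int u = xpfo_alloc(FRAME_USER);
    user_write(u, 0, 0x41);
    printf("user frame via physmap, no kmap: %d\n", physmap_read(u, 0));
    xpfo_kmap(u);
    printf("after kmap:                      %d\n", physmap_read(u, 0));
    xpfo_kunmap(u);
    printf("after kunmap:                    %d\n", physmap_read(u, 0));
    return 0;
}
```

The model deliberately keeps the two halves of the mechanism separate: allocation and free decide whether a frame's physmap alias exists at all, and the kmap count only grants short-lived exceptions. That is what makes a direct-map read of user data fault by default, which is the property that blocks the ret2dir-style SMAP/SMEP bypass Kees mentions and removes the kernel-side targets for the cache-load gadgets David describes. The TLB flush noted in the `xpfo_kunmap` comment is the expensive part in a real kernel and is the reason the thread's subject talks about doing this per isolated CPU.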