Received: by 2002:ac0:a5a6:0:0:0:0:0 with SMTP id m35-v6csp651363imm; Wed, 29 Aug 2018 08:48:48 -0700 (PDT) X-Google-Smtp-Source: ANB0VdYswE0CaZXxX4WDsVdAYh1X7ghhED+OqP61+5igME8Y96oc8k3FGmdxqXkHlarC1D8rFAUZ X-Received: by 2002:a63:f:: with SMTP id 15-v6mr6318420pga.430.1535557728577; Wed, 29 Aug 2018 08:48:48 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1535557728; cv=none; d=google.com; s=arc-20160816; b=m5NuZ84bJDoe4iQsJpw/1887qYcTccqtL8FJcEo0ePEVjax9Tvwpqpycpz1zsTlZyn mxYrQm5bN/7C2aTpGKYors63UEMqvdarrDsMdy6RWy2y2y8NYTJtxT9aMVK5xBazvK6a DUAl1JE54A+LMHokpf+UcZaeJPZVPco8DtE7lhCwoWQFQ5p0dpL3uKAEkAEcIzm6U7dD PwcQLx4cKLeqQUhvdlUTg2oOCgDy+COeq5x/JZqMVXCKhZelQ/ajv29lvNcwemGbZ5/b PcocGn8BXN+EjwJEu5LlP2L1n+7IChTNu6647zxGOSlvtZIdqlqzd5GAMH3OmWaDDshE w9Hw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:cc:to:subject:message-id:date:from :references:in-reply-to:mime-version:dkim-signature :arc-authentication-results; bh=hlAHuMJgf6Z/E2q21P25RtiVsYOHhMES8X5w+i13/TM=; b=sruJBYsXnLB2zIBFwFmFDi4eDsyTeqxN7tvtK4w6nbEWEuYiI4/0OEj9N9CqXEr/oV R7EFv4ISNwEiq11VnpyXPtcdqhJAfrLigTY1Chr/AqEM73h24ZDXIQaqwohxghbU/R6v XFWeQziuPjCCquc+9gyflc26vKKfv5KX2i4R5a5OpELQ4Owcco6e6AqD4u6C29VP4mSn fAlNn4YpWW3p06x1GYi5HnsHNI2UwP+oE5t5wZEMnDvtuBo8fiqkfZ3OnF8z063mKvgJ aBg3rNGQrOMFoH9ZoBVBznwtJNAqwLSlcQWmi1W966AXQeHVBXFmAsRxozunjRE3CtD1 xlZg== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=uzjhrb8B; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id l9-v6si3983443pgg.622.2018.08.29.08.48.32; Wed, 29 Aug 2018 08:48:48 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=uzjhrb8B; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1729204AbeH2Toa (ORCPT + 99 others); Wed, 29 Aug 2018 15:44:30 -0400 Received: from mail.kernel.org ([198.145.29.99]:40636 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1729154AbeH2Toa (ORCPT ); Wed, 29 Aug 2018 15:44:30 -0400 Received: from mail-wm0-f53.google.com (mail-wm0-f53.google.com [74.125.82.53]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id 2A87D206B5 for ; Wed, 29 Aug 2018 15:46:57 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1535557617; bh=zjf/EKoxje99OaOSNSksrP57Sa/nknvwGUwmDpHARXc=; h=In-Reply-To:References:From:Date:Subject:To:Cc:From; b=uzjhrb8BEvjFkfWSLr7vAMky2n7rrPHwQkmw3N2OBHS1alCdsguFqcc0AvkzdPsL5 ZtWjy5+LFYc+GJSmlGNUjMRxLT7OSbUKzBijDjgaSgo615n63D/eChHxKmtX6zsn0r sDrbb53hdX3NhhDMCHotyFtTnDjvaALTPTLNZZE4= Received: by mail-wm0-f53.google.com with SMTP id y139-v6so5727831wmc.2 for ; Wed, 29 Aug 2018 08:46:57 -0700 (PDT) X-Gm-Message-State: APzg51A7KEGNpi98LIrL3ylSIHevKU0WccFKTioBlTqRH3qSClmBY2ho QfKeWdnIiaWk52Ybtx1xbVQbTJaO88CRkLubjnJqSQ== X-Received: by 2002:a1c:8313:: with SMTP id f19-v6mr4387701wmd.144.1535557615692; Wed, 29 Aug 2018 08:46:55 -0700 (PDT) MIME-Version: 1.0 Received: by 2002:a1c:548:0:0:0:0:0 with HTTP; Wed, 29 Aug 2018 08:46:35 -0700 (PDT) In-Reply-To: <20180829081147.184610-3-namit@vmware.com> References: <20180829081147.184610-1-namit@vmware.com> <20180829081147.184610-3-namit@vmware.com> From: Andy Lutomirski Date: Wed, 29 Aug 2018 08:46:35 -0700 X-Gmail-Original-Message-ID: Message-ID: Subject: Re: [RFC PATCH 2/6] x86/mm: temporary mm struct To: Nadav Amit , Rik van Riel Cc: Thomas Gleixner , LKML , Ingo Molnar , X86 ML , Arnd Bergmann , linux-arch , Andy Lutomirski , Masami Hiramatsu , Kees Cook , Peter Zijlstra Content-Type: text/plain; charset="UTF-8" Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Rik, this is the patch I was referring to. On Wed, Aug 29, 2018 at 1:11 AM, Nadav Amit wrote: > From: Andy Lutomirski > > Sometimes we want to set a temporary page-table entries (PTEs) in one of > the cores, without allowing other cores to use - even speculatively - > these mappings. There are two benefits for doing so: > > (1) Security: if sensitive PTEs are set, temporary mm prevents their use > in other cores. This hardens the security as it prevents exploding a > dangling pointer to overwrite sensitive data using the sensitive PTE. > > (2) Avoiding TLB shootdowns: the PTEs do not need to be flushed in > remote page-tables. > > To do so a temporary mm_struct can be used. Mappings which are private > for this mm can be set in the userspace part of the address-space. > During the whole time in which the temporary mm is loaded, interrupts > must be disabled. > > The first use-case for temporary PTEs, which will follow, is for poking > the kernel text. > > [ Commit message was written by Nadav ] > > Cc: Andy Lutomirski > Cc: Masami Hiramatsu > Cc: Kees Cook > Cc: Peter Zijlstra > Signed-off-by: Nadav Amit > --- > arch/x86/include/asm/mmu_context.h | 20 ++++++++++++++++++++ > 1 file changed, 20 insertions(+) > > diff --git a/arch/x86/include/asm/mmu_context.h b/arch/x86/include/asm/mmu_context.h > index eeeb9289c764..96afc8c0cf15 100644 > --- a/arch/x86/include/asm/mmu_context.h > +++ b/arch/x86/include/asm/mmu_context.h > @@ -338,4 +338,24 @@ static inline unsigned long __get_current_cr3_fast(void) > return cr3; > } > > +typedef struct { > + struct mm_struct *prev; > +} temporary_mm_state_t; > + > +static inline temporary_mm_state_t use_temporary_mm(struct mm_struct *mm) > +{ > + temporary_mm_state_t state; > + > + lockdep_assert_irqs_disabled(); > + state.prev = this_cpu_read(cpu_tlbstate.loaded_mm); > + switch_mm_irqs_off(NULL, mm, current); > + return state; > +} > + > +static inline void unuse_temporary_mm(temporary_mm_state_t prev) > +{ > + lockdep_assert_irqs_disabled(); > + switch_mm_irqs_off(NULL, prev.prev, current); > +} > + > #endif /* _ASM_X86_MMU_CONTEXT_H */ > -- > 2.17.1 >