From: Khalid Aziz
Organization: Oracle Corp
Subject: Re: Redoing eXclusive Page Frame Ownership (XPFO) with isolated CPUs in mind (for KVM to isolate its guests per CPU)
To: "Stecklina, Julian"
Cc: "juerg.haefliger@hpe.com", "deepa.srinivasan@oracle.com", "jmattson@google.com", "andrew.cooper3@citrix.com", "Woodhouse, David", "torvalds@linux-foundation.org", "linux-kernel@vger.kernel.org", "linux-mm@kvack.org", "boris.ostrovsky@oracle.com", "pradeep.vincent@oracle.com", "konrad.wilk@oracle.com", "tglx@linutronix.de", "kanth.ghatraju@oracle.com", "joao.m.martins@oracle.com", "liran.alon@oracle.com", "ak@linux.intel.com", "keescook@google.com", "kernel-hardening@lists.openwall.com", "chris.hyser@oracle.com", "tyhicks@canonical.com", "john.haxby@oracle.com", "jcm@redhat.com"
Date: Mon, 15 Oct 2018 02:07:17 -0600

On 09/24/2018 08:45 AM, Stecklina, Julian wrote:
> I didn't test the version with TLB flushes, because it's clear that the
> overhead is so bad that no one wants to use this.

I don't think we can ignore the vulnerability caused by not flushing stale TLB entries. On a mostly idle system, TLB entries hang around long enough to make it fairly easy to exploit this. I was able to use the additional test in the lkdtm module added by this patch series to successfully read pages unmapped from physmap by just waiting for the system to become idle. A rogue program can simply monitor system load and mount its attack using a ret2dir exploit when the system is mostly idle.

This brings us back to the prohibitive cost of TLB flushes. If we are unmapping a page from physmap every time the page is allocated to userspace, we are forced to incur the cost of TLB flushes in some way. The work Tycho was doing to implement Dave's suggestion can help here. Once Tycho has something working, I can measure overhead on my test machine. Tycho, I can help with your implementation if you need.

--
Khalid
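The trade-off described in the message above, as an added example that is not part of the original mail, the XPFO patch series or its lkdtm test: a toy user-space model of a direct-mapped TLB in front of physmap present bits, showing that an unmapped page stays reachable until its entry is evicted or flushed, and that closing the window costs one flush per unmap. All names, sizes and the eviction model are assumptions made for illustration.

```c
/* Toy model, constructed for illustration: not kernel code. */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#define NPAGES    8   /* pages reachable through the physmap alias */
#define TLB_SLOTS 4   /* direct-mapped TLB: slot = vpn % TLB_SLOTS */

struct cpu { int tlb[TLB_SLOTS]; unsigned long flushes; };
static bool present[NPAGES];            /* physmap page-table present bits */

static void tlb_flush(struct cpu *c) {
    memset(c->tlb, -1, sizeof c->tlb);  /* every slot becomes -1 (empty) */
    c->flushes++;
}

/* A TLB hit is served without re-reading the page table. */
static bool physmap_access(struct cpu *c, int vpn) {
    if (c->tlb[vpn % TLB_SLOTS] == vpn) return true;  /* hit, maybe stale */
    if (!present[vpn]) return false;                  /* miss, not present: fault */
    c->tlb[vpn % TLB_SLOTS] = vpn;                    /* miss: walk and fill */
    return true;
}

/* XPFO-style handover to userspace: clear the physmap entry, optionally flush. */
static void xpfo_unmap(struct cpu *c, int vpn, bool flush) {
    present[vpn] = false;
    if (flush) tlb_flush(c);
}

/* Per page: warm TLB, unmap, run `noise` unrelated accesses, retry; count leaks. */
static int leaked_pages(bool flush, int noise, unsigned long *flushes) {
    int leaked = 0;
    *flushes = 0;
    for (int p = 0; p < NPAGES; p++) {
        struct cpu c = { .flushes = 0 };
        memset(c.tlb, -1, sizeof c.tlb);
        for (int i = 0; i < NPAGES; i++) present[i] = true;
        physmap_access(&c, p);                        /* kernel touched the page */
        xpfo_unmap(&c, p, flush);
        for (int k = 1; k <= noise; k++) physmap_access(&c, (p + k) % NPAGES);
        leaked += physmap_access(&c, p);              /* still readable? */
        *flushes += c.flushes;
    }
    return leaked;
}
int main(void) {
    unsigned long f;
    int idle = leaked_pages(false, 0, &f), busy = leaked_pages(false, 4, &f);
    int safe = leaked_pages(true, 0, &f);
    printf("no flush: idle=%d busy=%d; flush: %d leaked, %lu flushes\n", idle, busy, safe, f);
    return 0;
}
```

In the model, `noise` stands in for system load: with no unrelated accesses the stale entry is never evicted, which is the idle-system case the message describes.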