Received: by 2002:ac0:aa62:0:0:0:0:0 with SMTP id w31-v6csp610178ima;
        Fri, 26 Oct 2018 03:53:11 -0700 (PDT)
X-Google-Smtp-Source: AJdET5euszoSI+ccFmNI6z15VUJm3Uu2BSxBI3SLOFg48fSLro2neZce/O1TaX90nx75ckimwhlF
X-Received: by 2002:a63:d849:: with SMTP id k9-v6mr2952067pgj.200.1540551190989;
        Fri, 26 Oct 2018 03:53:10 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1540551190; cv=none;
        d=google.com; s=arc-20160816;
        b=bHUV4a3EBePy3zmgtNTwUtN9b4K8eJMyng8NGMm96BtaXwXD5Rvd0jmAGmnoonQuaP
         yxAReq8f2U3fpHSf8XF1khZJ2nCcyLG/6uhfdY6c17FUT6P3g0BF4eG0290TY6qEQoSi
         hRMD5gZk29Vf4WFjvUeikcl6+f65ZXh0vxyFB413y8ioIG8FesLE2p/fvfJPvf6K7Kpp
         oXUVbKBH8uHZWwm9vKj7IUxlS6vddJsz0ua/i74fpssxvvuG5YdfKty/L8UC2yhmKRt3
         g9GK/4N52gQ4lK53y8ufTF6hFISQYWRRsQR6kBYJyf2DecsFWxl6iBw7q7vqjJ8sUR3s
         z4/A==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:cc:to:subject:message-id:date:from
         :references:in-reply-to:mime-version:dkim-signature;
        bh=c/WqbMWHMcD/8iKow4AF4NNyb4XgPQah5Hm7QPT62b4=;
        b=JXyvzU0bXO/m++NoqVCXnKSkjwlD3zbDjMCp71alfNAOAkTTOhtpUdNdekz/23Qqc4
         cn6nNPg69De+32z5Nx1gbnM/yiLMABF9KT00g7/WfvHJuCWyODgyiLAL6rN2y5JSBPbb
         gLSsDKCKugTMD9x0ZiOarVXaN8H5n/40u3MHkN0jAmEX+UkdiCCC1HIKWogK+A1+mfis
         AKp6TUBzwZe2pT2CDkFntrIn7FwXaiirI6jAzNWrF6sOzITqiVsObfyzFvLHFskmCu+F
         +j/9hiZbJA6YW1Pn682laZ+AlVyTvopxorlhAIExPcjHEGFzpz4QJUTZ2AJx89rLxkjH
         ew1g==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@chromium.org header.s=google header.b=Fiwx4b64;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=chromium.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id t6-v6si10209777plq.275.2018.10.26.03.52.55;
        Fri, 26 Oct 2018 03:53:10 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@chromium.org header.s=google header.b=Fiwx4b64;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=chromium.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1727313AbeJZT3E (ORCPT <rfc822;chenhe.dev@gmail.com>
        + 99 others); Fri, 26 Oct 2018 15:29:04 -0400
Received: from mail-yb1-f196.google.com ([209.85.219.196]:40967 "EHLO
        mail-yb1-f196.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1726493AbeJZT3E (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Fri, 26 Oct 2018 15:29:04 -0400
Received: by mail-yb1-f196.google.com with SMTP id e16-v6so267171ybk.8
        for <linux-kernel@vger.kernel.org>; Fri, 26 Oct 2018 03:52:28 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=chromium.org; s=google;
        h=mime-version:in-reply-to:references:from:date:message-id:subject:to
         :cc;
        bh=c/WqbMWHMcD/8iKow4AF4NNyb4XgPQah5Hm7QPT62b4=;
        b=Fiwx4b64jA9UIjAnt67rUn29Okv8mTMVOXlacT/zJC0Fyc31MoUNJOmWONxOshbuXb
         f3wd3Rz2GsP+FCCCkRCA7Dz+krUmhdZ+CuiwtprfAFKcxKl6capY3iQ/TZcOSg5pHpGa
         hGLe1qRsPKYDAuDncrv5cScHAY3lJBmr8Id2I=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:mime-version:in-reply-to:references:from:date
         :message-id:subject:to:cc;
        bh=c/WqbMWHMcD/8iKow4AF4NNyb4XgPQah5Hm7QPT62b4=;
        b=dCdSE0E0mQWtbTDb4xSJqRTWTaUhKPSrPYd66BZvSwjbnfZJR2MwnYQ0CySILIDlmR
         nIZjygw1/TH1n2jurndbWaOIqdm6gipGtbJiwsHxn47EURNaHcNu93XrxInO7UEZjAFq
         +jnSO7S2ZtFgp+PJ0XzIr//nbwqGwCHXtWfryT+aoMHSoyrc8PIJeat0UGdrWUgol2Fs
         lPckGp0hXXpggEor2UPu6zYDX+Gz6LLIBs8GtjRl2kUZWm8toxUeK1deSysMBFP5HcqM
         Q8GKpsX27Uwhmki40Vv8w8rLD1lzZ2Njd7Wch6zuoBmhkfbrcsnedLfE/Az/X6xtSmQz
         D4Bw==
X-Gm-Message-State: AGRZ1gImL+82VazUaIYV65AxBvGNnMwdIDi00nEiANJbdpuH/yFGHmxq
        boom3Axzg8Df4vVZZczfCvUsY89TKZoSCQ==
X-Received: by 2002:a25:764d:: with SMTP id r74-v6mr2843712ybc.461.1540551146994;
        Fri, 26 Oct 2018 03:52:26 -0700 (PDT)
Received: from mail-yw1-f49.google.com (mail-yw1-f49.google.com. [209.85.161.49])
        by smtp.gmail.com with ESMTPSA id k85-v6sm2732794ywa.76.2018.10.26.03.52.26
        for <linux-kernel@vger.kernel.org>
        (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
        Fri, 26 Oct 2018 03:52:26 -0700 (PDT)
Received: by mail-yw1-f49.google.com with SMTP id j202-v6so253447ywa.13
        for <linux-kernel@vger.kernel.org>; Fri, 26 Oct 2018 03:52:26 -0700 (PDT)
X-Received: by 2002:a81:9b83:: with SMTP id s125-v6mr2804635ywg.47.1540550790136;
 Fri, 26 Oct 2018 03:46:30 -0700 (PDT)
MIME-Version: 1.0
Received: by 2002:a25:3990:0:0:0:0:0 with HTTP; Fri, 26 Oct 2018 03:46:28
 -0700 (PDT)
In-Reply-To: <20181026092609.GB3159@worktop.c.hoisthospitality.com>
References: <20181023213504.28905-1-igor.stoppa@huawei.com>
 <20181023213504.28905-11-igor.stoppa@huawei.com> <20181026092609.GB3159@worktop.c.hoisthospitality.com>
From:   Kees Cook <keescook@chromium.org>
Date:   Fri, 26 Oct 2018 11:46:28 +0100
X-Gmail-Original-Message-ID: <CAGXu5jKCs01jvtvpEFS7R8qCR-5iRqK11kJxLJY99NicGWc4aQ@mail.gmail.com>
Message-ID: <CAGXu5jKCs01jvtvpEFS7R8qCR-5iRqK11kJxLJY99NicGWc4aQ@mail.gmail.com>
Subject: Re: [PATCH 10/17] prmem: documentation
To:     Peter Zijlstra <peterz@infradead.org>
Cc:     Igor Stoppa <igor.stoppa@gmail.com>,
        Mimi Zohar <zohar@linux.vnet.ibm.com>,
        Matthew Wilcox <willy@infradead.org>,
        Dave Chinner <david@fromorbit.com>,
        James Morris <jmorris@namei.org>,
        Michal Hocko <mhocko@kernel.org>,
        Kernel Hardening <kernel-hardening@lists.openwall.com>,
        linux-integrity <linux-integrity@vger.kernel.org>,
        linux-security-module <linux-security-module@vger.kernel.org>,
        Igor Stoppa <igor.stoppa@huawei.com>,
        Dave Hansen <dave.hansen@linux.intel.com>,
        Jonathan Corbet <corbet@lwn.net>,
        Laura Abbott <labbott@redhat.com>,
        Randy Dunlap <rdunlap@infradead.org>,
        Mike Rapoport <rppt@linux.vnet.ibm.com>,
        "open list:DOCUMENTATION" <linux-doc@vger.kernel.org>,
        LKML <linux-kernel@vger.kernel.org>
Content-Type: text/plain; charset="UTF-8"
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Fri, Oct 26, 2018 at 10:26 AM, Peter Zijlstra <peterz@infradead.org> wrote:
> I still don't really understand the whole write-rare thing; how does it
> really help? If we can write in kernel memory, we can write to
> page-tables too.

I can speak to the general goal. The specific implementation here may
not fit all the needs, but it's a good starting point for discussion.

One aspect of hardening the kernel against attack is reducing the
internal attack surface. Not all flaws are created equal, so there is
variation in what limitations an attacker may have when exploiting
flaws (not many flaws end up being a fully controlled "write anything,
anywhere, at any time"). By making the more sensitive data structures
of the kernel read-only, we reduce the risk of an attacker finding a
path to manipulating the kernel's behavior in a significant way.

Examples of typical sensitive targets are function pointers, security
policy, and page tables. Having these "read only at rest" makes them
much harder to control by an attacker using memory integrity flaws. We
already have the .rodata section for "const" things. Those are
trivially read-only. For example there is a long history of making
sure that function pointer tables are marked "const". However, some
things need to stay writable. Some of those in .data aren't changed
after __init, so we added the __ro_after_init which made them
read-only for the life of the system after __init. However, we're
still left with a lot of sensitive structures either in .data or
dynamically allocated, that need a way to be made read-only for most
of the time, but get written to during very specific times.

The "write rarely" name itself may not sufficiently describe what is
wanted either (I'll take the blame for the inaccurate name), so I'm
open to new ideas there. The implementation requirements for the
"sensitive data read-only at rest" feature are rather tricky:

- allow writes only from specific places in the kernel
- keep those locations inline to avoid making them trivial ROP targets
- keep the writeability window open only to a single uninterruptable CPU
- fast enough to deal with page table updates

The proposal I made a while back only covered .data things (and used
x86-specific features). Igor's proposal builds on this by including a
way to do this with dynamic allocation too, which greatly expands the
scope of structures that can be protected. Given that the x86-only
method of write-window creation was firmly rejected, this is a new
proposal for how to do it (vmap window). Using switch_mm() has also
been suggested, etc.

We need to find a good way to do the write-windowing that works well
for static and dynamic structures _and_ for the page tables... this
continues to be tricky.

Making it resilient against ROP-style targets makes it difficult to
deal with certain data structures (like list manipulation). In my
earlier RFC, I tried to provide enough examples of where this could
get used to let people see some of the complexity[1]. Igor's series
expands this to even more examples using dynamic allocation.

[1] https://git.kernel.org/pub/scm/linux/kernel/git/kees/linux.git/log/?h=kspp/write-rarely

-- 
Kees Cook