Received: by 2002:ad5:474a:0:0:0:0:0 with SMTP id i10csp5663018imu; Tue, 13 Nov 2018 09:48:26 -0800 (PST) X-Google-Smtp-Source: AJdET5fsyLtAhER8lsjvOiuCLkClZZXvzaPxoCD5ZWCdfPx5ApY5VitIu4mgb90vGnsv0lAPyieO X-Received: by 2002:a63:e302:: with SMTP id f2mr5666789pgh.320.1542131306112; Tue, 13 Nov 2018 09:48:26 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1542131306; cv=none; d=google.com; s=arc-20160816; b=dKr9H9HLiN9O/iV9PXtqt0uLDmJfCnFlLJg+sd/6wGIxPH6U/XZuTdI6Ujbh3mTnel XjlfSuQEHiTp8HMSkVzct2Shqo0EtyXJEmgVUTrZNDz+FcM4ldSQBVmXZk/rhrmOvGGZ o9S4EV3N8mM00hGfiLHvdWLl8QWv39SnHELr6I1k3SfoYZDqAsbHdNS21t/Z1tm9275D iVwTO+Z5Yf5hL0m/H5T/YUtS0IMIr4vDS9yVeQZ9Ih3xvjQdZVi3xbMzVpWpnjPkT0d7 jnpsq5/swZUdkjj2gLTMVq+PqBPEo9MrR5MPw1DzWz+v96xRV0MOmYK0f0ir7TUvsSQy WBjA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding:cc:to:subject :message-id:date:from:in-reply-to:references:mime-version :dkim-signature; bh=f7n/XQvhSDnEsGaJKW58jdkk2D4ym9hJknP2qcsIFCE=; b=DLO9xFd1RSvMED9WiaM9qSm47crzLkTVB1W1CUtD7eKgOTl+PORFVHr375GjhtZBGL OiwmkeHFN9qC3A1MNPlR+EgIXws0VMHPyYRM5K+BNCNEKMjQPi2edhxBS4sAdSrbR/fx PlBUhd5iC0t6TmjN0CuMw3hLwxV1CYUUGcd/03jk4aqEfFo8TyiELcDSOYZEnBbODPf1 4y3r3r1kMFXNWPLdL+Y1cttzfyy3fw9PZ9I2cApls4+y2LkaRNqZAFykf1z1Z/LQbJRG /vOQkaMYxc5wqdjD+U8/NlhMu59e9JjTcPIOr6ECZwPfrdZvZKIy+Qy6A/tqF4woLfay WZXA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@amacapital-net.20150623.gappssmtp.com header.s=20150623 header.b=WNZPZ7no; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id j10-v6si3927690plg.20.2018.11.13.09.48.06; Tue, 13 Nov 2018 09:48:26 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@amacapital-net.20150623.gappssmtp.com header.s=20150623 header.b=WNZPZ7no; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1732124AbeKNDqi (ORCPT + 99 others); Tue, 13 Nov 2018 22:46:38 -0500 Received: from mail-wr1-f68.google.com ([209.85.221.68]:42851 "EHLO mail-wr1-f68.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1730995AbeKNDqi (ORCPT ); Tue, 13 Nov 2018 22:46:38 -0500 Received: by mail-wr1-f68.google.com with SMTP id u5-v6so9033505wrn.9 for ; Tue, 13 Nov 2018 09:47:29 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=amacapital-net.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc:content-transfer-encoding; bh=f7n/XQvhSDnEsGaJKW58jdkk2D4ym9hJknP2qcsIFCE=; b=WNZPZ7noieoN3d0Wj73z1nQxycNboSxy+hdQGYFyESEX7p4GHseoecy5EPqHedLZ10 f/cTFcmQSPB8WoHUTUQRxtKCyO5QgVUb6ME1d29PaoHwjd8Bwvt9g0XXQ/Ol0eN2IVz7 bpKDPa4uaWoAWxq/qKiALKrzBloS2uZfIh0ymHWEKJMIybjy8q58kxd4Rd+UhpKJMXGO O5enADVsodN6UPRnvyRz0S6paG9fK0k+RK1cjFVnZQQnbybgwtjUsRMInqDxf98v5G5F qAnkucn/N49UTVtv20dMwOf4yfKrVyhXvP/+zAFKm+qrw6o7MjvOb1iJ4lWpR0cxY3wG f6nA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc:content-transfer-encoding; bh=f7n/XQvhSDnEsGaJKW58jdkk2D4ym9hJknP2qcsIFCE=; b=gME7t93FFBOTc/5+8JIHotCjGkkbP1F38mzCmnmyq7DVl+P3nbM2PJCxxt6pNI6r+7 eSGwtepebXwGzEgl26/xuKU6fvmFSJVfP1AAE3m0FoR+NfkURKLZNE1tQQai22vQGvhV HtbmLgNpt/UfJ1EklceKK/a7Sj0Vig8sgHC7AFzkNekYZ9M8EXtSR5RWUA0v22C8iV50 YLNnYnImL36OYpJRmB77RKoj17O/kumOE4HEtls/baVtzDUR8Jb7Ot7EttFqa8Mz0ZTA LhZdNxlC6M+Krt8gXvr1GNxWmm3+vow7hAX0PNo9eJmWdushPrxCbwXPAfOjQwIxlX03 Nd5A== X-Gm-Message-State: AGRZ1gI25Orb5ykPR6wOxa6mym0qWmwgvd1mLBVQkvEAAAs03ikv2/dl Zgf0TweSif4sae93puGOiJxjVunZARornSG4k01tGQ== X-Received: by 2002:adf:9d4a:: with SMTP id o10-v6mr6056301wre.94.1542131248499; Tue, 13 Nov 2018 09:47:28 -0800 (PST) MIME-Version: 1.0 References: <20181023213504.28905-1-igor.stoppa@huawei.com> <20181023213504.28905-11-igor.stoppa@huawei.com> <20181026092609.GB3159@worktop.c.hoisthospitality.com> <20181028183126.GB744@hirez.programming.kicks-ass.net> <40cd77ce-f234-3213-f3cb-0c3137c5e201@gmail.com> <20181030152641.GE8177@hirez.programming.kicks-ass.net> <0A7AFB50-9ADE-4E12-B541-EC7839223B65@amacapital.net> <6f60afc9-0fed-7f95-a11a-9a2eef33094c@gmail.com> <386C0CB1-C4B1-43E2-A754-DA8DBE4FB3CB@gmail.com> In-Reply-To: <386C0CB1-C4B1-43E2-A754-DA8DBE4FB3CB@gmail.com> From: Andy Lutomirski Date: Tue, 13 Nov 2018 09:47:16 -0800 Message-ID: Subject: Re: [PATCH 10/17] prmem: documentation To: Nadav Amit Cc: Igor Stoppa , Kees Cook , Peter Zijlstra , Mimi Zohar , Matthew Wilcox , Dave Chinner , James Morris , Michal Hocko , Kernel Hardening , linux-integrity , LSM List , Igor Stoppa , Dave Hansen , Jonathan Corbet , Laura Abbott , Randy Dunlap , Mike Rapoport , "open list:DOCUMENTATION" , LKML , Thomas Gleixner Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Tue, Nov 13, 2018 at 9:43 AM Nadav Amit wrote: > > From: Andy Lutomirski > Sent: November 13, 2018 at 5:16:09 PM GMT > > To: Igor Stoppa > > Cc: Kees Cook , Peter Zijlstra , Nadav Amit , Mimi Zohar , Matthew Wilcox , Dave Chinner , James Morris , Michal Hocko , Ke= rnel Hardening , linux-integrity , LSM List , Igor Stoppa , Dave Hansen , Jonathan Corbet , Laura Abbott , Randy Dunlap , Mike Rapoport , open list:DOCUMENTATION , LKML , Thomas Gleixner > > Subject: Re: [PATCH 10/17] prmem: documentation > > > > > > On Tue, Nov 13, 2018 at 6:25 AM Igor Stoppa wro= te: > >> Hello, > >> I've been studying v4 of the patch-set [1] that Nadav has been working= on. > >> Incidentally, I think it would be useful to cc also the > >> security/hardening ml. > >> The patch-set seems to be close to final, so I am resuming this discus= sion. > >> > >> On 30/10/2018 19:06, Andy Lutomirski wrote: > >> > >>> I support the addition of a rare-write mechanism to the upstream kern= el. And I think that there is only one sane way to implement it: using an = mm_struct. That mm_struct, just like any sane mm_struct, should only differ= from init_mm in that it has extra mappings in the *user* region. > >> > >> After reading the code, I see what you meant. > >> I think I can work with it. > >> > >> But I have a couple of questions wrt the use of this mechanism, in the > >> context of write rare. > >> > >> > >> 1) mm_struct. > >> > >> Iiuc, the purpose of the patchset is mostly (only?) to patch kernel co= de > >> (live patch?), which seems to happen sequentially and in a relatively > >> standardized way, like replacing the NOPs specifically placed in the > >> functions that need patching. > >> > >> This is a bit different from the more generic write-rare case, applied > >> to data. > >> > >> As example, I have in mind a system where both IMA and SELinux are in = use. > >> > >> In this system, a file is accessed for the first time. > >> > >> That would trigger 2 things: > >> - evaluation of the SELinux rules and probably update of the AVC cache > >> - IMA measurement and update of the measurements > >> > >> Both of them could be write protected, meaning that they would both ha= ve > >> to be modified through the write rare mechanism. > >> > >> While the events, for 1 specific file, would be sequential, it's not > >> difficult to imagine that multiple files could be accessed at the same= time. > >> > >> If the update of the data structures in both IMA and SELinux must use > >> the same mm_struct, that would have to be somehow regulated and it wou= ld > >> introduce an unnecessary (imho) dependency. > >> > >> How about having one mm_struct for each writer (core or thread)? > > > > I don't think that helps anything. I think the mm_struct used for > > prmem (or rare_write or whatever you want to call it) should be > > entirely abstracted away by an appropriate API, so neither SELinux nor > > IMA need to be aware that there's an mm_struct involved. It's also > > entirely possible that some architectures won't even use an mm_struct > > behind the scenes -- x86, for example, could have avoided it if there > > were a kernel equivalent of PKRU. Sadly, there isn't. > > > >> 2) Iiuc, the purpose of the 2 pages being remapped is that the target = of > >> the patch might spill across the page boundary, however if I deal with > >> the modification of generic data, I shouldn't (shouldn't I?) assume th= at > >> the data will not span across multiple pages. > > > > The reason for the particular architecture of text_poke() is to avoid > > memory allocation to get it working. i think that prmem/rare_write > > should have each rare-writable kernel address map to a unique user > > address, possibly just by offsetting everything by a constant. For > > rare_write, you don't actually need it to work as such until fairly > > late in boot, since the rare_writable data will just be writable early > > on. > > > >> If the data spans across multiple pages, in unknown amount, I suppose > >> that I should not keep interrupts disabled for an unknown time, as it > >> would hurt preemption. > >> > >> What I thought, in my initial patch-set, was to iterate over each page > >> that must be written to, in a loop, re-enabling interrupts in-between > >> iterations, to give pending interrupts a chance to be served. > >> > >> This would mean that the data being written to would not be consistent= , > >> but it's a problem that would have to be addressed anyways, since it c= an > >> be still read by other cores, while the write is ongoing. > > > > This probably makes sense, except that enabling and disabling > > interrupts means you also need to restore the original mm_struct (most > > likely), which is slow. I don't think there's a generic way to check > > whether in interrupt is pending without turning interrupts on. > > I guess that enabling IRQs might break some hidden assumptions in the cod= e, > but is there a fundamental reason that IRQs need to be disabled? use_mm() > got them enabled, although it is only suitable for kernel threads. > For general rare-writish stuff, I don't think we want IRQs running with them mapped anywhere for write. For AVC and IMA, I'm less sure. --Andy