Received: by 2002:ad5:474a:0:0:0:0:0 with SMTP id i10csp2410274imu; Wed, 21 Nov 2018 11:10:41 -0800 (PST) X-Google-Smtp-Source: AFSGD/UfCnkwN11zlK0OzVuVeUZNG1R6Zp7AINrxhngC18V4qGqSgcSfIuoY784szu8QcwEMn7Ox X-Received: by 2002:a63:64c:: with SMTP id 73mr7041668pgg.373.1542827441096; Wed, 21 Nov 2018 11:10:41 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1542827441; cv=none; d=google.com; s=arc-20160816; b=mg4b/qo7hfthidbqY9Y8A+rFkbhftcevehLclvXqPClXgKBiT1XDbdCdCvHxvwgsPy FarOblhE/dfn9e547Tu7W3AkP8VCGdMilBCivr+a3oSf/BN4WV69U2gAVxsYcrZgRL6j JCa0WD2CVAEqOaKJR8xIGZ+QyGHIbw/GDBhRQ5x0n1tsMO325el9acGWZkJwOuHmXugj HiFfm6G9elqsBxhFpb20SH+Ui4JkqDXjHhmmWaOSxPAfOqYPX2+aOOZxIGy926aIz2ed weETioELB0vpbH/9oxHO6V9xWNSv/XoAQEYM8sPxZGmuDLgr91fjf0RnN1ZMp/2G+bNO 2Olg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:to:references:message-id :content-transfer-encoding:cc:date:in-reply-to:from:subject :mime-version:dkim-signature; bh=IaBTxksEkaU0YRi0Qg1Tj0SlP1yQnbMietLP1eUgU58=; b=Bjh+DSjnBvjVU4y2Z7sXf1VUyopDNBOEVIsWmrWqqH+2fHw6KJg7VcrAUY4GSP1ZZ2 cxCDyPKXi2XhxOzkCJOsvjm+zIBFtReGhfL152AsHsWdI+ULCcAQX1irc6kxncxP15n8 oItQziaJTawS9v0D3Pfv6a7rtyDJ+m8CBqapC4tkvJdL7MEcrxJfh+cIUUhCYe/m0LCC 008kY2z3Wfe31Uib9inkwRQlmVY54X+3hwO81kvAU9ok2skOJlZ3awe9BYwruscJH0X8 P47inOb6sRs+jo/3brly2fO1gGE4Tg8fe3z6sfHPoAeesFLJ8w8ev0lj8h2SXUTB+gxh d9VQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@gmail.com header.s=20161025 header.b=qv27V1nH; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id c32si6655208plj.38.2018.11.21.11.10.25; Wed, 21 Nov 2018 11:10:41 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@gmail.com header.s=20161025 header.b=qv27V1nH; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1732300AbeKVELt (ORCPT + 99 others); Wed, 21 Nov 2018 23:11:49 -0500 Received: from mail-pl1-f196.google.com ([209.85.214.196]:32811 "EHLO mail-pl1-f196.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1730480AbeKVELt (ORCPT ); Wed, 21 Nov 2018 23:11:49 -0500 Received: by mail-pl1-f196.google.com with SMTP id z23so6489897plo.0; Wed, 21 Nov 2018 09:36:30 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=IaBTxksEkaU0YRi0Qg1Tj0SlP1yQnbMietLP1eUgU58=; b=qv27V1nHJ8pj5Fp3OI5Ny4Bmd8Rq7yWTlaJD2C4PDCjZJRGhpUxnOgwxQl8y29ugnR MK0a2f9m09jsCk61dpPqpDC02t4BLzN/xfkfONTspZltlgjK11xXTG0VVZ0Ldyf46B42 CZk60zO4fXa8JM9xMiQ2HB0QZuTFeaOL55WRWY8TkgKDR+5XcTo5L+y1zeSkefs+huYa Gm9mZERU24tcD4o/zXUkY5byDjrLnl0KOp4hSqmfsRQGV7umG7qWFQsL5cEompOodn+c fLxnvpVlKeAulPN9LzUTZ6EvNiK/TWkNNk9qYbP8DcAN1da6mbgx+vnAF9N+hwN61NFB kZRg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=IaBTxksEkaU0YRi0Qg1Tj0SlP1yQnbMietLP1eUgU58=; b=nwMkgtrfiWk8VyUh8o1nd/WeqJSlXKEcGxQj6ctMizR4rorJtmn2qw81MCXZypRnpJ uSe9rb+tSfARgH8Gu3MP2Bb3Gc01sgyFVHelgb9D62PH/g/otRJj5msjEkCm19ZUS+xc Rn/q40dENCpDRGQhelauAlcOBcwlj0ISMstdRiQe8+hh1OvXcxdVunDzfi2Fy/cqpY9H Cd7m2+LDdEM3MhGqrLOYZBDZMW/im0H9uHm5DpOEsspiUHiZl6YtRSv6hWYRzB6qRv/U xbDjUVgKfPPkmOe8drPdrx6ricy0rU5UYazt1YtGRURkFxEocAVcCsiJyuX8zyDgYF+0 tXXg== X-Gm-Message-State: AGRZ1gKBb8CICuNbfMmjMiGJgBHk3sMqNWUUoXcEuy6q0dpqBEpuauKi bRMAmSvrAV0xw+yR0TBSy7U= X-Received: by 2002:a62:37c7:: with SMTP id e190-v6mr7612388pfa.145.1542821789785; Wed, 21 Nov 2018 09:36:29 -0800 (PST) Received: from [10.33.114.204] ([66.170.99.1]) by smtp.gmail.com with ESMTPSA id l63-v6sm49264741pfb.75.2018.11.21.09.36.28 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Wed, 21 Nov 2018 09:36:29 -0800 (PST) Content-Type: text/plain; charset=utf-8 Mime-Version: 1.0 (Mac OS X Mail 12.1 \(3445.101.1\)) Subject: Re: [PATCH 10/17] prmem: documentation From: Nadav Amit In-Reply-To: <1166e55c-0c06-195c-a501-383b4055ea46@gmail.com> Date: Wed, 21 Nov 2018 09:36:27 -0800 Cc: Andy Lutomirski , Igor Stoppa , Kees Cook , Peter Zijlstra , Mimi Zohar , Matthew Wilcox , Dave Chinner , James Morris , Michal Hocko , Kernel Hardening , linux-integrity , LSM List , Dave Hansen , Jonathan Corbet , Laura Abbott , Randy Dunlap , Mike Rapoport , "open list:DOCUMENTATION" , LKML , Thomas Gleixner Content-Transfer-Encoding: quoted-printable Message-Id: <03E199F6-FD90-4B88-838E-C3702F982F78@gmail.com> References: <20181023213504.28905-1-igor.stoppa@huawei.com> <20181023213504.28905-11-igor.stoppa@huawei.com> <20181026092609.GB3159@worktop.c.hoisthospitality.com> <20181028183126.GB744@hirez.programming.kicks-ass.net> <40cd77ce-f234-3213-f3cb-0c3137c5e201@gmail.com> <20181030152641.GE8177@hirez.programming.kicks-ass.net> <0A7AFB50-9ADE-4E12-B541-EC7839223B65@amacapital.net> <6f60afc9-0fed-7f95-a11a-9a2eef33094c@gmail.com> <386C0CB1-C4B1-43E2-A754-DA8DBE4FB3CB@gmail.com> <9373ccf0-f51b-4bfa-2b16-e03ebf3c670d@huawei.com> <2e52e103-15d0-0c26-275f-894dfd07e8ec@huawei.com> <1166e55c-0c06-195c-a501-383b4055ea46@gmail.com> To: Igor Stoppa X-Mailer: Apple Mail (2.3445.101.1) Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org > On Nov 21, 2018, at 8:34 AM, Igor Stoppa = wrote: >=20 > Hi, >=20 > On 13/11/2018 20:36, Andy Lutomirski wrote: >> On Tue, Nov 13, 2018 at 10:33 AM Igor Stoppa = wrote: >>> I forgot one sentence :-( >>>=20 >>> On 13/11/2018 20:31, Igor Stoppa wrote: >>>> On 13/11/2018 19:47, Andy Lutomirski wrote: >>>>=20 >>>>> For general rare-writish stuff, I don't think we want IRQs running >>>>> with them mapped anywhere for write. For AVC and IMA, I'm less = sure. >>>>=20 >>>> Why would these be less sensitive? >>>>=20 >>>> But I see a big difference between my initial implementation and = this one. >>>>=20 >>>> In my case, by using a shared mapping, visible to all cores, = freezing >>>> the core that is performing the write would have exposed the = writable >>>> mapping to a potential attack run from another core. >>>>=20 >>>> If the mapping is private to the core performing the write, even if = it >>>> is frozen, it's much harder to figure out what it had mapped and = where, >>>> from another core. >>>>=20 >>>> To access that mapping, the attack should be performed from the = ISR, I >>>> think. >>>=20 >>> Unless the secondary mapping is also available to other cores, = through >>> the shared mm_struct ? >> I don't think this matters much. The other cores will only be able = to >> use that mapping when they're doing a rare write. >=20 >=20 > I'm still mulling over this. > There might be other reasons for replicating the mm_struct. >=20 > If I understand correctly how the text patching works, it happens = sequentially, because of the text_mutex used by = arch_jump_label_transform >=20 > Which might be fine for this specific case, but I think I shouldn't = introduce a global mutex, when it comes to data. > Most likely, if two or more cores want to perform a write rare = operation, there is no correlation between them, they could proceed in = parallel. And if there really is, then the user of the API should = introduce own locking, for that specific case. I think that if you create per-CPU temporary mms as you proposed, you do = not need a global lock. You would need to protect against module unloading, = and maybe refactor the code. Specifically, I=E2=80=99m not sure whether = protection against IRQs is something that you need. I=E2=80=99m also not familiar = with this patch-set so I=E2=80=99m not sure what atomicity guarantees do you need. > A bit unrelated question, related to text patching: I see that each = patching operation is validated, but wouldn't it be more robust to first = validate all of then, and only after they are all found to be = compliant, to proceed with the actual modifications? >=20 > And about the actual implementation of the write rare for the = statically allocated variables, is it expected that I use Nadav's = function? It=E2=80=99s not =E2=80=9Cmy=E2=80=9D function. ;-) IMHO the code is in relatively good and stable state. The last couple of versions were due to me being afraid to add BUG_ONs as Peter asked me = to. The code is rather simple, but there are a couple of pitfalls that = hopefully I avoided correctly. Regards, Nadav=