Received: by 2002:ad5:474a:0:0:0:0:0 with SMTP id i10csp548227imu; Wed, 9 Jan 2019 02:13:52 -0800 (PST) X-Google-Smtp-Source: ALg8bN63VhznrMATJpBzY28Of5UG3KDDPL9Vp5aSB+Kd4Us7hmDUhqq/V6cLBPVRZ9AlEdmSH6WX X-Received: by 2002:a63:b30f:: with SMTP id i15mr4840766pgf.240.1547028832131; Wed, 09 Jan 2019 02:13:52 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1547028832; cv=none; d=google.com; s=arc-20160816; b=qaLOuiNk9oFBNXCqjlqrGaHIDHiFAxgABFMC4+zCoCd+Xhr2Z9cF1fcNU2IxnHBPmN 2nPSFA4xkT+ly6Z0/1lhHGmzWmu8FRyrbL0wSmtiePSBPXGgrcPuJELrSwpUbJbgQ0f9 9ygvUABomQYZEjlywrB39f+jJU7R3a20iSCA7D5yf6Rf5xVy5+2DO4uA2i9/TdTxBYA4 5mvdcZEOrpQ8YCWNoSExv4piyEOHxYHT0IZeulqmz9J6DD5Gbv6Q990kY8fmwuVDRq2K VeFvb3BMLmvvpo+HgVGhjpmChtlNALKK9DRwsnhR0lebWwyTDPZZVn19sbl/X9rVLJrz R3vg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:mime-version:user-agent:references :message-id:in-reply-to:subject:cc:to:from:date; bh=becW8LSxSgSTf/7rvTvE8x7OQV0VxXsSuGMisT955rE=; b=cBtbJNUR52d2pQOxLwTI9ygYICfhTkNmhkw8xtOOVIk0x46Ga1Bf5gFgWO2AiOUuqF WPaGAIsz90IOaQOd1mJiUCaIsZihYuAEMazujAh7/nILscJEEoB/b524fStdDJ2LwcMu b8xkCDQAdPWn7IrxYrIkc91Xfxp6MrnCCf02444JNgY45a3TdSsQYi5+llOKVzOz1E00 dd4E3Q0GxmjPWjVs6Xhcc4h0f7XqhWjoDtX4oe5I4axUf3qPe9IgYHi6Br3Pozah+cZ+ ysX2Jv72ZHdpIgxF3kqORddKb0MnKGV7jjcav+GIeEXyClE0q6IfuY6T/dKNi0z8LWdJ mUTA== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id p10si3417241pgi.549.2019.01.09.02.13.36; Wed, 09 Jan 2019 02:13:52 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1730181AbfAIKJA (ORCPT + 99 others); Wed, 9 Jan 2019 05:09:00 -0500 Received: from mx2.suse.de ([195.135.220.15]:42840 "EHLO mx1.suse.de" rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP id S1729603AbfAIKJA (ORCPT ); Wed, 9 Jan 2019 05:09:00 -0500 X-Virus-Scanned: by amavisd-new at test-mx.suse.de Received: from relay1.suse.de (unknown [195.135.220.254]) by mx1.suse.de (Postfix) with ESMTP id A306CAEEB; Wed, 9 Jan 2019 10:08:58 +0000 (UTC) Date: Wed, 9 Jan 2019 11:08:57 +0100 (CET) From: Jiri Kosina To: Dave Chinner cc: Linus Torvalds , Matthew Wilcox , Jann Horn , Andrew Morton , Greg KH , Peter Zijlstra , Michal Hocko , Linux-MM , kernel list , Linux API Subject: Re: [PATCH] mm/mincore: allow for making sys_mincore() privileged In-Reply-To: <20190109043906.GF27534@dastard> Message-ID: References: <20190106001138.GW6310@bombadil.infradead.org> <20190108044336.GB27534@dastard> <20190109022430.GE27534@dastard> <20190109043906.GF27534@dastard> User-Agent: Alpine 2.21 (LSU 202 2017-01-01) MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Wed, 9 Jan 2019, Dave Chinner wrote: > FWIW, I just realised that the easiest, most reliable way to invalidate > the page cache over a file range is simply to do a O_DIRECT read on it. Neat, good catch indeed. Still, it's only the invalidation part, but the residency check is the crucial one. > > Rationale has been provided by Daniel Gruss in this thread -- if the > > attacker is left with cache timing as the only available vector, he's > > going to be much more successful with mounting hardware cache timing > > attack anyway. > > No, he said: > > "Restricting mincore() is sufficient to fix the hardware-agnostic > part." > > That's not correct - preadv2(RWF_NOWAIT) is also hardware agnostic and > provides exactly the same information about the page cache as mincore. Yeah, preadv2(RWF_NOWAIT) is in the same teritory as mincore(), it has "just" been overlooked. I can't speak for Daniel, but I believe he might be ok with rephrasing the above as "Restricting mincore() and RWF_NOWAIT is sufficient ...". > Timed read/mmap access loops for cache observation are also hardware > agnostic, and on fast SSD based storage will only be marginally slower > bandwidth than preadv2(RWF_NOWAIT). > > Attackers will pick whatever leak vector we don't fix, so we either fix > them all (which I think is probably impossible without removing caching > altogether) We can't really fix the fact that it's possible to do the timing on the HW caches though. > or we start thinking about how we need to isolate the page cache so that > information isn't shared across important security boundaries (e.g. page > cache contents are per-mount namespace). Umm, sorry for being dense, but how would that help that particular attack scenario on a system that doesn't really employ any namespacing? (which I still believe is a majority of the systems out there, but I might have just missed the containers train long time ago :) ). -- Jiri Kosina SUSE Labs