Date: Wed, 17 Apr 2019 18:15:22 +0200
From: Ingo Molnar
To: Khalid Aziz
Cc: juergh@gmail.com, tycho@tycho.ws, jsteckli@amazon.de, keescook@google.com,
    konrad.wilk@oracle.com, Juerg Haefliger, deepa.srinivasan@oracle.com,
    chris.hyser@oracle.com, tyhicks@canonical.com, dwmw@amazon.co.uk,
    andrew.cooper3@citrix.com, jcm@redhat.com, boris.ostrovsky@oracle.com,
    iommu@lists.linux-foundation.org, x86@kernel.org,
    linux-arm-kernel@lists.infradead.org, linux-doc@vger.kernel.org,
    linux-kernel@vger.kernel.org, linux-mm@kvack.org,
    linux-security-module@vger.kernel.org, Khalid Aziz, Linus Torvalds,
    Andrew Morton, Thomas Gleixner, Andy Lutomirski, Peter Zijlstra,
    Dave Hansen, Borislav Petkov, "H. Peter Anvin", Arjan van de Ven,
    Greg Kroah-Hartman
Subject: Re: [RFC PATCH v9 03/13] mm: Add support for eXclusive Page Frame Ownership (XPFO)
Message-ID: <20190417161042.GA43453@gmail.com>

[ Sorry, had to trim the Cc: list from hell. Tried to keep all the mailing
  lists and all x86 developers. ]

* Khalid Aziz wrote:

> From: Juerg Haefliger
>
> This patch adds basic support infrastructure for XPFO which protects
> against 'ret2dir' kernel attacks. The basic idea is to enforce
> exclusive ownership of page frames by either the kernel or userspace,
> unless explicitly requested by the kernel. Whenever a page destined for
> userspace is allocated, it is unmapped from physmap (the kernel's page
> table). When such a page is reclaimed from userspace, it is mapped back
> to physmap. Individual architectures can enable full XPFO support using
> this infrastructure by supplying architecture specific pieces.

I have a higher level, meta question:

Is there any updated analysis outlining why this XPFO overhead would be
required on x86-64 kernels running on SMAP/SMEP CPUs which should be all
recent Intel and AMD CPUs, and with kernels that mark all direct kernel
mappings as non-executable - which should be all reasonably modern
kernels later than v4.0 or so?

I.e. the original motivation of the XPFO patches was to prevent execution
of direct kernel mappings. Is this motivation still present if those
mappings are non-executable?

(Sorry if this has been asked and answered in previous discussions.)

Thanks,

	Ingo
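
The following is an added example, not part of the message above and not code from the XPFO patch series: a toy user-space model of the page-frame ownership rule in the quoted patch description, next to the non-executable direct map mentioned in the reply. All names (`model_*`, `struct frame`, `physmap_nx`) are hypothetical, and the model assumes one physmap alias per frame.

```c
/* Toy model only: hypothetical names, not the XPFO implementation. */
#include <stdbool.h>
#include <stdio.h>

#define NPAGES 4
enum access { ACC_READ, ACC_EXEC };

struct frame {
    bool user_owned;  /* frame is currently handed to userspace */
    bool in_physmap;  /* kernel direct-map alias is present */
    int  kmap_count;  /* explicit temporary kernel mappings */
};

static struct frame frames[NPAGES];
static bool physmap_nx = true;  /* direct map marked non-executable */

static void model_reset(void) {
    for (int i = 0; i < NPAGES; i++)
        frames[i] = (struct frame){ false, true, 0 };
}
/* Page destined for userspace: drop the physmap alias. */
static void model_alloc_user(int pfn) {
    frames[pfn].user_owned = true;
    frames[pfn].in_physmap = false;
}
/* Page reclaimed from userspace: map it back to physmap. */
static void model_free_user(int pfn) {
    frames[pfn] = (struct frame){ false, true, 0 };
}
/* "Unless explicitly requested by the kernel": temporary alias. */
static void model_kmap(int pfn) {
    if (frames[pfn].kmap_count++ == 0)
        frames[pfn].in_physmap = true;
}
static void model_kunmap(int pfn) {
    struct frame *f = &frames[pfn];
    if (f->kmap_count > 0 && --f->kmap_count == 0 && f->user_owned)
        f->in_physmap = false;  /* last explicit user gone: hide again */
}
/* Would a kernel access through the physmap alias succeed? */
static bool model_physmap_access(int pfn, enum access a) {
    if (!frames[pfn].in_physmap) return false;      /* not present: fault */
    if (a == ACC_EXEC && physmap_nx) return false;  /* NX: fault */
    return true;
}

int main(void) {
    model_reset();
    model_alloc_user(1);
    printf("read via physmap after user alloc: %d\n",
           model_physmap_access(1, ACC_READ));
    return 0;
}
```

In the model, presence of the alias is governed by ownership and explicit mapping requests, while execute permission is governed separately by the NX setting of the direct map.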