Received: by 2002:a25:4158:0:0:0:0:0 with SMTP id o85csp4670352yba; Wed, 17 Apr 2019 17:01:11 -0700 (PDT) X-Google-Smtp-Source: APXvYqzDscMins/DWT2cs3khDUZDXtUgx45BjyIp8NbGw6oB1NlvGCxjGxFv1TDz8XcYQ3k9cgg0 X-Received: by 2002:a17:902:e382:: with SMTP id ch2mr89657829plb.94.1555545671851; Wed, 17 Apr 2019 17:01:11 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1555545671; cv=none; d=google.com; s=arc-20160816; b=BEttAMGnL60F7LxYUTfuKHfASinkY7TQkEK4mxFQK7oiHWBFhcXEVy82/YL5DE3cux Yy0PIftmNuDPdewMG8fePatjFgZuOnCL0T83VhmCuHl1YvX9N0MrzpI67zOG+4qqKZKv JZaMnWeFWjhHJK1ZFAHKnzDKHe5xtgzLdyqSGK8TAwci6euGuCtNGJ6vY0Aay9n7VpTi 8+RqQyGTESz/Y6D62ESAFryGxx/i4o8InwXjsC6jxOFRd107ZilZr/Rf63nMYo1BqjHv x16RxSODnTfgVS/wpERNJjKRC81PUQ5OGsG8YxqdSyJRCYoU3dlat13ZoE6jQTTz+jZO x+hg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:dkim-signature; bh=+kn5mtINPt4na060bar/tC0RHNfqAb7J/PmuZQ0Dyi8=; b=CvdqCEV+99RXxxjG+J3q9oSfL7fB0onIogFytx+pkaI5m3smjnU8NUYxUMYoLPYEd3 vJi0xWCHA62tdBH9vlFrLUB6oWsHlq970kBcsNPIpzrkdCVn0MuDK39vYg0vFj/hitZK utOuoEM+7pNYlp5KGIHgL4aPF9l+nhXRDR7SPsG7EmNORzjawF6KY+0C34SoRHxj3xpd eEWpO+zcZJcUqEvxiG+uQo5QpN4uIcu4B9G9mA9JCGOhe0DjyTMWOE3d6nD6D32E7B1B vkIDqZmzvCZ/GHYUoI79SWbZxzE1sx3RwOchn66jxerG9vYAqDMF54Pa1XmUZZSU8T+r ojnQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@linux-foundation.org header.s=google header.b=IBLCLtPu; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id a186si248768pge.251.2019.04.17.17.00.56; Wed, 17 Apr 2019 17:01:11 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@linux-foundation.org header.s=google header.b=IBLCLtPu; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S2387586AbfDQX60 (ORCPT + 99 others); Wed, 17 Apr 2019 19:58:26 -0400 Received: from mail-lf1-f67.google.com ([209.85.167.67]:39361 "EHLO mail-lf1-f67.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1729331AbfDQX60 (ORCPT ); Wed, 17 Apr 2019 19:58:26 -0400 Received: by mail-lf1-f67.google.com with SMTP id d12so145808lfk.6 for ; Wed, 17 Apr 2019 16:58:24 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linux-foundation.org; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=+kn5mtINPt4na060bar/tC0RHNfqAb7J/PmuZQ0Dyi8=; b=IBLCLtPuOlIJGx6ETpn93rimEqBz5Au/0GjooFZAo0KIJTxoTsJPz413yAtvfmWoXY BqvjzirjujDpTm8Z8RGtzbE47EZiPUSxIfegDrH1aTumTX5oM8C5bVyiexfx7ifgxxPB UMawmkwQ/X7ZweYBYxIOjMj+Jba1Zio7Xb4vw= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=+kn5mtINPt4na060bar/tC0RHNfqAb7J/PmuZQ0Dyi8=; b=g8xnzWLK1myzwx1ODUqPJtcvGk7AeAEd91EMIyG+mftn5SgbPDSXARQPtRVp1Rp7wg AYFhgCJqTwK6bq73BSjxpJfeQvaU1AmImyTA+K2InsGzE0hpKSa7jyRSBC7nAiH9sfxC UzBOkWN/Vvy8BqXXQz2csy8MJYuE1UwmaX2Jwdir0BVktUd/WyKdD7s5AQJr1bOf+ORo RGJoa1uf8wmkij6E25mpDCH0i7qEm9mo1Fj3n8lbVYSqoItizH3GubGsWsiySaXl6Lry /D65vWn9T7YLJ0dAfVgPFF34KKnEVDIFZSx/9ry40lhDCfG/YxX0spbxSrhaaWo/h4Jl KyLA== X-Gm-Message-State: APjAAAWq9GXh6CGtN5RjvYseMyiuzGJQxdADY1a1hucmHAof85dNZtYO Ip0STa4hfVNn6PVMckv0Kdf+Kvg83Rk= X-Received: by 2002:ac2:5085:: with SMTP id f5mr20948510lfm.71.1555545503580; Wed, 17 Apr 2019 16:58:23 -0700 (PDT) Received: from mail-lj1-f176.google.com (mail-lj1-f176.google.com. [209.85.208.176]) by smtp.gmail.com with ESMTPSA id p14sm83538lfk.6.2019.04.17.16.58.23 for (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Wed, 17 Apr 2019 16:58:23 -0700 (PDT) Received: by mail-lj1-f176.google.com with SMTP id v22so255453lje.9 for ; Wed, 17 Apr 2019 16:58:23 -0700 (PDT) X-Received: by 2002:a2e:5dd2:: with SMTP id v79mr48356924lje.22.1555545190479; Wed, 17 Apr 2019 16:53:10 -0700 (PDT) MIME-Version: 1.0 References: <20190417161042.GA43453@gmail.com> <20190417170918.GA68678@gmail.com> <56A175F6-E5DA-4BBD-B244-53B786F27B7F@gmail.com> <20190417172632.GA95485@gmail.com> <063753CC-5D83-4789-B594-019048DE22D9@gmail.com> In-Reply-To: From: Linus Torvalds Date: Wed, 17 Apr 2019 16:52:54 -0700 X-Gmail-Original-Message-ID: Message-ID: Subject: Re: [RFC PATCH v9 03/13] mm: Add support for eXclusive Page Frame Ownership (XPFO) To: Thomas Gleixner Cc: Nadav Amit , Ingo Molnar , Khalid Aziz , juergh@gmail.com, Tycho Andersen , jsteckli@amazon.de, Kees Cook , Konrad Rzeszutek Wilk , Juerg Haefliger , deepa.srinivasan@oracle.com, chris.hyser@oracle.com, Tyler Hicks , David Woodhouse , Andrew Cooper , Jon Masters , Boris Ostrovsky , iommu , X86 ML , "linux-alpha@vger.kernel.org" , "open list:DOCUMENTATION" , Linux List Kernel Mailing , Linux-MM , LSM List , Khalid Aziz , Andrew Morton , Andy Lutomirski , Peter Zijlstra , Dave Hansen , Borislav Petkov , "H. Peter Anvin" , Arjan van de Ven , Greg Kroah-Hartman Content-Type: text/plain; charset="UTF-8" Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Wed, Apr 17, 2019 at 4:42 PM Thomas Gleixner wrote: > > On Wed, 17 Apr 2019, Linus Torvalds wrote: > > > With SMEP, user space pages are always NX. > > We talk past each other. The user space page in the ring3 valid virtual > address space (non negative) is of course protected by SMEP. > > The attack utilizes the kernel linear mapping of the physical > memory. I.e. user space address 0x43210 has a kernel equivalent at > 0xfxxxxxxxxxx. So if the attack manages to trick the kernel to that valid > kernel address and that is mapped X --> game over. SMEP does not help > there. Oh, agreed. But that would simply be a kernel bug. We should only map kernel pages executable when we have kernel code in them, and we should certainly not allow those pages to be mapped writably in user space. That kind of "executable in kernel, writable in user" would be a horrendous and major bug. So i think it's a non-issue. > From the top of my head I'd say this is a non issue as those kernel address > space mappings _should_ be NX, but we got bitten by _should_ in the past:) I do agree that bugs can happen, obviously, and we might have missed something. But in the context of XPFO, I would argue (*very* strongly) that the likelihood of the above kind of bug is absolutely *miniscule* compared to the likelihood that we'd have something wrong in the software implementation of XPFO. So if the argument is "we might have bugs in software", then I think that's an argument _against_ XPFO rather than for it. Linus