Received: by 2002:a25:4158:0:0:0:0:0 with SMTP id o85csp4670352yba;
        Wed, 17 Apr 2019 17:01:11 -0700 (PDT)
X-Google-Smtp-Source: APXvYqzDscMins/DWT2cs3khDUZDXtUgx45BjyIp8NbGw6oB1NlvGCxjGxFv1TDz8XcYQ3k9cgg0
X-Received: by 2002:a17:902:e382:: with SMTP id ch2mr89657829plb.94.1555545671851;
        Wed, 17 Apr 2019 17:01:11 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1555545671; cv=none;
        d=google.com; s=arc-20160816;
        b=BEttAMGnL60F7LxYUTfuKHfASinkY7TQkEK4mxFQK7oiHWBFhcXEVy82/YL5DE3cux
         Yy0PIftmNuDPdewMG8fePatjFgZuOnCL0T83VhmCuHl1YvX9N0MrzpI67zOG+4qqKZKv
         JZaMnWeFWjhHJK1ZFAHKnzDKHe5xtgzLdyqSGK8TAwci6euGuCtNGJ6vY0Aay9n7VpTi
         8+RqQyGTESz/Y6D62ESAFryGxx/i4o8InwXjsC6jxOFRd107ZilZr/Rf63nMYo1BqjHv
         x16RxSODnTfgVS/wpERNJjKRC81PUQ5OGsG8YxqdSyJRCYoU3dlat13ZoE6jQTTz+jZO
         x+hg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:cc:to:subject:message-id:date:from
         :in-reply-to:references:mime-version:dkim-signature;
        bh=+kn5mtINPt4na060bar/tC0RHNfqAb7J/PmuZQ0Dyi8=;
        b=CvdqCEV+99RXxxjG+J3q9oSfL7fB0onIogFytx+pkaI5m3smjnU8NUYxUMYoLPYEd3
         vJi0xWCHA62tdBH9vlFrLUB6oWsHlq970kBcsNPIpzrkdCVn0MuDK39vYg0vFj/hitZK
         utOuoEM+7pNYlp5KGIHgL4aPF9l+nhXRDR7SPsG7EmNORzjawF6KY+0C34SoRHxj3xpd
         eEWpO+zcZJcUqEvxiG+uQo5QpN4uIcu4B9G9mA9JCGOhe0DjyTMWOE3d6nD6D32E7B1B
         vkIDqZmzvCZ/GHYUoI79SWbZxzE1sx3RwOchn66jxerG9vYAqDMF54Pa1XmUZZSU8T+r
         ojnQ==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@linux-foundation.org header.s=google header.b=IBLCLtPu;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id a186si248768pge.251.2019.04.17.17.00.56;
        Wed, 17 Apr 2019 17:01:11 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@linux-foundation.org header.s=google header.b=IBLCLtPu;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S2387586AbfDQX60 (ORCPT <rfc822;shmalave.kernel@gmail.com>
        + 99 others); Wed, 17 Apr 2019 19:58:26 -0400
Received: from mail-lf1-f67.google.com ([209.85.167.67]:39361 "EHLO
        mail-lf1-f67.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1729331AbfDQX60 (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Wed, 17 Apr 2019 19:58:26 -0400
Received: by mail-lf1-f67.google.com with SMTP id d12so145808lfk.6
        for <linux-kernel@vger.kernel.org>; Wed, 17 Apr 2019 16:58:24 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=linux-foundation.org; s=google;
        h=mime-version:references:in-reply-to:from:date:message-id:subject:to
         :cc;
        bh=+kn5mtINPt4na060bar/tC0RHNfqAb7J/PmuZQ0Dyi8=;
        b=IBLCLtPuOlIJGx6ETpn93rimEqBz5Au/0GjooFZAo0KIJTxoTsJPz413yAtvfmWoXY
         BqvjzirjujDpTm8Z8RGtzbE47EZiPUSxIfegDrH1aTumTX5oM8C5bVyiexfx7ifgxxPB
         UMawmkwQ/X7ZweYBYxIOjMj+Jba1Zio7Xb4vw=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:mime-version:references:in-reply-to:from:date
         :message-id:subject:to:cc;
        bh=+kn5mtINPt4na060bar/tC0RHNfqAb7J/PmuZQ0Dyi8=;
        b=g8xnzWLK1myzwx1ODUqPJtcvGk7AeAEd91EMIyG+mftn5SgbPDSXARQPtRVp1Rp7wg
         AYFhgCJqTwK6bq73BSjxpJfeQvaU1AmImyTA+K2InsGzE0hpKSa7jyRSBC7nAiH9sfxC
         UzBOkWN/Vvy8BqXXQz2csy8MJYuE1UwmaX2Jwdir0BVktUd/WyKdD7s5AQJr1bOf+ORo
         RGJoa1uf8wmkij6E25mpDCH0i7qEm9mo1Fj3n8lbVYSqoItizH3GubGsWsiySaXl6Lry
         /D65vWn9T7YLJ0dAfVgPFF34KKnEVDIFZSx/9ry40lhDCfG/YxX0spbxSrhaaWo/h4Jl
         KyLA==
X-Gm-Message-State: APjAAAWq9GXh6CGtN5RjvYseMyiuzGJQxdADY1a1hucmHAof85dNZtYO
        Ip0STa4hfVNn6PVMckv0Kdf+Kvg83Rk=
X-Received: by 2002:ac2:5085:: with SMTP id f5mr20948510lfm.71.1555545503580;
        Wed, 17 Apr 2019 16:58:23 -0700 (PDT)
Received: from mail-lj1-f176.google.com (mail-lj1-f176.google.com. [209.85.208.176])
        by smtp.gmail.com with ESMTPSA id p14sm83538lfk.6.2019.04.17.16.58.23
        for <linux-kernel@vger.kernel.org>
        (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
        Wed, 17 Apr 2019 16:58:23 -0700 (PDT)
Received: by mail-lj1-f176.google.com with SMTP id v22so255453lje.9
        for <linux-kernel@vger.kernel.org>; Wed, 17 Apr 2019 16:58:23 -0700 (PDT)
X-Received: by 2002:a2e:5dd2:: with SMTP id v79mr48356924lje.22.1555545190479;
 Wed, 17 Apr 2019 16:53:10 -0700 (PDT)
MIME-Version: 1.0
References: <cover.1554248001.git.khalid.aziz@oracle.com> <f1ac3700970365fb979533294774af0b0dd84b3b.1554248002.git.khalid.aziz@oracle.com>
 <20190417161042.GA43453@gmail.com> <e16c1d73-d361-d9c7-5b8e-c495318c2509@oracle.com>
 <20190417170918.GA68678@gmail.com> <56A175F6-E5DA-4BBD-B244-53B786F27B7F@gmail.com>
 <20190417172632.GA95485@gmail.com> <063753CC-5D83-4789-B594-019048DE22D9@gmail.com>
 <alpine.DEB.2.21.1904172317460.3174@nanos.tec.linutronix.de>
 <CAHk-=wgBMg9P-nYQR2pS0XwVdikPCBqLsMFqR9nk=wSmAd4_5g@mail.gmail.com> <alpine.DEB.2.21.1904180129000.3174@nanos.tec.linutronix.de>
In-Reply-To: <alpine.DEB.2.21.1904180129000.3174@nanos.tec.linutronix.de>
From:   Linus Torvalds <torvalds@linux-foundation.org>
Date:   Wed, 17 Apr 2019 16:52:54 -0700
X-Gmail-Original-Message-ID: <CAHk-=whUwOjFW6RjHVM8kNOv1QVLJuHj2Dda0=mpLPdJ1UyatQ@mail.gmail.com>
Message-ID: <CAHk-=whUwOjFW6RjHVM8kNOv1QVLJuHj2Dda0=mpLPdJ1UyatQ@mail.gmail.com>
Subject: Re: [RFC PATCH v9 03/13] mm: Add support for eXclusive Page Frame
 Ownership (XPFO)
To:     Thomas Gleixner <tglx@linutronix.de>
Cc:     Nadav Amit <nadav.amit@gmail.com>, Ingo Molnar <mingo@kernel.org>,
        Khalid Aziz <khalid.aziz@oracle.com>, juergh@gmail.com,
        Tycho Andersen <tycho@tycho.ws>, jsteckli@amazon.de,
        Kees Cook <keescook@google.com>,
        Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>,
        Juerg Haefliger <juerg.haefliger@canonical.com>,
        deepa.srinivasan@oracle.com, chris.hyser@oracle.com,
        Tyler Hicks <tyhicks@canonical.com>,
        David Woodhouse <dwmw@amazon.co.uk>,
        Andrew Cooper <andrew.cooper3@citrix.com>,
        Jon Masters <jcm@redhat.com>,
        Boris Ostrovsky <boris.ostrovsky@oracle.com>,
        iommu <iommu@lists.linux-foundation.org>,
        X86 ML <x86@kernel.org>,
        "linux-alpha@vger.kernel.org" <linux-arm-kernel@lists.infradead.org>,
        "open list:DOCUMENTATION" <linux-doc@vger.kernel.org>,
        Linux List Kernel Mailing <linux-kernel@vger.kernel.org>,
        Linux-MM <linux-mm@kvack.org>,
        LSM List <linux-security-module@vger.kernel.org>,
        Khalid Aziz <khalid@gonehiking.org>,
        Andrew Morton <akpm@linux-foundation.org>,
        Andy Lutomirski <luto@kernel.org>,
        Peter Zijlstra <a.p.zijlstra@chello.nl>,
        Dave Hansen <dave@sr71.net>, Borislav Petkov <bp@alien8.de>,
        "H. Peter Anvin" <hpa@zytor.com>,
        Arjan van de Ven <arjan@infradead.org>,
        Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Content-Type: text/plain; charset="UTF-8"
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Wed, Apr 17, 2019 at 4:42 PM Thomas Gleixner <tglx@linutronix.de> wrote:
>
> On Wed, 17 Apr 2019, Linus Torvalds wrote:
>
> > With SMEP, user space pages are always NX.
>
> We talk past each other. The user space page in the ring3 valid virtual
> address space (non negative) is of course protected by SMEP.
>
> The attack utilizes the kernel linear mapping of the physical
> memory. I.e. user space address 0x43210 has a kernel equivalent at
> 0xfxxxxxxxxxx. So if the attack manages to trick the kernel to that valid
> kernel address and that is mapped X --> game over. SMEP does not help
> there.

Oh, agreed.

But that would simply be a kernel bug. We should only map kernel pages
executable when we have kernel code in them, and we should certainly
not allow those pages to be mapped writably in user space.

That kind of "executable in kernel, writable in user" would be a
horrendous and major bug.

So i think it's a non-issue.

> From the top of my head I'd say this is a non issue as those kernel address
> space mappings _should_ be NX, but we got bitten by _should_ in the past:)

I do agree that bugs can happen, obviously, and we might have missed something.

But in the context of XPFO, I would argue (*very* strongly) that the
likelihood of the above kind of bug is absolutely *miniscule* compared
to the likelihood that we'd have something wrong in the software
implementation of XPFO.

So if the argument is "we might have bugs in software", then I think
that's an argument _against_ XPFO rather than for it.

                Linus