Date: Thu, 18 Apr 2019 08:14:48 +0200 (CEST)
From: Thomas Gleixner
To: Linus Torvalds
cc: Nadav Amit, Ingo Molnar, Khalid Aziz, juergh@gmail.com, Tycho Andersen,
    jsteckli@amazon.de, Kees Cook, Konrad Rzeszutek Wilk, Juerg Haefliger,
    deepa.srinivasan@oracle.com, chris.hyser@oracle.com, Tyler Hicks,
    David Woodhouse, Andrew Cooper, Jon Masters, Boris Ostrovsky, iommu,
    X86 ML, "linux-alpha@vger.kernel.org", "open list:DOCUMENTATION",
    Linux List Kernel Mailing, Linux-MM, LSM List, Khalid Aziz,
    Andrew Morton, Andy Lutomirski, Peter Zijlstra, Dave Hansen,
    Borislav Petkov, "H. Peter Anvin", Arjan van de Ven, Greg Kroah-Hartman
Subject: Re: [RFC PATCH v9 03/13] mm: Add support for eXclusive Page Frame Ownership (XPFO)
X-Mailing-List: linux-kernel@vger.kernel.org

On Wed, 17 Apr 2019, Linus Torvalds wrote:

> On Wed, Apr 17, 2019 at 4:42 PM Thomas Gleixner wrote:
> > On Wed, 17 Apr 2019, Linus Torvalds wrote:
> > > With SMEP, user space pages are always NX.
> >
> > We talk past each other. The user space page in the ring3 valid virtual
> > address space (non negative) is of course protected by SMEP.
> >
> > The attack utilizes the kernel linear mapping of the physical
> > memory. I.e. user space address 0x43210 has a kernel equivalent at
> > 0xfxxxxxxxxxx. So if the attack manages to trick the kernel to that valid
> > kernel address and that is mapped X --> game over. SMEP does not help
> > there.
>
> Oh, agreed.
>
> But that would simply be a kernel bug. We should only map kernel pages
> executable when we have kernel code in them, and we should certainly
> not allow those pages to be mapped writably in user space.
>
> That kind of "executable in kernel, writable in user" would be a
> horrendous and major bug.
>
> So I think it's a non-issue.

Pretty much.

> > From the top of my head I'd say this is a non issue as those kernel address
> > space mappings _should_ be NX, but we got bitten by _should_ in the past:)
>
> I do agree that bugs can happen, obviously, and we might have missed something.
>
> But in the context of XPFO, I would argue (*very* strongly) that the
> likelihood of the above kind of bug is absolutely *minuscule* compared
> to the likelihood that we'd have something wrong in the software
> implementation of XPFO.
>
> So if the argument is "we might have bugs in software", then I think
> that's an argument _against_ XPFO rather than for it.

No argument from my side. We better spend time to make sure that a bogus
kernel side X mapping is caught, like we catch other things.

Thanks,

	tglx
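
Added example, not part of the original message and not kernel code: a userspace check in the spirit of the closing remark, which flags executable entries in the linear (direct) mapping section of an x86 page-table dump and writable-plus-executable entries elsewhere. The line layout and the "Low Kernel Mapping" section name are assumptions modeled on the x86 page-table dump format, and the sample dump is constructed.

```python
import re

# Constructed sample, modeled on the x86 page-table dump layout (assumption):
# "start-end  size  attribute tokens  level", grouped under ---[ section ]---.
SAMPLE_DUMP = """\
---[ Low Kernel Mapping ]---
0xffff888000000000-0xffff888000200000           2M     RW         PSE     GLB NX pmd
0xffff888000200000-0xffff888000201000           4K     RW                 GLB x  pte
0xffff888000201000-0xffff888000400000        2044K     RW                 GLB NX pte
---[ High Kernel Mapping ]---
0xffffffff81000000-0xffffffff81e00000          14M     ro         PSE     GLB x  pmd
0xffffffff81e00000-0xffffffff82000000           2M     RW         PSE     GLB NX pmd
"""

SECTION = re.compile(r"^---\[ (.+) \]---$")
ENTRY = re.compile(r"^0x([0-9a-f]+)-0x([0-9a-f]+)\s+\S+\s+(.*)$")

# Assumption: this section is the linear (direct) mapping of physical memory,
# which aliases user pages and therefore must never be executable.
DIRECT_MAP_SECTIONS = {"Low Kernel Mapping"}


def audit(dump):
    """Return findings as (section, start, end, reason) tuples."""
    findings, section = [], None
    for line in dump.splitlines():
        m = SECTION.match(line.strip())
        if m:
            section = m.group(1)
            continue
        m = ENTRY.match(line.strip())
        if not m:
            continue
        start, end = int(m.group(1), 16), int(m.group(2), 16)
        attrs = m.group(3).split()[:-1]  # last token is the level (pte/pmd/...)
        executable = "x" in attrs and "NX" not in attrs
        if executable and section in DIRECT_MAP_SECTIONS:
            findings.append((section, start, end, "executable direct-map alias"))
        elif executable and "RW" in attrs:
            findings.append((section, start, end, "writable and executable"))
    return findings


if __name__ == "__main__":
    for sec, start, end, why in audit(SAMPLE_DUMP):
        print(f"{sec}: {start:#x}-{end:#x} {why}")
```

The read-only executable kernel text range in the sample is not reported; only the single executable page inside the direct map is.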