Message-ID: <1556290658.2833.28.camel@HansenPartnership.com>
Subject: Re: [RFC PATCH 2/7] x86/sci: add core implementation for system call isolation
From: James Bottomley
To: Dave Hansen, Mike Rapoport, linux-kernel@vger.kernel.org
Cc: Alexandre Chartre, Andy Lutomirski, Borislav Petkov, Dave Hansen, "H. Peter Anvin", Ingo Molnar, Jonathan Adams, Kees Cook, Paul Turner, Peter Zijlstra, Thomas Gleixner, linux-mm@kvack.org, linux-security-module@vger.kernel.org, x86@kernel.org
Date: Fri, 26 Apr 2019 07:57:38 -0700
In-Reply-To: <627d9321-466f-c4ed-c658-6b8567648dc6@intel.com>
References: <1556228754-12996-1-git-send-email-rppt@linux.ibm.com> <1556228754-12996-3-git-send-email-rppt@linux.ibm.com> <627d9321-466f-c4ed-c658-6b8567648dc6@intel.com>

On Fri, 2019-04-26 at 07:46 -0700, Dave Hansen wrote:
> On 4/25/19 2:45 PM, Mike Rapoport wrote:
> > After the isolated system call finishes, the mappings created
> > during its execution are cleared.
>
> Yikes. I guess that stops someone from calling write() a bunch of
> times on every filesystem using every block device driver and all the
> DM code to get a lot of code/data faulted in. But, it also means not
> even long-running processes will ever have a chance of behaving
> anything close to normally.
>
> Is this something you think can be rectified or is there something
> fundamental that would keep SCI page tables from being cached across
> different invocations of the same syscall?

There is some work being done to look at pre-populating the isolated
address space with the expected execution footprint of the system call,
yes. It lessens the ROP gadget protection slightly because you might
find a gadget in the pre-populated code, but it solves a lot of the
overhead problem.

James