Received: by 2002:a25:ad19:0:0:0:0:0 with SMTP id y25csp4082541ybi; Mon, 15 Jul 2019 03:35:28 -0700 (PDT) X-Google-Smtp-Source: APXvYqwT+C+Ao3H/RG2OgEi3QTyjcJZcljVDCOzkiFi9JiVt8PLuNa7hTnMGbj/BlY6dLKw1/SYV X-Received: by 2002:a65:6256:: with SMTP id q22mr26005479pgv.408.1563186928111; Mon, 15 Jul 2019 03:35:28 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1563186928; cv=none; d=google.com; s=arc-20160816; b=qYNAExlK+7Cq7KMau7b/PPboRaO4ZTcJd6hpVhOOaoUq1u37HWn5EObIcyeYBV/OhJ UtcrxcoSCzy0mDkD4ybVy7HmGyVMneDcBDrqsd6N3h8VfBXS1I6shwmPlZOYCWyhZDSW HWQwUHD4Q4t1AtS59zCJwOIvZSaBaT7lR/EFAmlRuCsbNhdogcGrSEc/YK5YrhP0qyjI Eq2l8XqnBxRsjK6plK7Acw5RkhR58HsUu467O7zCbIDHXCUcwhEalI3HyhWeyQ3FXn0j ZTmNJFYnA2PcwqZwBTEuTfjzNRANQmoejQJ4RK49AsexUFPCXpiU45iTyR249ymyC3Rj nEbQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:user-agent:in-reply-to :content-disposition:mime-version:references:message-id:subject:cc :to:from:date:dkim-signature; bh=/tb2YFKotIun+RrxUFkUJ3SPYjEiIEB8yDIasy299tI=; b=lYLu2Ak0DPIwABhE8yvXXLopOH2M5jiWfGZ9a43vCZCH7cHf2yIbIETzJ3UR301FRU iIckK/N2OGkYrowCgL/KRUgjBtGIT/5XIHl6POpJw+fGqGZ5YAsrUapAx6GLAReFDH93 NVxBypZa6V90Ip5XMv5a8Y6gpmONdTnBio/mMtyCyJ0RUOONw3fwb2fLRZOlrA9tEOPU R11CABptyVpwUec0NVcD9z9AS/mHvTLHKog2n26Vk3cdnHPrNN1JtDc3lJ22/9TBHFwU 2kv5nwsP/0ZwXXttIxb7NziH44KwOQMobytgX/imxUcLffGk5d4BICINJzfuMHdoyvhB Copw== ARC-Authentication-Results: i=1; mx.google.com; dkim=fail header.i=@infradead.org header.s=merlin.20170209 header.b=V5CMHU9S; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id z25si14946307pgv.418.2019.07.15.03.35.10; Mon, 15 Jul 2019 03:35:28 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=fail header.i=@infradead.org header.s=merlin.20170209 header.b=V5CMHU9S; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1729711AbfGOKe1 (ORCPT + 99 others); Mon, 15 Jul 2019 06:34:27 -0400 Received: from merlin.infradead.org ([205.233.59.134]:45504 "EHLO merlin.infradead.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1729530AbfGOKe1 (ORCPT ); Mon, 15 Jul 2019 06:34:27 -0400 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=infradead.org; s=merlin.20170209; h=In-Reply-To:Content-Type:MIME-Version: References:Message-ID:Subject:Cc:To:From:Date:Sender:Reply-To: Content-Transfer-Encoding:Content-ID:Content-Description:Resent-Date: Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:List-Id: List-Help:List-Unsubscribe:List-Subscribe:List-Post:List-Owner:List-Archive; bh=/tb2YFKotIun+RrxUFkUJ3SPYjEiIEB8yDIasy299tI=; b=V5CMHU9SdBHFe0JHCPJ/DfQ9M whb9p82Se2ZevWYbvvkDuh9u+U8Uiaonxw43GBYwgQDNYEP3CSLvWClmBZIh3Lm+Ag21BXBcQk1Mb tgDnaHbBDgvqR/pGJQkjgPMBi8ydXL5TMB2U0D5aL+V/dJu7peXHwVcCgDtxjqnZvWk5TdtQ3tgPx IGTM4iWolBrZicJtBD0iROZpa0kB57IsFZqVCacCQtfX+9jji7DKttASvz4iWs+PWk4iVM7PXf/6Y Had9FeMPHZ0ajhZ94uJ2xDAy1FsLZzeKnZY3WncpD74MtSscMFXyqrGpbZ1cwCRW0KIHhvnq6mOlo gLv5bHwWA==; Received: from j217100.upc-j.chello.nl ([24.132.217.100] helo=hirez.programming.kicks-ass.net) by merlin.infradead.org with esmtpsa (Exim 4.92 #3 (Red Hat Linux)) id 1hmyIt-0001jj-LI; Mon, 15 Jul 2019 10:33:55 +0000 Received: by hirez.programming.kicks-ass.net (Postfix, from userid 1000) id 01F3E20B29100; Mon, 15 Jul 2019 12:33:53 +0200 (CEST) Date: Mon, 15 Jul 2019 12:33:53 +0200 From: Peter Zijlstra To: Andy Lutomirski Cc: Alexandre Chartre , Thomas Gleixner , Dave Hansen , Paolo Bonzini , Radim Krcmar , Ingo Molnar , Borislav Petkov , "H. Peter Anvin" , Dave Hansen , kvm list , X86 ML , Linux-MM , LKML , Konrad Rzeszutek Wilk , jan.setjeeilers@oracle.com, Liran Alon , Jonathan Adams , Alexander Graf , Mike Rapoport , Paul Turner Subject: Re: [RFC v2 00/27] Kernel Address Space Isolation Message-ID: <20190715103353.GC3419@hirez.programming.kicks-ass.net> References: <1562855138-19507-1-git-send-email-alexandre.chartre@oracle.com> <5cab2a0e-1034-8748-fcbe-a17cf4fa2cd4@intel.com> <61d5851e-a8bf-e25c-e673-b71c8b83042c@oracle.com> <20190712125059.GP3419@hirez.programming.kicks-ass.net> <3ca70237-bf8e-57d9-bed5-bc2329d17177@oracle.com> <20190712190620.GX3419@hirez.programming.kicks-ass.net> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: User-Agent: Mutt/1.10.1 (2018-07-13) Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Sun, Jul 14, 2019 at 08:06:12AM -0700, Andy Lutomirski wrote: > On Fri, Jul 12, 2019 at 12:06 PM Peter Zijlstra wrote: > > > > On Fri, Jul 12, 2019 at 06:37:47PM +0200, Alexandre Chartre wrote: > > > On 7/12/19 5:16 PM, Thomas Gleixner wrote: > > > > > > Right. If we decide to expose more parts of the kernel mappings then that's > > > > just adding more stuff to the existing user (PTI) map mechanics. > > > > > > If we expose more parts of the kernel mapping by adding them to the existing > > > user (PTI) map, then we only control the mapping of kernel sensitive data but > > > we don't control user mapping (with ASI, we exclude all user mappings). > > > > > > How would you control the mapping of userland sensitive data and exclude them > > > from the user map? Would you have the application explicitly identify sensitive > > > data (like Andy suggested with a /dev/xpfo device)? > > > > To what purpose do you want to exclude userspace from the kernel > > mapping; that is, what are you mitigating against with that? > > Mutually distrusting user/guest tenants. Imagine an attack against a > VM hosting provider (GCE, for example). If the overall system is > well-designed, the host kernel won't possess secrets that are > important to the overall hosting network. The interesting secrets are > in the memory of other tenants running under the same host. So, if we > can mostly or completely avoid mapping one tenant's memory in the > host, we reduce the amount of valuable information that could leak via > a speculation (or wild read) attack to another tenant. > > The practicality of such a scheme is obviously an open question. Ah, ok. So it's some virt specific nonsense. I'll go on ignoring it then ;-)