Received: by 2002:a05:6a10:16a7:0:0:0:0 with SMTP id gp39csp4397307pxb; Tue, 10 Nov 2020 15:46:34 -0800 (PST) X-Google-Smtp-Source: ABdhPJyxGsbPM0PpljwEqSOgcxH1P00EdMmensXj9ouR1952LNg1vG7SN9uQG2aqRDx9C00GEIHn X-Received: by 2002:a17:906:3b91:: with SMTP id u17mr9435213ejf.499.1605051994029; Tue, 10 Nov 2020 15:46:34 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1605051994; cv=none; d=google.com; s=arc-20160816; b=HN4VrPQttqOQKkKjLX6Qgmlj0kyYrURtB2gzngnYA1yGf5PUCtE+yOyTOpH7N/HlcM q87EIAw7FBo5TCgm3qp5skDLIIQeS2wkUTWrL04/gryiDmJCiboukjPC3bWzOnIjId/S crnTKM0DAuKyiONwAlbx4XGXvzkN/SqoZrxGb6eEHhG0RaCEn26fxgePH6Ht8a43a7oQ yaeNlINS9ZgxTiY0ugWR4nBH8Gpvjez2LbX3Dc97VWyongcG6/wTX3TlFtwL8LEBsEtq IAFaGH0/XOXYOOgqkgDVNfm1E1VY+wgRb682BPGx8dQPWfEoSOsXWFYnicaWAg3KwqgV NqVQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:cc:to:subject:message-id:date:from:in-reply-to :references:mime-version:dkim-signature; bh=vP9Wu8elj1EjHmdlev8FX3SwEeYPqgcrwW7YJdbph/8=; b=Bru9TvSn/TB05PnRQJ9ICKPETLJ1rJDgbdl3GU4rhqHKFRFcsGQWgNt0EED2bJZmoz QIbJCyg+h/CX5/iAUiGgq0s2/i3NnkXkcHjQh/yI/wRcL3UsvZWVZ71W37wbHLdHskuk NkMeYnAHJSxLOocgQHsIeqXEvDXYvRM5F8nqePdSQnqG1CxJMLz6jW2qRa7pzaGzVDhP LaNJi5fZKssKipg1+PThkbTl9CNkKSSvyVjLX7LvJehhLFw6dNmLt5ar0eRTytysIEXS u+G5w0LYmgFDbSRYDtpau1Q2SfeX0p5bSbNSuKPWZvdFwX/Lj41beDoK1mWFz4Q2PfSb +V8Q== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=X1mKbI85; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id z10si83427eje.564.2020.11.10.15.46.03; Tue, 10 Nov 2020 15:46:34 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=X1mKbI85; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1732174AbgKJXkA (ORCPT + 99 others); Tue, 10 Nov 2020 18:40:00 -0500 Received: from mail.kernel.org ([198.145.29.99]:45064 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726706AbgKJXj6 (ORCPT ); Tue, 10 Nov 2020 18:39:58 -0500 Received: from mail-wm1-f42.google.com (mail-wm1-f42.google.com [209.85.128.42]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id 771E7216C4 for ; Tue, 10 Nov 2020 23:39:57 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1605051597; bh=vP9Wu8elj1EjHmdlev8FX3SwEeYPqgcrwW7YJdbph/8=; h=References:In-Reply-To:From:Date:Subject:To:Cc:From; b=X1mKbI858L3Ju6cKsCrDVUrisca1p76TX0NeubgFVdJaVdL1bG8munaGwvbkb7P8m eUCyIB0xowCjZcBVAJEOncV3IwRXqglxX6u/GEo6CDjW+ak+S4H/Q0ESp2vBbb9vQ8 zFR1prT3OcqCFIEhd5pvP02Q1cH/XwjHuaBW83ok= Received: by mail-wm1-f42.google.com with SMTP id a3so107653wmb.5 for ; Tue, 10 Nov 2020 15:39:57 -0800 (PST) X-Gm-Message-State: AOAM531speReVyKu6/e8FUWiQMqXOTQ3uYZMVhy9CDQgpUof7T2RyHQh zArha68IwgOhzKr1m1Oo1IufBTN8c4yoWB0pKZShvw== X-Received: by 2002:a1c:9c56:: with SMTP id f83mr576089wme.49.1605051595859; Tue, 10 Nov 2020 15:39:55 -0800 (PST) MIME-Version: 1.0 References: <20201109144425.270789-1-alexandre.chartre@oracle.com> <20201109144425.270789-14-alexandre.chartre@oracle.com> In-Reply-To: From: Andy Lutomirski Date: Tue, 10 Nov 2020 15:39:43 -0800 X-Gmail-Original-Message-ID: Message-ID: Subject: Re: [RFC][PATCH 13/24] x86/pti: Extend PTI user mappings To: Alexandre Chartre Cc: Thomas Gleixner , Ingo Molnar , Borislav Petkov , "H. Peter Anvin" , X86 ML , Dave Hansen , Andrew Lutomirski , Peter Zijlstra , LKML , Tom Lendacky , Joerg Roedel , Konrad Rzeszutek Wilk , jan.setjeeilers@oracle.com, Junaid Shahid , oweisse@google.com, Mike Rapoport , Alexander Graf , mgross@linux.intel.com, kuzuno@gmail.com Content-Type: text/plain; charset="UTF-8" Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Mon, Nov 9, 2020 at 11:54 AM Alexandre Chartre wrote: > > > [Copying the reply to Andy in the thread with the right email addresses] > > On 11/9/20 6:28 PM, Andy Lutomirski wrote: > > On Mon, Nov 9, 2020 at 3:22 AM Alexandre Chartre > > wrote: > >> > >> Extend PTI user mappings so that more kernel entry code can be executed > >> with the user page-table. To do so, we need to map syscall and interrupt > >> entry code, > > > > Probably fine. > > > >> per cpu offsets (__per_cpu_offset, which is used some in > >> entry code), > > > > This likely already leaks due to vulnerable CPUs leaking address space > > layout info. > > I forgot to update the comment, I am not mapping __per_cpu_offset anymore. > > However, if we do map __per_cpu_offset then we don't need to enforce the > ordering in paranoid_entry to switch CR3 before GS. I'm okay with mapping __per_cpu_offset. > > > > >> the stack canary, > > > > That's going to be a very tough sell. > > > > I can get rid of this, but this will require to disable stack-protector for > any function that we can call while using the user page-table, like already > done in patch 21 (x86/entry: Disable stack-protector for IST entry C handlers). > You could probably get away with using a different stack protector canary before and after the CR3 switch as long as you are careful to have the canary restored when you return from whatever function is involved.