Received: by 2002:a05:6358:45e:b0:b5:b6eb:e1f9 with SMTP id 30csp838585rwe; Wed, 24 Aug 2022 09:45:31 -0700 (PDT) X-Google-Smtp-Source: AA6agR7vpOYyMPolCbfNq+awrltrObrQz2aPFXqW0t0HqO2hII0h787gPpNRnG87DmcBemPh6O8/ X-Received: by 2002:a17:90a:318f:b0:1fa:a374:f565 with SMTP id j15-20020a17090a318f00b001faa374f565mr9204481pjb.146.1661359531528; Wed, 24 Aug 2022 09:45:31 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1661359531; cv=none; d=google.com; s=arc-20160816; b=0kUbI9hjxYCsOAej1XXQFjrsxxalFb4tVuEL1p5sbQs6HKXb3bV9/d/Hcg20oyLWp/ OVgQE9+GnToNIWF3vqpeau5P3clzHBHOTBaVjPDPCMjsh61xnhvkPhVXB/Avw8iPf8hc TpQcMstMlWQt/lr5eenBxrSTQ+7/TywjeTd2XZXZO9rjKa1agkpc9QQWdgkv8tJth7gw JCVGiUp9o/XLiHAIS0UWm6nJm0ZyISWcvIm2saDjUA6Y56n2QrgaJx1IlJQll/rHLbdx a9pem2fan9B8gZm66ZL3dyaig5h/SMudWOWCHWrJ4QBjvGuHgOU7sw/ReuHrqiRYOym7 ZeRg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:in-reply-to:from :references:cc:to:content-language:subject:user-agent:mime-version :date:message-id:dkim-signature; bh=3gTYkz+s5TeJSmr65MwaEuSgm/cUQ2m0KWs9bsRHj9s=; b=sNK63C9er4wxgbndd8BhmtUYRNU4WRh3CkrzgSiyAC0s6LaYriT5nAJOvZ7dKhaK2C mRX+Gi2HWDEj78FeTyHdUbV/v6ULFF3iFwU4yewELji3Y1fhgbsEx+dJJryfVU6yGCdi 2fgVjxkWJaNmWjQKGliPK4XTzhwIyrlBtZq5IzT6oR/3/pFKMHLb8GjWDl/2YOADwkJc gH6p14A3G3HxMYXGi7HBK9HrsRRlz22uj5tQ78zSS0aQzdp/mx35bcepL0aPfySIa2Ld s+iA/0jqf5WwHGooCrWNf8ufhpDHXnVyv8XZ5MJl2HzWL9bkFuU1sRWKxNbqcCO+iXYD lXLQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@intel.com header.s=Intel header.b=J1x+uMTQ; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=intel.com Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id s127-20020a632c85000000b00426eb824512si18233949pgs.784.2022.08.24.09.45.17; Wed, 24 Aug 2022 09:45:31 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@intel.com header.s=Intel header.b=J1x+uMTQ; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=intel.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S239442AbiHXQ2Z (ORCPT + 99 others); Wed, 24 Aug 2022 12:28:25 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:50076 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S239418AbiHXQ2T (ORCPT ); Wed, 24 Aug 2022 12:28:19 -0400 Received: from mga09.intel.com (mga09.intel.com [134.134.136.24]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 44E5582F8D for ; Wed, 24 Aug 2022 09:28:18 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=intel.com; i=@intel.com; q=dns/txt; s=Intel; t=1661358498; x=1692894498; h=message-id:date:mime-version:subject:to:cc:references: from:in-reply-to:content-transfer-encoding; bh=5gPvSM69EFABalYJ9JXoG8SIkAFvTVcfdVREF5gnBvo=; b=J1x+uMTQqgiLHhtCnArjldHwXD2xeGrYImVgBfxcxc1SUitP/IXt5pCW +g6PNJe9UyoIToFt1dmsl/pHe33DiygzdTz+q0kpDr59ETceebQP7lDhu A5n9jwA1JR7PUEqRjqtKnQHMM0Z8dV8sTaQKbc73vhKsRaws4ChhYBovl pIH62jfeewu51fDjUXVNW8U4qzDEPVtsDWqyrZZmOgUdUwvFo/axNK3IU lZhbDxSrAVo3avrU1o3qOf7XDzokvXa83bJ1EPFFbOjqwoaOMdYa9pWZw FzNxa2IDSp+hq3gXZ/ymomJ3K1S6FlNU8oN//wg2DhOE2OYRtGwRMDYpC g==; X-IronPort-AV: E=McAfee;i="6500,9779,10449"; a="294796109" X-IronPort-AV: E=Sophos;i="5.93,260,1654585200"; d="scan'208";a="294796109" Received: from fmsmga005.fm.intel.com ([10.253.24.32]) by orsmga102.jf.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 24 Aug 2022 09:28:17 -0700 X-IronPort-AV: E=Sophos;i="5.93,260,1654585200"; d="scan'208";a="937975167" Received: from skeshri-mobl.ger.corp.intel.com (HELO [10.212.154.182]) ([10.212.154.182]) by fmsmga005-auth.fm.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 24 Aug 2022 09:28:16 -0700 Message-ID: <69cfbf60-2583-1bdc-3313-3b1ab72968e0@intel.com> Date: Wed, 24 Aug 2022 09:28:17 -0700 MIME-Version: 1.0 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Thunderbird/91.11.0 Subject: Re: PKU usage improvements for threads Content-Language: en-US To: =?UTF-8?Q?Stephen_R=c3=b6ttger?= , Andy Lutomirski Cc: Kees Cook , Dave Hansen , the arch/x86 maintainers , Linux Kernel Mailing List , Jann Horn References: <202208221331.71C50A6F@keescook> <26078f2a-67be-4aa1-bbb2-dcd1168c9d12@www.fastmail.com> From: Dave Hansen In-Reply-To: Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-Spam-Status: No, score=-4.4 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,NICE_REPLY_A, RCVD_IN_DNSWL_MED,RCVD_IN_MSPIKE_H3,RCVD_IN_MSPIKE_WL,SPF_HELO_NONE, SPF_NONE,T_SCC_BODY_TEXT_LINE,URIBL_BLOCKED autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On 8/24/22 01:51, Stephen Röttger wrote: >>> Yeah, that's something for which our defenses are quite weak. But, it >>> also calls for a very generic mm/ solution and not something specific at >>> all to pkeys. > We were also thinking about if this should be a more generic feature instead of > being tied to pkeys. I.e. the doc above has an alternative proposal to introduce > something like a memory seal/unseal syscall. > I was personally leaning towards using pkeys for this for a few reasons: > * intuitively it would make sense to me to extend PKEY_DISABLE_ACCESS > to also mean disable all changes to the memory, not just the data. It would make some sense, but we can't do it with the existing PKEY_DISABLE_ACCESS ABI. It would surely break existing users if they couldn't munmap() memory that was PKEY_DISABLE_ACCESS. But, making it part of the mprotect() ABI wouldn't be the worst thing in the world. Since we have a pkey_mprotect(), any mprotect()-based mechanism could even reuse the existing pkey syscalls. I do agree with Andy, though, that I'm not quite sure what the attack model is here. If an attacker can make arbitrary system calls, surely protecting one little altstack VMA isn't doing to help much.