Received: by 2002:a05:6358:45e:b0:b5:b6eb:e1f9 with SMTP id 30csp716181rwe; Thu, 25 Aug 2022 08:03:53 -0700 (PDT) X-Google-Smtp-Source: AA6agR7yX9TdW2bXcifB26ElO/wzniIzp5w5MRueV62Wh00C/0NSB8KZHmClcAzhyLYivYRvRnlO X-Received: by 2002:a05:6402:1f12:b0:447:775f:3b7 with SMTP id b18-20020a0564021f1200b00447775f03b7mr3526552edb.317.1661439833141; Thu, 25 Aug 2022 08:03:53 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1661439833; cv=none; d=google.com; s=arc-20160816; b=zLQVz8J4t9XIITtwM8Li+4Wxw+sZRfb5GtCGGV69cIMaH45xVIv5iWa5e7zUgqF9ud Ff0Df+ESe16l+IzVsnlvljAgpjLuDurTrX687KF6RUMfXBjG93Sdt3XCrFl/xGSdX0uc h92wSCCCHqT43h7FzGuYR6+UQos+ARTogzNspzRWFv5QEujjnDohdrLYEwyXxf3dTpEt h+BXq9KSNzOjZ2ITC4cz+b1MFFoLCwPvtYB/5A1HK+0e3tfDCJsfjjs6+Wk2cu9BA7mT YlyG+CruH7nyljKVOfM967naaqZT9UhunGWoFQ+ur9DV9DilolxZsn5O7RCZNhPHHKHm 6srw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:in-reply-to:from :references:cc:to:content-language:subject:user-agent:mime-version :date:message-id:dkim-signature; bh=z6CQnvKiQfnFG2AkfqUerb1vKoShwCNmyO7Ctjyndls=; b=clqOuSOsVBp+Ks8aca+E78u0QYmEvIn2NQhAcbs2OaNAax3FMW5ej3jSiHFfvI1/ym bNzXWAaN+UN3gunOcUFk/v/2b9J2euKqlwiGypbcqWv0PaC55lkoMK1EetMeK9naRkxa xevi6HkJ9KbjAARgS/+qT17jYtwYJ6kIyVlcbOQ0a35uE91buYDwF2ylA7lTrBAuqSjz Iw+X/GQawUzWPF74q2vAfqsoznJjRsgIV+oi5dsXZIDFZJ8N4lPA33SqjP2UnTAc6D/2 Eo1CeFhvxYZ4u333BUrmR25QIRMEnJIFyLaiTqwXQSo+N0sZ0H9NxXuxtUQ+EUBKOYM1 qvhg== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@intel.com header.s=Intel header.b="UXK/iNNa"; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=intel.com Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id nc22-20020a1709071c1600b007263a6115adsi4526540ejc.893.2022.08.25.08.03.26; Thu, 25 Aug 2022 08:03:53 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@intel.com header.s=Intel header.b="UXK/iNNa"; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=intel.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S242141AbiHYOh0 (ORCPT + 99 others); Thu, 25 Aug 2022 10:37:26 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:36036 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S242190AbiHYOhJ (ORCPT ); Thu, 25 Aug 2022 10:37:09 -0400 Received: from mga17.intel.com (mga17.intel.com [192.55.52.151]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 2F094B4E80 for ; Thu, 25 Aug 2022 07:36:50 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=intel.com; i=@intel.com; q=dns/txt; s=Intel; t=1661438210; x=1692974210; h=message-id:date:mime-version:subject:to:cc:references: from:in-reply-to:content-transfer-encoding; bh=dmrRfDKFYvaqDCd7Z0UVB2+tu1U+7ChjMCLoAWvf3BM=; b=UXK/iNNaby6pfzXVMUfzF4Q04mWyxMRdMoHr3TFxaIy+p8dkUfshm8ih 1zEfMGuWdwfMlDwPI5C8qBX0l5OLn4A8FFBqTiwxIEzVH/i0fUGdK/0lA 6Wsm3lWZSrkDWOL/rJTQt2o6anfuacQilS75bKR3fp4AmkfI2woxBeIH4 wZKce9rSC6/NZnbDRM4EWIj0HzrPRGFdpIkejP2CqJQOar72g1l63nTTv bikCTuAjAJHjq7FKt+onexWlDnK/O0Xbx1wGpuOdaVvYuJ0NA9jHUqbDv DATH/EzfU3SKvcsAPfWf8/4wGiA615PwJMMSKQ7ijxSN2r503+FxTbF/3 Q==; X-IronPort-AV: E=McAfee;i="6500,9779,10450"; a="274646649" X-IronPort-AV: E=Sophos;i="5.93,263,1654585200"; d="scan'208";a="274646649" Received: from fmsmga001.fm.intel.com ([10.253.24.23]) by fmsmga107.fm.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 25 Aug 2022 07:36:49 -0700 X-IronPort-AV: E=Sophos;i="5.93,263,1654585200"; d="scan'208";a="752504924" Received: from rnaraya1-mobl1.amr.corp.intel.com (HELO [10.212.254.160]) ([10.212.254.160]) by fmsmga001-auth.fm.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 25 Aug 2022 07:36:48 -0700 Message-ID: Date: Thu, 25 Aug 2022 07:36:49 -0700 MIME-Version: 1.0 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Thunderbird/91.11.0 Subject: Re: PKU usage improvements for threads Content-Language: en-US To: =?UTF-8?Q?Stephen_R=c3=b6ttger?= , Andy Lutomirski Cc: Kees Cook , Dave Hansen , the arch/x86 maintainers , Linux Kernel Mailing List , Jann Horn References: <202208221331.71C50A6F@keescook> <26078f2a-67be-4aa1-bbb2-dcd1168c9d12@www.fastmail.com> From: Dave Hansen In-Reply-To: Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-Spam-Status: No, score=-4.4 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,NICE_REPLY_A, RCVD_IN_DNSWL_MED,SPF_HELO_NONE,SPF_NONE,T_SCC_BODY_TEXT_LINE, URIBL_BLOCKED autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On 8/25/22 05:30, Stephen Röttger wrote: >>> We were also thinking about if this should be a more generic feature instead of >>> being tied to pkeys. I.e. the doc above has an alternative proposal to introduce >>> something like a memory seal/unseal syscall. >>> I was personally leaning towards using pkeys for this for a few reasons: >>> * intuitively it would make sense to me to extend PKEY_DISABLE_ACCESS >>> to also mean disable all changes to the memory, not just the data. >> It would make some sense, but we can't do it with the existing >> PKEY_DISABLE_ACCESS ABI. It would surely break existing users if they >> couldn't munmap() memory that was PKEY_DISABLE_ACCESS. > Our thought was that this could be opt-in with a prctl(). So, today, you have this: foo = malloc(PAGE_SIZE); pkey_mprotect(foo, PAGE_SIZE, READ|WRITE, pkey=1); munmap(foo); // <-- works fine mmap(hint=foo, ...); // now attacker controls &foo Which is problematic. What you want instead is something like this: prctl(PR_ARCH_NO_MUNMAP_ON_PKEY); // or whatever foo = malloc(PAGE_SIZE); pkey_mprotect(foo, PAGE_SIZE, READ|WRITE, pkey=1); wrpkru(PKEY_DISABLE_ACCESS<