From: Dave Hansen
To: linux-kernel@vger.kernel.org
Cc: Dave Hansen, Thomas Gleixner, Ingo Molnar, Borislav Petkov, x86@kernel.org, "H. Peter Anvin", Kees Cook, Peter Zijlstra
Subject: [PATCH] x86/mm: Ease W^X enforcement back to just a warning
Date: Mon, 3 Oct 2022 14:06:59 -0700
Message-Id: <20221003210659.3837868-1-dave.hansen@linux.intel.com>

I'd like to get to a point where we can turn on W^X enforcement and keep it on. But, we're not quite there yet. I'm planning on applying this to x86/mm before it goes to Linus during this merge window. Any objections?

--

Currently, the "change_page_attr" (CPA) code refuses to create W+X mappings on 64-bit kernels. There have been reports both from 32-bit[1] and from BPF[2] users where this change kept the system from booting. These reports are showing up even after about a month of soak time in -next.

To avoid breaking anything, never enforce W^X. Always warn and return the requested permissions even if a problem is detected.

1. https://lore.kernel.org/all/CAMj1kXHcF_iK_g0OZSkSv56Wmr=eQGQwNstcNjLEfS=mm7a06w@mail.gmail.com/
2. https://lore.kernel.org/bpf/c84cc27c1a5031a003039748c3c099732a718aec.camel@kernel.org/T/#u

Signed-off-by: Dave Hansen
Cc: Thomas Gleixner
Cc: Ingo Molnar
Cc: Borislav Petkov
Cc: x86@kernel.org
Cc: "H. Peter Anvin"
Cc: Kees Cook
Cc: Peter Zijlstra
--- arch/x86/mm/pat/set_memory.c | 14 +++++++++----- 1 file changed, 9 insertions(+), 5 deletions(-) diff --git a/arch/x86/mm/pat/set_memory.c b/arch/x86/mm/pat/set_memory.c index efe882c753ca..97342c42dda8 100644
--- a/arch/x86/mm/pat/set_memory.c +++ b/arch/x86/mm/pat/set_memory.c @@ -580,7 +580,7 @@ static inline pgprot_t static_protections(pgprot_t prot, unsigned long start, } /* - * Validate and enforce strict W^X semantics. + * Validate strict W^X semantics. */ static inline pgprot_t verify_rwx(pgprot_t old, pgprot_t new, unsigned long start, unsigned long pfn, unsigned long npg) @@ -595,7 +595,7 @@ static inline pgprot_t verify_rwx(pgprot_t old, pgprot_t new, unsigned long star if (IS_ENABLED(CONFIG_X86_32)) return new; - /* Only enforce when NX is supported: */ + /* Only verify when NX is supported: */ if (!(__supported_pte_mask & _PAGE_NX)) return new; @@ -606,13 +606,17 @@ static inline pgprot_t verify_rwx(pgprot_t old, pgprot_t new, unsigned long star return new; end = start + npg * PAGE_SIZE - 1; - WARN_ONCE(1, "CPA refuse W^X violation: %016llx -> %016llx range: 0x%016lx - 0x%016lx PFN %lx\n", + WARN_ONCE(1, "CPA detected W^X violation: %016llx -> %016llx range: 0x%016lx - 0x%016lx PFN %lx\n", (unsigned long long)pgprot_val(old), (unsigned long long)pgprot_val(new), start, end, pfn); - /* refuse the transition into WX */ - return old; + /* + * For now, allow all permission change attempts by returning the + * attempted permissions. This can 'return old' to actively + * refuse the permission change at a later time. + */ + return new; } /* -- 2.34.1
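Review bot: the function comment above verify_rwx() (first hunk, at -580) is shortened to "Validate strict W^X semantics.", which does not tell a reader that the function no longer affects the outcome. Suggest stating there that a detected W+X transition is only warned about and the requested protections are returned unchanged, so that nobody reading a call site assumes CPA still blocks the mapping. The explanation currently sits only next to the final "return new".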
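Review bot: in the last hunk (at -606), WARN_ONCE() becomes the only effect of a detected violation, and it reports just the first one; with "return new" every later W+X transition is applied with nothing logged. If the goal is to find the remaining offenders before switching back to "return old", consider following the one-time warning with a rate-limited message (pr_warn_ratelimited() or similar) that carries the same range and PFN, or at least note in the new comment that only the first violation is reported.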