Received: by 2002:a05:7412:1e0b:b0:fc:a2b0:25d7 with SMTP id kr11csp341138rdb; Thu, 15 Feb 2024 01:31:56 -0800 (PST) X-Forwarded-Encrypted: i=3; AJvYcCUSkLaFWrlpgg+EAPguoS7KdUeNd5/wpEoBs5yosUMrzGrn2Q6obwoBUnDkxZhivtWxGdtJSzlw36293D/2uTlqVhLFv6ZeeDLXzjXj2Q== X-Google-Smtp-Source: AGHT+IE7OS7kRNoSs8C5VPZQafVydXzdD8H0oMopc+HlTbd4+oetX+9YCtRQtgzDNcWAJlUpk99l X-Received: by 2002:a17:906:fa16:b0:a3d:17be:8745 with SMTP id lo22-20020a170906fa1600b00a3d17be8745mr1104569ejb.2.1707989516010; Thu, 15 Feb 2024 01:31:56 -0800 (PST) ARC-Seal: i=2; a=rsa-sha256; t=1707989515; cv=pass; d=google.com; s=arc-20160816; b=BQTOOUMBVc8Sqy16FflIyTTlpQoo5j38ibx4hw247wRM5cYzeZdo+5KZDaj17dLhCG E5LbY2cnQu9Ms4tjiJeOzHooFfC26tgc9yE4oHcm0DiWnHStB+RkGbA5J/ukWY2+UVx/ Li8ZCn0J2AIvnreqDIhmVJqm/LuIZ2pePSdSAi1I6CeOVHkch2zdSmiWwhAaOFlfO2IJ CVdJiuIC1bWpAkr783/FeZ26MpwK3sRCTTo6HmOw/uBfkME1YXBrmUJd3mcf3FLhZfVm DfXDZUo1usP76IQVJzw4XNgibq/SAb2IAiFjljjRIPEMm3NvQE47XtrVSd3cl72dFE1J l11Q== ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=content-transfer-encoding:mime-version:list-unsubscribe :list-subscribe:list-id:precedence:references:in-reply-to:message-id :subject:cc:to:from:date:dkim-signature; bh=dKEi4/z9hKMT6w7OFzhXiUpF0cBZZojtikynuA7xrqA=; fh=/HtUfym5StGNu5JE2utKQXWmB9QpijHwDiScV4qlcvU=; b=v43a0BhmfEYJnxSCY2U41n64AJIwMYDPvOwT/Jlu119GFvu4XHDoVh8CUa1BkkVulv sLpfR+QhcQmoy3CFRzBfNEyYThi6+p/sql8FwzOeEGz4LmXaYzrBkzdcAsyj5O4vENsU 3vMK7DsZgYXf6ayxzOtpQGG0zkLr9ftP3d9GVxnouVioItolAOCVSh8veU7BIi+ELyTX CuvzLQS7WP7dt4rCmOe90xvOhwmxzkdKfg9W66XhiiT6CQWo6GonH7UC7e/qJTiHTYxx xS0cO1k0AT6kKU3P2HRQ1s9wk3GNZSt6JCd1mhXcb9600Gny43wo5Em1asYiLEqnEYzI 2dcg==; dara=google.com ARC-Authentication-Results: i=2; mx.google.com; dkim=pass header.i=@tesarici.cz header.s=mail header.b=HL3FvJFS; arc=pass (i=1 spf=pass spfdomain=tesarici.cz dkim=pass dkdomain=tesarici.cz dmarc=pass fromdomain=tesarici.cz); spf=pass (google.com: domain of linux-kernel+bounces-66547-linux.lists.archive=gmail.com@vger.kernel.org designates 147.75.80.249 as permitted sender) smtp.mailfrom="linux-kernel+bounces-66547-linux.lists.archive=gmail.com@vger.kernel.org"; dmarc=pass (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=tesarici.cz Return-Path: Received: from am.mirrors.kernel.org (am.mirrors.kernel.org. [147.75.80.249]) by mx.google.com with ESMTPS id c17-20020a170906695100b00a3d0188a986si442154ejs.19.2024.02.15.01.31.55 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 15 Feb 2024 01:31:55 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel+bounces-66547-linux.lists.archive=gmail.com@vger.kernel.org designates 147.75.80.249 as permitted sender) client-ip=147.75.80.249; Authentication-Results: mx.google.com; dkim=pass header.i=@tesarici.cz header.s=mail header.b=HL3FvJFS; arc=pass (i=1 spf=pass spfdomain=tesarici.cz dkim=pass dkdomain=tesarici.cz dmarc=pass fromdomain=tesarici.cz); spf=pass (google.com: domain of linux-kernel+bounces-66547-linux.lists.archive=gmail.com@vger.kernel.org designates 147.75.80.249 as permitted sender) smtp.mailfrom="linux-kernel+bounces-66547-linux.lists.archive=gmail.com@vger.kernel.org"; dmarc=pass (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=tesarici.cz Received: from smtp.subspace.kernel.org (wormhole.subspace.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by am.mirrors.kernel.org (Postfix) with ESMTPS id 915A41F2163C for ; Thu, 15 Feb 2024 09:31:55 +0000 (UTC) Received: from localhost.localdomain (localhost.localdomain [127.0.0.1]) by smtp.subspace.kernel.org (Postfix) with ESMTP id 22942182DB; Thu, 15 Feb 2024 09:31:10 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=tesarici.cz header.i=@tesarici.cz header.b="HL3FvJFS" Received: from bee.tesarici.cz (bee.tesarici.cz [77.93.223.253]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id BE89018037; Thu, 15 Feb 2024 09:31:04 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=77.93.223.253 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1707989469; cv=none; b=J7Nl4ICy781xOomvGDcVxrEO/IBGsdpwH3nWQMaLMLP/0n09jeE77sA+sCoxam6LYIfFcf9QN5wYisseRs0wHaR6OkjPixJN2zjjxx2KhdlUVmdVVmTYDgzew6GQyE+4XzY/H7rME2TnfXBlnsg1e/ov+7MJcFdLZWw61CiQ1Zg= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1707989469; c=relaxed/simple; bh=IGUUgoQv8fEzz2nY3/U/CkDsbN0lZVUbVVLYQfpeQAI=; h=Date:From:To:Cc:Subject:Message-ID:In-Reply-To:References: MIME-Version:Content-Type; b=UPf/kA8R9e1n64tolJCAx91+2rVODAtvEgtfPCqtssUANDGQ9EdoS6vB7UVzygyg9N2tkVdbgxiZZAazZMaRT0vqj/+uef09/FUkXIWHXrcyM6imjNf7gCsclB5Jo9BB7QU4CNOi12gVaR0DsuiKU6/mimqKQ8zoVaTdrDdCF0g= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=tesarici.cz; spf=pass smtp.mailfrom=tesarici.cz; dkim=pass (2048-bit key) header.d=tesarici.cz header.i=@tesarici.cz header.b=HL3FvJFS; arc=none smtp.client-ip=77.93.223.253 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=tesarici.cz Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=tesarici.cz Received: from meshulam.tesarici.cz (dynamic-2a00-1028-83b8-1e7a-4427-cc85-6706-c595.ipv6.o2.cz [IPv6:2a00:1028:83b8:1e7a:4427:cc85:6706:c595]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-256) server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by bee.tesarici.cz (Postfix) with ESMTPSA id 6DAC91A601E; Thu, 15 Feb 2024 10:30:59 +0100 (CET) Authentication-Results: mail.tesarici.cz; dmarc=fail (p=quarantine dis=none) header.from=tesarici.cz DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=tesarici.cz; s=mail; t=1707989460; bh=dKEi4/z9hKMT6w7OFzhXiUpF0cBZZojtikynuA7xrqA=; h=Date:From:To:Cc:Subject:In-Reply-To:References:From; b=HL3FvJFSNEEFF47AcfBwODUkLgp9ZS9Lm/nJwHw5qdhaOTSKSiq9y5yXF05yoUkai p07ETT8dae0IPABgfAtv6lR0MR1uGbZ9vOSCIb09WGCli5wLVuRZHmd+9BHqrQ6/cg DZWUAAPZQ4IzNjJCHQ8GhiwTyIBeVq9q8HSA2f/YM436ezs5ZcMcxIZT3cZqW+Ty0d imXFAdBer3Fwk85ODUaBRailji2nC8RR1b1dNNieT6t/0bhNtda2oQqm3CYI9mIodS xuIUzZA47sjRLwdXMaQ6Yvi67EBmRiHjexQK8hvEnkrXy9XGi8lhr50W5idNjkUsQA lz+8S/RS9tY4Q== Date: Thu, 15 Feb 2024 10:30:58 +0100 From: Petr =?UTF-8?B?VGVzYcWZw61r?= To: "H. Peter Anvin" , Roberto Sassu Cc: Xin Li , Dave Hansen , Petr Tesarik , Jonathan Corbet , Thomas Gleixner , Ingo Molnar , Borislav Petkov , Dave Hansen , "maintainer:X86 ARCHITECTURE (32-BIT AND 64-BIT)" , Andy Lutomirski , Oleg Nesterov , Peter Zijlstra , Xin Li , Arnd Bergmann , Andrew Morton , Rick Edgecombe , Kees Cook , "Masami Hiramatsu (Google)" , Pengfei Xu , Josh Poimboeuf , Ze Gao , "Kirill A. Shutemov" , Kai Huang , David Woodhouse , Brian Gerst , Jason Gunthorpe , Joerg Roedel , "Mike Rapoport (IBM)" , Tina Zhang , Jacob Pan , "open list:DOCUMENTATION" , open list , Petr Tesarik Subject: Re: [PATCH v1 0/8] x86_64 SandBox Mode arch hooks Message-ID: <20240215103058.52461397@meshulam.tesarici.cz> In-Reply-To: <5434F240-2F74-4D9F-8BEE-220C8EC53C0F@zytor.com> References: <20240214113516.2307-1-petrtesarik@huaweicloud.com> <20240214192214.78734652@meshulam.tesarici.cz> <20240215075932.66fef954@meshulam.tesarici.cz> <5434F240-2F74-4D9F-8BEE-220C8EC53C0F@zytor.com> X-Mailer: Claws Mail 4.2.0 (GTK 3.24.39; x86_64-suse-linux-gnu) Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: quoted-printable On Thu, 15 Feb 2024 00:16:13 -0800 "H. Peter Anvin" wrote: > On February 14, 2024 10:59:32 PM PST, "Petr Tesa=C5=99=C3=ADk" wrote: > >On Wed, 14 Feb 2024 10:52:47 -0800 > >Xin Li wrote: > > =20 > >> On 2/14/2024 10:22 AM, Petr Tesa=C5=99=C3=ADk wrote: =20 > >> > On Wed, 14 Feb 2024 06:52:53 -0800 > >> > Dave Hansen wrote: > >> > =20 > >> >> On 2/14/24 03:35, Petr Tesarik wrote: =20 > >> >>> This patch series implements x86_64 arch hooks for the generic San= dBox > >> >>> Mode infrastructure. =20 > >> >> > >> >> I think I'm missing a bit of context here. What does one _do_ with > >> >> SandBox Mode? Why is it useful? =20 > >> >=20 > >> > I see, I split the patch series into the base infrastructure and the > >> > x86_64 implementation, but I forgot to merge the two recipient lists. > >> > :-( > >> >=20 > >> > Anyway, in the long term I would like to work on gradual decompositi= on > >> > of the kernel into a core part and many self-contained components. > >> > Sandbox mode is a useful tool to enforce isolation. > >> >=20 > >> > In its current form, sandbox mode is too limited for that, but I'm > >> > trying to find some balance between "publish early" and reaching a > >> > feature level where some concrete examples can be shown. I'd rather > >> > fail fast than maintain hundreds of patches in an out-of-tree branch > >> > before submitting (and failing anyway). > >> >=20 > >> > Petr T > >> > =20 > >>=20 > >> What you're proposing sounds a gigantic thing, which could potentially > >> impact all subsystems. =20 > > > >True. Luckily, sandbox mode allows me to move gradually, one component > >at a time. > > =20 > >> Unless you prove it has big advantages with real > >> world usages, I guess nobody even wants to look into the patches. > >>=20 > >> BTW, this seems another attempt to get the idea of micro-kernel into > >> Linux. =20 > > > >We know it's not feasible to convert Linux to a micro-kernel. AFAICS > >that would require some kind of big switch, affecting all subsystems at > >once. > > > >But with a growing code base and more or less constant bug-per-LOC rate, > >people will continue to come up with some ideas how to limit the > >potential impact of each bug. Logically, one of the concepts that come > >to mind is decomposition. > > > >If my attempt helps to clarify how such decomposition should be done to > >be acceptable, it is worthwile. If nothing else, I can summarize the > >situation and ask Jonathan if he would kindly accept it as a LWN > >article... > > > >Petr T > > =20 >=20 > I have been thinking more about this, and I'm more than ever convinced th= at exposing kernel memory to *any* kind of user space is a really, really b= ad idea. It is not a door we ever want to open; once that line gets muddled= , the attack surface opens up dramatically. Would you mind elaborating on this a bit more? For one thing, sandbox mode is *not* user mode. Sure, my proposed x86-64 implementation runs with the same CPU privilege level as user mode, but it is isolated from user mode with just as strong mechanisms as any two user mode processes are isolated from each other. Are you saying that process isolation in Linux is not all that strong after all? Don't get me wrong. I'm honestly trying to understand what exactly makes the idea so bad. I have apparently not considered something that you have, and I would be glad if you could reveal it. > And, in fact, we already have a sandbox mode in the kernel =E2=80=93 it i= s called eBPF.=20 Sure. The difference is that eBPF is a platform of its own (with its own consistency model, machine code etc.). Rewriting code for eBPF may need a bit more effort. Besides, Roberto wrote a PGP key parser as an eBPF program at some point, and I believe it was rejected for that reason. So, it seems there are situations where eBPF is not an alternative. Roberto, can you remember and share some details? Petr T