From: Juerg Haefliger <juerg.haefliger@hpe.com>
To: Kees Cook <keescook@chromium.org>
Cc: LKML <linux-kernel@vger.kernel.org>, Linux-MM <linux-mm@kvack.org>, "kernel-hardening@lists.openwall.com" <kernel-hardening@lists.openwall.com>, linux-x86_64@vger.kernel.org, vpk@cs.columbia.edu
Subject: Re: [RFC PATCH v3 1/2] Add support for eXclusive Page Frame Ownership (XPFO)
Date: Tue, 15 Nov 2016 12:15:14 +0100
Message-ID: <cdec912a-3e28-b610-31b9-105384867bbf@hpe.com>
In-Reply-To: <CAGXu5jKY56q3Kp+dB0i-jgo7UrujCqnqhzw80+n_7keioKxWkQ@mail.gmail.com>

Sorry for the late reply, I just found your email in my cluttered inbox.

On 11/10/2016 08:11 PM, Kees Cook wrote:
> On Fri, Nov 4, 2016 at 7:45 AM, Juerg Haefliger <juerg.haefliger@hpe.com> wrote:
>> This patch adds support for XPFO which protects against 'ret2dir' kernel
>> attacks. The basic idea is to enforce exclusive ownership of page frames
>> by either the kernel or userspace, unless explicitly requested by the
>> kernel. Whenever a page destined for userspace is allocated, it is
>> unmapped from physmap (the kernel's page table). When such a page is
>> reclaimed from userspace, it is mapped back to physmap.
>>
>> Additional fields in the page_ext struct are used for XPFO housekeeping.
>> Specifically two flags to distinguish user vs. kernel pages and to tag
>> unmapped pages and a reference counter to balance kmap/kunmap operations
>> and a lock to serialize access to the XPFO fields.
>
> Thanks for keeping on this! I'd really like to see it land and then
> get more architectures to support it.

Good to hear :-)

>> Known issues/limitations:
>>   - Only supports x86-64 (for now)
>>   - Only supports 4k pages (for now)
>>   - There are most likely some legitimate use cases where the kernel needs
>>     to access userspace which need to be made XPFO-aware
>>   - Performance penalty
>
> In the Kconfig you say "slight", but I'm curious what kinds of
> benchmarks you've done and if there's a more specific cost we can
> declare, just to give people more of an idea what the hit looks like?
> (What workloads would trigger a lot of XPFO unmapping, for example?)

That 'slight' wording is based on the performance numbers published in the
referenced paper.

So far I've only run kernel compilation tests. For that workload, the big
performance hit comes from disabling >4k page sizes (around 10%). Adding XPFO
on top causes 'only' another 0.5% performance penalty. I'm currently looking
into adding support for larger page sizes to see what the real impact is and
then generate some more relevant numbers.

...Juerg

> Thanks!
>
> -Kees
>
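
The housekeeping described in the quoted patch description, as a simplified userspace C model added here; it is not code from the patch or from anyone in the thread. The struct, field and function names are hypothetical, and the lock is left out because the model is single-threaded.

```c
#include <stdbool.h>
#include <stdio.h>

/* Userspace model of the XPFO housekeeping state; all names are hypothetical. */
struct xpfo_page {
    bool user;      /* flag: frame is owned by userspace */
    bool unmapped;  /* flag: frame is absent from the modeled physmap */
    int  mapcount;  /* balances model_kmap()/model_kunmap() */
};                  /* the lock from the description is omitted here */

/* Allocation: a frame destined for userspace leaves physmap, a kernel frame stays. */
void model_alloc(struct xpfo_page *p, bool for_user)
{
    p->user = for_user;
    p->unmapped = for_user;
    p->mapcount = 0;
}

/* Reclaim from userspace: the frame is mapped back into physmap. */
void model_free(struct xpfo_page *p) { model_alloc(p, false); }

/* Explicit kernel request: the first mapper restores the physmap entry. */
void model_kmap(struct xpfo_page *p)
{
    if (p->user && p->mapcount++ == 0)
        p->unmapped = false;
}

/* The last unmapper removes the entry again; unbalanced calls are ignored. */
void model_kunmap(struct xpfo_page *p)
{
    if (p->user && p->mapcount > 0 && --p->mapcount == 0)
        p->unmapped = true;
}

/* True if a kernel access through the physmap alias would succeed. */
bool model_physmap_ok(const struct xpfo_page *p) { return !p->unmapped; }

int main(void)
{
    struct xpfo_page pg;
    model_alloc(&pg, true);
    model_kmap(&pg);
    printf("mapped during kmap: %d\n", model_physmap_ok(&pg));
    model_kunmap(&pg);
    printf("mapped after kunmap: %d\n", model_physmap_ok(&pg));
    return 0;
}
```

The reference counter is what keeps a nested kmap from exposing the frame early: the physmap entry disappears only when the last kunmap balances the first kmap.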