From: "Reshetova, Elena" <elena.reshetova@intel.com>
To: Peter Zijlstra <peterz@infradead.org>
Cc: "kernel-hardening@lists.openwall.com"
<kernel-hardening@lists.openwall.com>,
"luto@kernel.org" <luto@kernel.org>,
"tglx@linutronix.de" <tglx@linutronix.de>,
"mingo@redhat.com" <mingo@redhat.com>,
"bp@alien8.de" <bp@alien8.de>,
"keescook@chromium.org" <keescook@chromium.org>,
"tytso@mit.edu" <tytso@mit.edu>
Subject: RE: [RFC PATCH] x86/entry/64: randomize kernel stack offset upon system call
Date: Fri, 8 Feb 2019 13:20:09 +0000 [thread overview]
Message-ID: <2236FBA76BA1254E88B949DDB74E612BA4BB7580@IRSMSX102.ger.corp.intel.com> (raw)
In-Reply-To: <20190208130544.GI32511@hirez.programming.kicks-ass.net>
> On Fri, Feb 08, 2019 at 02:15:49PM +0200, Elena Reshetova wrote:
> > 1) hackbench -s 4096 -l 2000 -g 15 -f 25 -P
> > base: Time: 12.243
> > random_offset: Time: 13.411
>
> > base:
> > 8.46% time [kernel.kallsyms] [k] crc32c_pcl_intel_update
> > 4.77% time [kernel.kallsyms] [k] ext4_mark_iloc_dirty
> > 4.14% time [kernel.kallsyms] [k] fsnotify
> >
> > random_offset:
> > 8.35% time [kernel.kallsyms] [k] crc32c_pcl_intel_update
> > 5.61% time [kernel.kallsyms] [k] get_random_u64
> > 4.88% time [kernel.kallsyms] [k] ext4_mark_iloc_dirty
>
> *ouch*
>
> > Notable differences from RANDKSTACK:
>
> > - random bits are taken from get_random_long() instead of
> > rdtsc() for a better randomness. This however has a big
> > performance impact (see above the numbers) and additionally
> > if we happen to hit a point when a generator needs to be
> > reseeded, we might have an issue. Alternatives can be to
> > make this feature dependent on CONFIG_RANDOM_TRUST_CPU,
> > which can solve some issues, but I doubt that all of them.
> > Of course rdtsc() can be a fallback if there is no way to
> > make calls for a proper randomness from the trampoline stack.
>
> http://www.chronox.de/jent/doc/CPU-Jitter-NPTRNG.html
Oh, this seems to be a great write up, I will read this carefully,
thank you for the pointer!
Yes, I believe RANDKSTACK was using rdtsc() exactly because of
many issues get_random_* brings in addition to horrid performance.
This patch works with rdtsc() as well just fine, just wanted to show
the *full* randomness option first with the impact it brings.
>
> That would seem to suggest that the low bits of rdtsc would in fact be a
> fairly good source of random.
>
> Still, doing this on sysexit seems painful at best, syscall performance
> matters (and hopefully we'll get rid of meltdown 'soon').
I can measure the impact with rdtsc(), I think it is *very* small.
Btw, what should be the good measurement test?
I am not that happy with just looping on fopen-fclose, too
much noise.
>
> Why can't we change the stack offset periodically from an interrupt or
> so, and then have every later entry use that.
Hm... This sounds more complex conceptually - we cannot touch
stack when it is in use, so we have to periodically probe for a
good time (when process is in userspace I guess) to change it from an interrupt?
IMO trampoline stack provides such a good clean place for doing it and we
have stackleak there doing stack cleanup, so would make sense to keep
these features operating together.
Best Regards,
Elena.
next prev parent reply other threads:[~2019-02-08 13:20 UTC|newest]
Thread overview: 34+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-02-08 12:15 [RFC PATCH] Early version of thread stack randomization Elena Reshetova
2019-02-08 12:15 ` [RFC PATCH] x86/entry/64: randomize kernel stack offset upon system call Elena Reshetova
2019-02-08 13:05 ` Peter Zijlstra
2019-02-08 13:20 ` Reshetova, Elena [this message]
2019-02-08 14:26 ` Peter Zijlstra
2019-02-09 11:13 ` Reshetova, Elena
2019-02-09 18:25 ` Andy Lutomirski
2019-02-11 6:39 ` Reshetova, Elena
2019-02-11 15:54 ` Andy Lutomirski
2019-02-12 10:16 ` Perla, Enrico
2019-02-14 7:52 ` Reshetova, Elena
2019-02-19 14:47 ` Jann Horn
2019-02-20 22:20 ` Kees Cook
2019-02-21 6:37 ` Andy Lutomirski
2019-02-21 13:20 ` Jann Horn
2019-02-21 15:49 ` Andy Lutomirski
2019-02-20 22:15 ` Kees Cook
2019-02-20 22:53 ` Kees Cook
2019-02-21 23:29 ` Kees Cook
2019-02-27 11:03 ` Reshetova, Elena
2019-02-21 9:35 ` Perla, Enrico
2019-02-21 17:23 ` Kees Cook
2019-02-21 17:48 ` Perla, Enrico
2019-02-21 19:18 ` Kees Cook
2019-02-20 21:51 ` Kees Cook
2019-02-08 15:15 ` Peter Zijlstra
2019-02-09 11:38 ` Reshetova, Elena
2019-02-09 12:09 ` Greg KH
2019-02-11 6:05 ` Reshetova, Elena
2019-02-08 16:34 ` Andy Lutomirski
2019-02-20 22:03 ` Kees Cook
2019-02-08 21:28 ` Kees Cook
2019-02-11 12:47 ` Reshetova, Elena
2019-02-20 22:04 ` Kees Cook
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=2236FBA76BA1254E88B949DDB74E612BA4BB7580@IRSMSX102.ger.corp.intel.com \
--to=elena.reshetova@intel.com \
--cc=bp@alien8.de \
--cc=keescook@chromium.org \
--cc=kernel-hardening@lists.openwall.com \
--cc=luto@kernel.org \
--cc=mingo@redhat.com \
--cc=peterz@infradead.org \
--cc=tglx@linutronix.de \
--cc=tytso@mit.edu \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).