From: Alexandre Chartre <alexandre.chartre@oracle.com>
To: pbonzini@redhat.com, rkrcmar@redhat.com, tglx@linutronix.de,
mingo@redhat.com, bp@alien8.de, hpa@zytor.com,
dave.hansen@linux.intel.com, luto@kernel.org,
peterz@infradead.org, kvm@vger.kernel.org, x86@kernel.org,
linux-mm@kvack.org, linux-kernel@vger.kernel.org
Cc: konrad.wilk@oracle.com, jan.setjeeilers@oracle.com,
liran.alon@oracle.com, jwadams@google.com, graf@amazon.de,
rppt@linux.vnet.ibm.com
Subject: Re: [RFC v2 00/27] Kernel Address Space Isolation
Date: Thu, 11 Jul 2019 16:40:50 +0200 [thread overview]
Message-ID: <426fe24d-2ae2-782e-fcc1-ad2ede9ee68b@oracle.com> (raw)
In-Reply-To: <1562855138-19507-1-git-send-email-alexandre.chartre@oracle.com>
And I've just noticed that I've messed up the subject of the cover letter.
There are 26 patches, not 27. So it should have been 00/26 not 00/27.
Sorry about that.
alex.
On 7/11/19 4:25 PM, Alexandre Chartre wrote:
> Hi,
>
> This is version 2 of the "KVM Address Space Isolation" RFC. The code
> has been completely changed compared to v1 and it now provides a generic
> kernel framework which provides Address Space Isolation; and KVM is now
> a simple consumer of that framework. That's why the RFC title has been
> changed from "KVM Address Space Isolation" to "Kernel Address Space
> Isolation".
>
> Kernel Address Space Isolation aims to use address spaces to isolate some
> parts of the kernel (for example KVM) to prevent leaking sensitive data
> between hyper-threads under speculative execution attacks. You can refer
> to the first version of this RFC for more context:
>
> https://lkml.org/lkml/2019/5/13/515
>
> The new code is still a proof of concept. It is much more stable than v1:
> I am able to run a VM with a full OS (and also a nested VM) with multiple
> vcpus. But it looks like there are still some corner cases which cause the
> system to crash/hang.
>
> I am looking for feedback about this new approach where address space
> isolation is provided by the kernel, and KVM is a just a consumer of this
> new framework.
>
>
> Changes
> =======
>
> - Address Space Isolation (ASI) is now provided as a kernel framework:
> interfaces for creating and managing an ASI are provided by the kernel,
> there are not implemented in KVM.
>
> - An ASI is associated with a page-table, we don't use mm anymore. Entering
> isolation is done by just updating CR3 to use the ASI page-table. Exiting
> isolation restores CR3 with the CR3 value present before entering isolation.
>
> - Isolation is exited at the beginning of any interrupt/exception handler,
> and on context switch.
>
> - Isolation doesn't disable interrupt, but if an interrupt occurs the
> interrupt handler will exit isolation.
>
> - The current stack is mapped when entering isolation and unmapped when
> exiting isolation.
>
> - The current task is not mapped by default, but there's an option to map it.
> In such a case, the current task is mapped when entering isolation and
> unmap when exiting isolation.
>
> - Kernel code mapped to the ASI page-table has been reduced to:
> . the entire kernel (I still need to test with only the kernel text)
> . the cpu entry area (because we need the GDT to be mapped)
> . the cpu ASI session (for managing ASI)
> . the current stack
>
> - Optionally, an ASI can request the following kernel mapping to be added:
> . the stack canary
> . the cpu offsets (this_cpu_off)
> . the current task
> . RCU data (rcu_data)
> . CPU HW events (cpu_hw_events).
>
> All these optional mappings are used for KVM isolation.
>
>
> Patches:
> ========
>
> The proposed patches provides a framework for creating an Address Space
> Isolation (ASI) (represented by a struct asi). The ASI has a page-table which
> can be populated by copying mappings from the kernel page-table. The ASI can
> then be entered/exited by switching between the kernel page-table and the
> ASI page-table. In addition, any interrupt, exception or context switch
> will automatically abort and exit the isolation. Finally patches use the
> ASI framework to implement KVM isolation.
>
> - 01-03: Core of the ASI framework: create/destroy ASI, enter/exit/abort
> isolation, ASI page-fault handler.
>
> - 04-14: Functions to manage, populate and clear an ASI page-table.
>
> - 15-20: ASI core mappings and optional mappings.
>
> - 21: Make functions to read cr3/cr4 ASI aware
>
> - 22-26: Use ASI in KVM to provide isolation for VMExit handlers.
>
>
> API Overview:
> =============
> Here is a short description of the main ASI functions provided by the framwork.
>
> struct asi *asi_create(int map_flags)
>
> Create an Address Space Isolation (ASI). map_flags can be used to specify
> optional kernel mapping to be added to the ASI page-table (for example,
> ASI_MAP_STACK_CANARY to map the stack canary).
>
>
> void asi_destroy(struct asi *asi)
>
> Destroy an ASI.
>
>
> int asi_enter(struct asi *asi)
>
> Enter isolation for the specified ASI. This switches from the kernel page-table
> to the page-table associated with the ASI.
>
>
> void asi_exit(struct asi *asi)
>
> Exit isolation for the specified ASI. This switches back to the kernel
> page-table
>
>
> int asi_map(struct asi *asi, void *ptr, unsigned long size);
>
> Copy kernel mapping to the specified ASI page-table.
>
>
> void asi_unmap(struct asi *asi, void *ptr);
>
> Clear kernel mapping from the specified ASI page-table.
>
>
> ----
> Alexandre Chartre (23):
> mm/x86: Introduce kernel address space isolation
> mm/asi: Abort isolation on interrupt, exception and context switch
> mm/asi: Handle page fault due to address space isolation
> mm/asi: Functions to track buffers allocated for an ASI page-table
> mm/asi: Add ASI page-table entry offset functions
> mm/asi: Add ASI page-table entry allocation functions
> mm/asi: Add ASI page-table entry set functions
> mm/asi: Functions to populate an ASI page-table from a VA range
> mm/asi: Helper functions to map module into ASI
> mm/asi: Keep track of VA ranges mapped in ASI page-table
> mm/asi: Functions to clear ASI page-table entries for a VA range
> mm/asi: Function to copy page-table entries for percpu buffer
> mm/asi: Add asi_remap() function
> mm/asi: Handle ASI mapped range leaks and overlaps
> mm/asi: Initialize the ASI page-table with core mappings
> mm/asi: Option to map current task into ASI
> rcu: Move tree.h static forward declarations to tree.c
> rcu: Make percpu rcu_data non-static
> mm/asi: Add option to map RCU data
> mm/asi: Add option to map cpu_hw_events
> mm/asi: Make functions to read cr3/cr4 ASI aware
> KVM: x86/asi: Populate the KVM ASI page-table
> KVM: x86/asi: Map KVM memslots and IO buses into KVM ASI
>
> Liran Alon (3):
> KVM: x86/asi: Introduce address_space_isolation module parameter
> KVM: x86/asi: Introduce KVM address space isolation
> KVM: x86/asi: Switch to KVM address space on entry to guest
>
> arch/x86/entry/entry_64.S | 42 ++-
> arch/x86/include/asm/asi.h | 237 ++++++++
> arch/x86/include/asm/mmu_context.h | 20 +-
> arch/x86/include/asm/tlbflush.h | 10 +
> arch/x86/kernel/asm-offsets.c | 4 +
> arch/x86/kvm/Makefile | 3 +-
> arch/x86/kvm/mmu.c | 2 +-
> arch/x86/kvm/vmx/isolation.c | 231 ++++++++
> arch/x86/kvm/vmx/vmx.c | 14 +-
> arch/x86/kvm/vmx/vmx.h | 24 +
> arch/x86/kvm/x86.c | 68 +++-
> arch/x86/kvm/x86.h | 1 +
> arch/x86/mm/Makefile | 2 +
> arch/x86/mm/asi.c | 459 +++++++++++++++
> arch/x86/mm/asi_pagetable.c | 1077 ++++++++++++++++++++++++++++++++++++
> arch/x86/mm/fault.c | 7 +
> include/linux/kvm_host.h | 7 +
> kernel/rcu/tree.c | 56 ++-
> kernel/rcu/tree.h | 56 +--
> kernel/sched/core.c | 4 +
> security/Kconfig | 10 +
> 21 files changed, 2269 insertions(+), 65 deletions(-)
> create mode 100644 arch/x86/include/asm/asi.h
> create mode 100644 arch/x86/kvm/vmx/isolation.c
> create mode 100644 arch/x86/mm/asi.c
> create mode 100644 arch/x86/mm/asi_pagetable.c
>
next prev parent reply other threads:[~2019-07-11 14:42 UTC|newest]
Thread overview: 82+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-07-11 14:25 [RFC v2 00/27] Kernel Address Space Isolation Alexandre Chartre
2019-07-11 14:25 ` [RFC v2 01/26] mm/x86: Introduce kernel address space isolation Alexandre Chartre
2019-07-11 21:33 ` Thomas Gleixner
2019-07-11 21:33 ` Thomas Gleixner
2019-07-12 7:43 ` Alexandre Chartre
2019-07-11 14:25 ` [RFC v2 02/26] mm/asi: Abort isolation on interrupt, exception and context switch Alexandre Chartre
2019-07-11 20:11 ` Andi Kleen
2019-07-11 20:11 ` Andi Kleen
2019-07-11 20:17 ` Mike Rapoport
2019-07-11 20:41 ` Alexandre Chartre
2019-07-12 0:05 ` Andy Lutomirski
2019-07-12 7:50 ` Alexandre Chartre
2019-07-11 14:25 ` [RFC v2 03/26] mm/asi: Handle page fault due to address space isolation Alexandre Chartre
2019-07-11 14:25 ` [RFC v2 04/26] mm/asi: Functions to track buffers allocated for an ASI page-table Alexandre Chartre
2019-07-11 14:25 ` [RFC v2 05/26] mm/asi: Add ASI page-table entry offset functions Alexandre Chartre
2019-07-11 14:25 ` [RFC v2 06/26] mm/asi: Add ASI page-table entry allocation functions Alexandre Chartre
2019-07-11 14:25 ` [RFC v2 07/26] mm/asi: Add ASI page-table entry set functions Alexandre Chartre
2019-07-11 14:25 ` [RFC v2 08/26] mm/asi: Functions to populate an ASI page-table from a VA range Alexandre Chartre
2019-07-11 14:25 ` [RFC v2 09/26] mm/asi: Helper functions to map module into ASI Alexandre Chartre
2019-07-11 14:25 ` [RFC v2 10/26] mm/asi: Keep track of VA ranges mapped in ASI page-table Alexandre Chartre
2019-07-11 14:25 ` [RFC v2 11/26] mm/asi: Functions to clear ASI page-table entries for a VA range Alexandre Chartre
2019-07-11 14:25 ` [RFC v2 12/26] mm/asi: Function to copy page-table entries for percpu buffer Alexandre Chartre
2019-07-11 14:25 ` [RFC v2 13/26] mm/asi: Add asi_remap() function Alexandre Chartre
2019-07-11 14:25 ` [RFC v2 14/26] mm/asi: Handle ASI mapped range leaks and overlaps Alexandre Chartre
2019-07-11 14:25 ` [RFC v2 15/26] mm/asi: Initialize the ASI page-table with core mappings Alexandre Chartre
2019-07-11 14:25 ` [RFC v2 16/26] mm/asi: Option to map current task into ASI Alexandre Chartre
2019-07-11 14:25 ` [RFC v2 17/26] rcu: Move tree.h static forward declarations to tree.c Alexandre Chartre
2019-07-11 14:25 ` [RFC v2 18/26] rcu: Make percpu rcu_data non-static Alexandre Chartre
2019-07-11 14:25 ` [RFC v2 19/26] mm/asi: Add option to map RCU data Alexandre Chartre
2019-07-11 14:25 ` [RFC v2 20/26] mm/asi: Add option to map cpu_hw_events Alexandre Chartre
2019-07-11 14:25 ` [RFC v2 21/26] mm/asi: Make functions to read cr3/cr4 ASI aware Alexandre Chartre
2019-07-11 14:25 ` [RFC v2 22/26] KVM: x86/asi: Introduce address_space_isolation module parameter Alexandre Chartre
2019-07-11 14:25 ` [RFC v2 23/26] KVM: x86/asi: Introduce KVM address space isolation Alexandre Chartre
2019-07-11 14:25 ` [RFC v2 24/26] KVM: x86/asi: Populate the KVM ASI page-table Alexandre Chartre
2019-07-11 14:25 ` [RFC v2 25/26] KVM: x86/asi: Switch to KVM address space on entry to guest Alexandre Chartre
2019-07-11 14:25 ` [RFC v2 26/26] KVM: x86/asi: Map KVM memslots and IO buses into KVM ASI Alexandre Chartre
2019-07-11 14:40 ` Alexandre Chartre [this message]
2019-07-11 22:38 ` [RFC v2 00/27] Kernel Address Space Isolation Dave Hansen
2019-07-12 8:09 ` Alexandre Chartre
2019-07-12 13:51 ` Dave Hansen
2019-07-12 14:06 ` Alexandre Chartre
2019-07-12 15:23 ` Thomas Gleixner
2019-07-12 15:23 ` Thomas Gleixner
2019-07-12 10:44 ` Thomas Gleixner
2019-07-12 10:44 ` Thomas Gleixner
2019-07-12 11:56 ` Alexandre Chartre
2019-07-12 12:50 ` Peter Zijlstra
2019-07-12 13:43 ` Alexandre Chartre
2019-07-12 13:58 ` Dave Hansen
2019-07-12 14:36 ` Andy Lutomirski
2019-07-12 14:36 ` Andy Lutomirski
2019-07-14 18:17 ` Alexander Graf
2019-07-12 13:54 ` Dave Hansen
2019-07-12 15:20 ` Peter Zijlstra
2019-07-12 15:16 ` Thomas Gleixner
2019-07-12 15:16 ` Thomas Gleixner
2019-07-12 16:37 ` Alexandre Chartre
2019-07-12 16:45 ` Andy Lutomirski
2019-07-14 17:11 ` Mike Rapoport
2019-07-12 19:06 ` Peter Zijlstra
2019-07-14 15:06 ` Andy Lutomirski
2019-07-14 15:06 ` Andy Lutomirski
2019-07-15 10:33 ` Peter Zijlstra
2019-07-12 19:48 ` Thomas Gleixner
2019-07-12 19:48 ` Thomas Gleixner
2019-07-15 8:23 ` Alexandre Chartre
2019-07-15 8:28 ` Thomas Gleixner
2019-07-15 8:28 ` Thomas Gleixner
2019-07-12 16:00 ` Thomas Gleixner
2019-07-12 16:00 ` Thomas Gleixner
2019-07-12 11:44 ` Peter Zijlstra
2019-07-12 12:17 ` Alexandre Chartre
2019-07-12 12:36 ` Peter Zijlstra
2019-07-12 12:47 ` Alexandre Chartre
2019-07-12 13:07 ` Peter Zijlstra
2019-07-12 13:46 ` Alexandre Chartre
2019-07-31 16:31 ` Dario Faggioli
2019-07-31 16:31 ` Dario Faggioli
2019-08-22 12:31 ` Alexandre Chartre
2020-07-01 13:55 hackapple
2020-07-01 14:00 黄金海
2020-07-01 14:02 黄金海
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=426fe24d-2ae2-782e-fcc1-ad2ede9ee68b@oracle.com \
--to=alexandre.chartre@oracle.com \
--cc=bp@alien8.de \
--cc=dave.hansen@linux.intel.com \
--cc=graf@amazon.de \
--cc=hpa@zytor.com \
--cc=jan.setjeeilers@oracle.com \
--cc=jwadams@google.com \
--cc=konrad.wilk@oracle.com \
--cc=kvm@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mm@kvack.org \
--cc=liran.alon@oracle.com \
--cc=luto@kernel.org \
--cc=mingo@redhat.com \
--cc=pbonzini@redhat.com \
--cc=peterz@infradead.org \
--cc=rkrcmar@redhat.com \
--cc=rppt@linux.vnet.ibm.com \
--cc=tglx@linutronix.de \
--cc=x86@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.