From: Kees Cook <keescook@chromium.org>
To: Kevin Hilman <khilman@kernel.org>
Cc: info@kernelci.org,
Russell King - ARM Linux <linux@arm.linux.org.uk>,
Laura Abbott <labbott@fedoraproject.org>,
Catalin Marinas <catalin.marinas@arm.com>,
Will Deacon <will.deacon@arm.com>,
"linux-arm-kernel@lists.infradead.org"
<linux-arm-kernel@lists.infradead.org>,
LKML <linux-kernel@vger.kernel.org>,
Linux-MM <linux-mm@kvack.org>, Laura Abbott <labbott@redhat.com>,
Shuah Khan <shuahkh@osg.samsung.com>,
Tyler Baker <tyler.baker@linaro.org>
Subject: Re: [PATCH] arm: Use kernel mm when updating section permissions
Date: Fri, 6 Nov 2015 13:19:46 -0800 [thread overview]
Message-ID: <CAGXu5jJnjHkkX3y31y5LJFhNrP=A8_BASg2MUR5rwA5MLPeVQg@mail.gmail.com> (raw)
In-Reply-To: <7h8u6ahm7d.fsf@deeprootsystems.com>
On Fri, Nov 6, 2015 at 1:06 PM, Kevin Hilman <khilman@kernel.org> wrote:
> Kees Cook <keescook@chromium.org> writes:
>
>> On Fri, Nov 6, 2015 at 12:11 PM, Kevin Hilman <khilman@kernel.org> wrote:
>>> On Fri, Nov 6, 2015 at 11:12 AM, Kees Cook <keescook@chromium.org> wrote:
>>>
>>> [...]
>>>
>>>> Hi Kevin and Kernel CI folks,
>>>>
>>>> Could lkdtm get added to the kernel-CI workflows? Extracting and
>>>> validating Oops details when poking lkdtm would be extremely valuable
>>>> for these cases. :)
>>>
>>> Yeah, we can add that.
>>>
>>> What arches should we expect this to be working on? For starters
>>
>> This is a great question. ;) They're a mix of CONFIG and hardware
>> feature specific, so probably they should be run on all architectures
>> and we can figure out what's missing in each case.
>>
>> Everything built with CONFIG_DEBUG_RODATA should pass these:
>>
>> WRITE_RO
>> WRITE_KERN
>> EXEC_DATA
>> EXEC_STACK
>> EXEC_KMALLOC
>> EXEC_VMALLOC
>>
>> But architectures without CONFIG_DEBUG_RODATA should be shamed. ;)
>>
>> Passing EXEC_USERSPACE requires SMEP on x86, and PXN on arm64.
>> Passing ACCESS_USERSPACE rquires SMAP on x86, and PAN on arm64.
>>
>> The recent PAN emulation CONFIG_CPU_SW_DOMAIN_PAN on non-LPAE arm
>> should cover ACCESS_USERSPACE too, and maybe EXEC_USERSPACE, but I
>> haven't taken a close look.
>
> A quick test on arm32 and both ACCESS_ and EXEC_USERSPACE tests pass
> (meaning they trigger the WARNs).
I'd expect a full Oops, not a WARN, but maybe CONFIG_CPU_SW_DOMAIN_PAN
needs to use a bigger hammer.
Russell, what sort of trap is DOMAIN_PAN expected to be triggering?
>> It might be useful, frankly, to test everything in lkdtm.
>
> So I gave this a quick spin on an ARM board (qcom-apq8064-ifc6410)
> using a dumb script[1] (for now avoiding the tests that cause a lockup
> so I can test multiple features without a reboot.) Seems like most of
> them are producing a failure.
>
> However, this got me to thinking that one should probably write a
> kselftest for this feature, and catch quite a few issues with the ones
> that don't cause a hard lockup. One would just need to be a bit smarter
> than my script and do something to trap SIG* (or the parent catching
> SIGCHLD) in order to be able to help determine failure, then grab the
> dmesg and log it.
>
> Having these test integrated into kselftest, and maintained along with
> the the kernel features would be *way* better than trying to maintain a
> set of tests in kernel CI for this feature, since right now we're
> working just building/running all the selftests automatically.
>
> What do you think about coming up with a kselftest for this stuff? At
> least the non-lockup stuff?
Well, all the stuff I wrote tests for in lkdtm expect the kernel to
entirely Oops, and examining the Oops from outside is needed to verify
it was the correct type of Oops. I don't think testing via lkdtm can
be done from kselftest sensibly.
-Kees
>
> I'm not volunteering to write up the kselftest, but I will guarantee
> that it get run on a broad range of boards once it exists. :)
>
> Kevin
>
> [1]
> #!/bin/sh
>
> crash_test_dummy() {
> echo $1> /sys/kernel/debug/provoke-crash/DIRECT
> }
>
> # Find all the tests that don't lockup
> TESTS=$(cat /sys/kernel/debug/provoke-crash/DIRECT |grep -v types| grep -v LOCK |grep -v PANIC)
>
> for test in $TESTS; do
> echo "Performing test: $test"
> crash_test_dummy $test &
> sleep 1
> done
--
Kees Cook
Chrome OS Security
WARNING: multiple messages have this Message-ID (diff)
From: Kees Cook <keescook@chromium.org>
To: Kevin Hilman <khilman@kernel.org>
Cc: info@kernelci.org,
Russell King - ARM Linux <linux@arm.linux.org.uk>,
Laura Abbott <labbott@fedoraproject.org>,
Catalin Marinas <catalin.marinas@arm.com>,
Will Deacon <will.deacon@arm.com>,
"linux-arm-kernel@lists.infradead.org"
<linux-arm-kernel@lists.infradead.org>,
LKML <linux-kernel@vger.kernel.org>,
Linux-MM <linux-mm@kvack.org>, Laura Abbott <labbott@redhat.com>,
Shuah Khan <shuahkh@osg.samsung.com>,
Tyler Baker <tyler.baker@linaro.org>
Subject: Re: [PATCH] arm: Use kernel mm when updating section permissions
Date: Fri, 6 Nov 2015 13:19:46 -0800 [thread overview]
Message-ID: <CAGXu5jJnjHkkX3y31y5LJFhNrP=A8_BASg2MUR5rwA5MLPeVQg@mail.gmail.com> (raw)
In-Reply-To: <7h8u6ahm7d.fsf@deeprootsystems.com>
On Fri, Nov 6, 2015 at 1:06 PM, Kevin Hilman <khilman@kernel.org> wrote:
> Kees Cook <keescook@chromium.org> writes:
>
>> On Fri, Nov 6, 2015 at 12:11 PM, Kevin Hilman <khilman@kernel.org> wrote:
>>> On Fri, Nov 6, 2015 at 11:12 AM, Kees Cook <keescook@chromium.org> wrote:
>>>
>>> [...]
>>>
>>>> Hi Kevin and Kernel CI folks,
>>>>
>>>> Could lkdtm get added to the kernel-CI workflows? Extracting and
>>>> validating Oops details when poking lkdtm would be extremely valuable
>>>> for these cases. :)
>>>
>>> Yeah, we can add that.
>>>
>>> What arches should we expect this to be working on? For starters
>>
>> This is a great question. ;) They're a mix of CONFIG and hardware
>> feature specific, so probably they should be run on all architectures
>> and we can figure out what's missing in each case.
>>
>> Everything built with CONFIG_DEBUG_RODATA should pass these:
>>
>> WRITE_RO
>> WRITE_KERN
>> EXEC_DATA
>> EXEC_STACK
>> EXEC_KMALLOC
>> EXEC_VMALLOC
>>
>> But architectures without CONFIG_DEBUG_RODATA should be shamed. ;)
>>
>> Passing EXEC_USERSPACE requires SMEP on x86, and PXN on arm64.
>> Passing ACCESS_USERSPACE rquires SMAP on x86, and PAN on arm64.
>>
>> The recent PAN emulation CONFIG_CPU_SW_DOMAIN_PAN on non-LPAE arm
>> should cover ACCESS_USERSPACE too, and maybe EXEC_USERSPACE, but I
>> haven't taken a close look.
>
> A quick test on arm32 and both ACCESS_ and EXEC_USERSPACE tests pass
> (meaning they trigger the WARNs).
I'd expect a full Oops, not a WARN, but maybe CONFIG_CPU_SW_DOMAIN_PAN
needs to use a bigger hammer.
Russell, what sort of trap is DOMAIN_PAN expected to be triggering?
>> It might be useful, frankly, to test everything in lkdtm.
>
> So I gave this a quick spin on an ARM board (qcom-apq8064-ifc6410)
> using a dumb script[1] (for now avoiding the tests that cause a lockup
> so I can test multiple features without a reboot.) Seems like most of
> them are producing a failure.
>
> However, this got me to thinking that one should probably write a
> kselftest for this feature, and catch quite a few issues with the ones
> that don't cause a hard lockup. One would just need to be a bit smarter
> than my script and do something to trap SIG* (or the parent catching
> SIGCHLD) in order to be able to help determine failure, then grab the
> dmesg and log it.
>
> Having these test integrated into kselftest, and maintained along with
> the the kernel features would be *way* better than trying to maintain a
> set of tests in kernel CI for this feature, since right now we're
> working just building/running all the selftests automatically.
>
> What do you think about coming up with a kselftest for this stuff? At
> least the non-lockup stuff?
Well, all the stuff I wrote tests for in lkdtm expect the kernel to
entirely Oops, and examining the Oops from outside is needed to verify
it was the correct type of Oops. I don't think testing via lkdtm can
be done from kselftest sensibly.
-Kees
>
> I'm not volunteering to write up the kselftest, but I will guarantee
> that it get run on a broad range of boards once it exists. :)
>
> Kevin
>
> [1]
> #!/bin/sh
>
> crash_test_dummy() {
> echo $1> /sys/kernel/debug/provoke-crash/DIRECT
> }
>
> # Find all the tests that don't lockup
> TESTS=$(cat /sys/kernel/debug/provoke-crash/DIRECT |grep -v types| grep -v LOCK |grep -v PANIC)
>
> for test in $TESTS; do
> echo "Performing test: $test"
> crash_test_dummy $test &
> sleep 1
> done
--
Kees Cook
Chrome OS Security
--
To unsubscribe, send a message with 'unsubscribe linux-mm' in
the body to majordomo@kvack.org. For more info on Linux MM,
see: http://www.linux-mm.org/ .
Don't email: <a href=mailto:"dont@kvack.org"> email@kvack.org </a>
WARNING: multiple messages have this Message-ID (diff)
From: keescook@chromium.org (Kees Cook)
To: linux-arm-kernel@lists.infradead.org
Subject: [PATCH] arm: Use kernel mm when updating section permissions
Date: Fri, 6 Nov 2015 13:19:46 -0800 [thread overview]
Message-ID: <CAGXu5jJnjHkkX3y31y5LJFhNrP=A8_BASg2MUR5rwA5MLPeVQg@mail.gmail.com> (raw)
In-Reply-To: <7h8u6ahm7d.fsf@deeprootsystems.com>
On Fri, Nov 6, 2015 at 1:06 PM, Kevin Hilman <khilman@kernel.org> wrote:
> Kees Cook <keescook@chromium.org> writes:
>
>> On Fri, Nov 6, 2015 at 12:11 PM, Kevin Hilman <khilman@kernel.org> wrote:
>>> On Fri, Nov 6, 2015 at 11:12 AM, Kees Cook <keescook@chromium.org> wrote:
>>>
>>> [...]
>>>
>>>> Hi Kevin and Kernel CI folks,
>>>>
>>>> Could lkdtm get added to the kernel-CI workflows? Extracting and
>>>> validating Oops details when poking lkdtm would be extremely valuable
>>>> for these cases. :)
>>>
>>> Yeah, we can add that.
>>>
>>> What arches should we expect this to be working on? For starters
>>
>> This is a great question. ;) They're a mix of CONFIG and hardware
>> feature specific, so probably they should be run on all architectures
>> and we can figure out what's missing in each case.
>>
>> Everything built with CONFIG_DEBUG_RODATA should pass these:
>>
>> WRITE_RO
>> WRITE_KERN
>> EXEC_DATA
>> EXEC_STACK
>> EXEC_KMALLOC
>> EXEC_VMALLOC
>>
>> But architectures without CONFIG_DEBUG_RODATA should be shamed. ;)
>>
>> Passing EXEC_USERSPACE requires SMEP on x86, and PXN on arm64.
>> Passing ACCESS_USERSPACE rquires SMAP on x86, and PAN on arm64.
>>
>> The recent PAN emulation CONFIG_CPU_SW_DOMAIN_PAN on non-LPAE arm
>> should cover ACCESS_USERSPACE too, and maybe EXEC_USERSPACE, but I
>> haven't taken a close look.
>
> A quick test on arm32 and both ACCESS_ and EXEC_USERSPACE tests pass
> (meaning they trigger the WARNs).
I'd expect a full Oops, not a WARN, but maybe CONFIG_CPU_SW_DOMAIN_PAN
needs to use a bigger hammer.
Russell, what sort of trap is DOMAIN_PAN expected to be triggering?
>> It might be useful, frankly, to test everything in lkdtm.
>
> So I gave this a quick spin on an ARM board (qcom-apq8064-ifc6410)
> using a dumb script[1] (for now avoiding the tests that cause a lockup
> so I can test multiple features without a reboot.) Seems like most of
> them are producing a failure.
>
> However, this got me to thinking that one should probably write a
> kselftest for this feature, and catch quite a few issues with the ones
> that don't cause a hard lockup. One would just need to be a bit smarter
> than my script and do something to trap SIG* (or the parent catching
> SIGCHLD) in order to be able to help determine failure, then grab the
> dmesg and log it.
>
> Having these test integrated into kselftest, and maintained along with
> the the kernel features would be *way* better than trying to maintain a
> set of tests in kernel CI for this feature, since right now we're
> working just building/running all the selftests automatically.
>
> What do you think about coming up with a kselftest for this stuff? At
> least the non-lockup stuff?
Well, all the stuff I wrote tests for in lkdtm expect the kernel to
entirely Oops, and examining the Oops from outside is needed to verify
it was the correct type of Oops. I don't think testing via lkdtm can
be done from kselftest sensibly.
-Kees
>
> I'm not volunteering to write up the kselftest, but I will guarantee
> that it get run on a broad range of boards once it exists. :)
>
> Kevin
>
> [1]
> #!/bin/sh
>
> crash_test_dummy() {
> echo $1> /sys/kernel/debug/provoke-crash/DIRECT
> }
>
> # Find all the tests that don't lockup
> TESTS=$(cat /sys/kernel/debug/provoke-crash/DIRECT |grep -v types| grep -v LOCK |grep -v PANIC)
>
> for test in $TESTS; do
> echo "Performing test: $test"
> crash_test_dummy $test &
> sleep 1
> done
--
Kees Cook
Chrome OS Security
next prev parent reply other threads:[~2015-11-06 21:19 UTC|newest]
Thread overview: 66+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-11-05 1:00 [PATCH] arm: Use kernel mm when updating section permissions Laura Abbott
2015-11-05 1:00 ` Laura Abbott
2015-11-05 1:00 ` Laura Abbott
2015-11-05 1:06 ` Kees Cook
2015-11-05 1:06 ` Kees Cook
2015-11-05 1:06 ` Kees Cook
2015-11-05 1:13 ` Kees Cook
2015-11-05 1:13 ` Kees Cook
2015-11-05 1:13 ` Kees Cook
2015-11-05 9:46 ` Russell King - ARM Linux
2015-11-05 9:46 ` Russell King - ARM Linux
2015-11-05 9:46 ` Russell King - ARM Linux
2015-11-05 16:20 ` Laura Abbott
2015-11-05 16:20 ` Laura Abbott
2015-11-05 16:20 ` Laura Abbott
2015-11-05 16:27 ` Russell King - ARM Linux
2015-11-05 16:27 ` Russell King - ARM Linux
2015-11-05 16:27 ` Russell King - ARM Linux
2015-11-06 1:05 ` Laura Abbott
2015-11-06 1:05 ` Laura Abbott
2015-11-06 1:05 ` Laura Abbott
2015-11-06 1:15 ` Kees Cook
2015-11-06 1:15 ` Kees Cook
2015-11-06 1:15 ` Kees Cook
2015-11-06 18:44 ` Laura Abbott
2015-11-06 18:44 ` Laura Abbott
2015-11-06 18:44 ` Laura Abbott
2015-11-06 19:08 ` Kees Cook
2015-11-06 19:08 ` Kees Cook
2015-11-06 19:08 ` Kees Cook
2015-11-06 19:12 ` Kees Cook
2015-11-06 19:12 ` Kees Cook
2015-11-06 19:12 ` Kees Cook
2015-11-06 20:11 ` Kevin Hilman
2015-11-06 20:11 ` Kevin Hilman
2015-11-06 20:11 ` Kevin Hilman
2015-11-06 20:28 ` Kees Cook
2015-11-06 20:28 ` Kees Cook
2015-11-06 20:28 ` Kees Cook
2015-11-06 21:06 ` Kevin Hilman
2015-11-06 21:06 ` Kevin Hilman
2015-11-06 21:06 ` Kevin Hilman
2015-11-06 21:19 ` Kees Cook [this message]
2015-11-06 21:19 ` Kees Cook
2015-11-06 21:19 ` Kees Cook
2015-11-06 22:37 ` Kevin Hilman
2015-11-06 22:37 ` Kevin Hilman
2015-11-06 22:37 ` Kevin Hilman
2015-11-06 23:05 ` Kevin Hilman
2015-11-06 23:05 ` Kevin Hilman
2015-11-06 23:05 ` Kevin Hilman
2015-11-06 23:47 ` Kees Cook
2015-11-06 23:47 ` Kees Cook
2015-11-06 23:47 ` Kees Cook
2015-11-06 20:46 ` Russell King - ARM Linux
2015-11-06 20:46 ` Russell King - ARM Linux
2015-11-06 20:46 ` Russell King - ARM Linux
2015-11-06 23:41 ` Laura Abbott
2015-11-06 23:41 ` Laura Abbott
2015-11-06 23:41 ` Laura Abbott
2015-11-06 23:49 ` Kees Cook
2015-11-06 23:49 ` Kees Cook
2015-11-06 23:49 ` Kees Cook
2015-11-07 0:20 ` Laura Abbott
2015-11-07 0:20 ` Laura Abbott
2015-11-07 0:20 ` Laura Abbott
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to='CAGXu5jJnjHkkX3y31y5LJFhNrP=A8_BASg2MUR5rwA5MLPeVQg@mail.gmail.com' \
--to=keescook@chromium.org \
--cc=catalin.marinas@arm.com \
--cc=info@kernelci.org \
--cc=khilman@kernel.org \
--cc=labbott@fedoraproject.org \
--cc=labbott@redhat.com \
--cc=linux-arm-kernel@lists.infradead.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mm@kvack.org \
--cc=linux@arm.linux.org.uk \
--cc=shuahkh@osg.samsung.com \
--cc=tyler.baker@linaro.org \
--cc=will.deacon@arm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.