From: Ard Biesheuvel <ardb@kernel.org>
To: Catalin Marinas <catalin.marinas@arm.com>
Cc: Linux ARM <linux-arm-kernel@lists.infradead.org>,
	Marc Zyngier <maz@kernel.org>,  Will Deacon <will@kernel.org>,
	Mark Rutland <mark.rutland@arm.com>,
	 Anshuman Khandual <anshuman.khandual@arm.com>,
	Quentin Perret <qperret@google.com>,
	 Android Kernel Team <kernel-team@android.com>
Subject: Re: [PATCH 2/2] arm64: mm: use XN table mapping attributes for the linear region
Date: Fri, 5 Mar 2021 20:17:07 +0100
Message-ID: <CAMj1kXGHz9bRneJkkEzirTjAuSsatoLMvc+aAXVxgrXbL2XXZg@mail.gmail.com>
In-Reply-To: <20210305190600.GK23855@arm.com>

On Fri, 5 Mar 2021 at 20:06, Catalin Marinas <catalin.marinas@arm.com> wrote:
>
> On Thu, Mar 04, 2021 at 06:11:45PM +0100, Ard Biesheuvel wrote:
> > The way the arm64 kernel virtual address space is constructed guarantees
> > that swapper PGD entries are never shared between the linear region on
> > the one hand, and the vmalloc region on the other, which is where all
> > kernel text, module text and BPF text mappings reside.
> >
> > This means that mappings in the linear region (which never require
> > executable permissions) never share any table entries at any level with
> > mappings that do require executable permissions, and so we can set the
> > table-level PXN/UXN attributes for all table entries that are created
> > while setting up mappings in the linear region. Since swapper's PGD
> > level page table is mapped r/o itself, this adds another layer of
> > robustness to the way the kernel manages its own page tables.
>
> In ARMv8.1 the architecture added the possibility of disabling the
> hierarchical page table permissions (FEAT_HPDS) so that we can use these
> bits for software.
>

Sure, but I don't think there is a shortage of software bits in table
descriptors, right? And we don't enable the feature in the first
place.

> Is there any big advantage to using the hierarchical permissions vs
> some sanity check in set_pte() for example?
>

There is a big advantage: the fact that the permissions are both
hierarchical and subtractive.

Sanity checks in set_pte() only cover page mappings that were created
in the correct way. But that does not help us if an attacker manages a
single 64-bit write that creates a page or table entry pointing to a
page under their control. Taking away the exec permissions at the
levels above makes it much more difficult to carry out such an attack,
especially given that the root level is not mapped read-write to begin
with.

_______________________________________________
linux-arm-kernel mailing list
linux-arm-kernel@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-arm-kernel
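
The "hierarchical and subtractive" property discussed in the message above, as an added example that is not part of the thread or the patch: a small model of a stage 1 walk showing that a forged page or table entry with its own PXN bits clear is still non-executable at EL1 when a table descriptor above it carries PXNTable. The function and macro names are hypothetical, and the descriptors are constructed sample values.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* VMSAv8-64 stage 1 descriptor bits (architectural bit positions). */
#define DESC_VALID (1ULL << 0)
#define DESC_TABLE (1ULL << 1)  /* levels 0-2: next-level table; level 3: page */
#define LEAF_PXN   (1ULL << 53) /* PXN in a block or page descriptor */
#define TABLE_PXN  (1ULL << 59) /* PXNTable in a table descriptor */

/*
 * Hypothetical model of one translation walk. path[] holds the descriptor
 * read at each level, root first. Returns true if EL1 may execute from the
 * resulting mapping. PXNTable accumulates on the way down and can only take
 * the permission away. Other controls (WXN, AP bits, UXN) are left out.
 */
bool el1_can_exec(const uint64_t *path, size_t levels)
{
    bool pxn = false;
    for (size_t i = 0; i < levels; i++) {
        uint64_t d = path[i];
        if (!(d & DESC_VALID))
            return false;                   /* translation fault */
        if (i + 1 == levels || !(d & DESC_TABLE))
            return !pxn && !(d & LEAF_PXN); /* block or page: walk ends */
        pxn = pxn || (d & TABLE_PXN);
    }
    return false;
}

/* Constructed descriptors; the output addresses are arbitrary sample values. */
#define FORGED_PAGE  (0x80000000ULL | DESC_VALID | DESC_TABLE) /* PXN clear */
#define FORGED_TABLE (0x80001000ULL | DESC_VALID | DESC_TABLE) /* PXNTable clear */

/* One stray write plants a page entry, or a level 2 table entry, below legitimate tables. */
bool forged_exec(bool tables_pxn, bool forge_table)
{
    uint64_t t = 0x40000000ULL | DESC_VALID | DESC_TABLE | (tables_pxn ? TABLE_PXN : 0);
    uint64_t path[] = { t, t, forge_table ? FORGED_TABLE : t, FORGED_PAGE };
    return el1_can_exec(path, 4);
}

int main(void)
{
    printf("PXNTable set: %d, clear: %d\n", forged_exec(true, false), forged_exec(false, false));
    return 0;
}
```

A check placed in set_pte() never sees either forged descriptor, because neither was written through it; the table-level bit is evaluated by the walk itself.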
