From: Mark Rutland <mark.rutland@arm.com>
To: kernel-hardening@lists.openwall.com
Cc: linux-kernel@vger.kernel.org, linux-mm@kvack.org, linux-x86_64@vger.kernel.org, juerg.haefliger@hpe.com, vpk@cs.columbia.edu
Subject: Re: [kernel-hardening] [RFC PATCH v2 0/3] Add support for eXclusive Page Frame Ownership (XPFO)
Date: Wed, 14 Sep 2016 10:36:34 +0100
Message-ID: <20160914093634.GB13121@leverpostej>
In-Reply-To: <20160914071901.8127-1-juerg.haefliger@hpe.com>

Hi,

On Wed, Sep 14, 2016 at 09:18:58AM +0200, Juerg Haefliger wrote:
> This patch series adds support for XPFO which protects against 'ret2dir'
> kernel attacks. The basic idea is to enforce exclusive ownership of page
> frames by either the kernel or userspace, unless explicitly requested by
> the kernel. Whenever a page destined for userspace is allocated, it is
> unmapped from physmap (the kernel's page table). When such a page is
> reclaimed from userspace, it is mapped back to physmap.
>
> Known issues/limitations:
>   - Only supports x86-64 (for now)
>   - Only supports 4k pages (for now)
>   - There are most likely some legitimate use cases where the kernel needs
>     to access userspace which need to be made XPFO-aware
>   - Performance penalty
>
> Reference paper by the original patch authors:
>   http://www.cs.columbia.edu/~vpk/papers/ret2dir.sec14.pdf

Just to check, doesn't DEBUG_RODATA ensure that the linear mapping is
non-executable on x86_64 (as it does for arm64)?

For both arm64 and x86_64, DEBUG_RODATA is mandatory (or soon to be so).
Assuming that implies a lack of execute permission for x86_64, that should
provide a similar level of protection against erroneously branching to
addresses in the linear map, without the complexity and overhead of
mapping/unmapping pages.

So to me it looks like this approach may only be useful for architectures
without page-granular execute permission controls.

Is this also intended to protect against erroneous *data* accesses to the
linear map?

Am I missing something?

Thanks,
Mark.
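The question above turns on the difference between branching to a physmap alias and reading or writing through it. The following user-space model, added here as an illustration and not code from the XPFO patch series, the ret2dir paper or this reply, makes that difference observable: two mappings of one backing page stand in for a frame that is visible both through a userspace PTE and through the kernel's linear map, a tmpfile() page stands in for physical memory, and mprotect(PROT_NONE) stands in for XPFO clearing the physmap PTE. The physmap alias is never given PROT_EXEC, which is the non-executable linear map DEBUG_RODATA provides; only data accesses are probed, via a SIGSEGV handler and sigsetjmp. All struct, function and flag names (frame, probe_read, xpfo_alloc_user, xpfo_free_user, run_scenario, NX_ONLY_READ_OK and friends) are this example's own and assume nothing about the kernel's API.

```c
#define _GNU_SOURCE
#include <setjmp.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Two mappings of one backing page model a physical frame visible both
 * through a userspace PTE and through the kernel's linear map (physmap).
 * All names below are this example's own, not kernel or XPFO APIs. */
struct frame {
    unsigned char *user;     /* userspace mapping of the frame */
    unsigned char *physmap;  /* kernel linear-map alias of the same frame */
    size_t size;
};

static sigjmp_buf probe_env;

static void probe_handler(int sig) { (void)sig; siglongjmp(probe_env, 1); }

/* Read one byte through p: 1 if the access succeeds, 0 if it faults. */
static int probe_read(const volatile unsigned char *p, unsigned char *out)
{
    struct sigaction sa, old_segv, old_bus;
    volatile int ok = 0;

    memset(&sa, 0, sizeof sa);
    sa.sa_handler = probe_handler;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGSEGV, &sa, &old_segv);
    sigaction(SIGBUS, &sa, &old_bus);
    /* sigsetjmp(.., 1) saves the signal mask, so the siglongjmp out of the
     * handler also unblocks the signal that was being delivered. */
    if (sigsetjmp(probe_env, 1) == 0) {
        unsigned char v = *p;
        if (out) *out = v;
        ok = 1;
    }
    sigaction(SIGSEGV, &old_segv, NULL);
    sigaction(SIGBUS, &old_bus, NULL);
    return ok;
}

/* A tmpfile() page stands in for physical memory. Neither alias ever gets
 * PROT_EXEC: that is what a non-executable linear map provides. */
static int frame_create(struct frame *f)
{
    long page = sysconf(_SC_PAGESIZE);
    FILE *backing = tmpfile();

    if (page <= 0 || !backing) return -1;
    if (ftruncate(fileno(backing), page) != 0) { fclose(backing); return -1; }
    f->size = (size_t)page;
    f->user = mmap(NULL, f->size, PROT_READ | PROT_WRITE, MAP_SHARED, fileno(backing), 0);
    f->physmap = mmap(NULL, f->size, PROT_READ | PROT_WRITE, MAP_SHARED, fileno(backing), 0);
    fclose(backing); /* the mappings keep the page alive */
    return (f->user == MAP_FAILED || f->physmap == MAP_FAILED) ? -1 : 0;
}

static void frame_destroy(struct frame *f)
{
    munmap(f->user, f->size);
    munmap(f->physmap, f->size);
}

/* XPFO alloc: the frame now belongs to userspace, so drop its physmap alias.
 * mprotect(PROT_NONE) models clearing the PTE; the real patch must also
 * flush the stale TLB entry. */
static int xpfo_alloc_user(struct frame *f)
{
    return mprotect(f->physmap, f->size, PROT_NONE);
}

/* XPFO free: the frame is reclaimed by the kernel, so map it back (still NX). */
static int xpfo_free_user(struct frame *f)
{
    return mprotect(f->physmap, f->size, PROT_READ | PROT_WRITE);
}

enum {
    NX_ONLY_READ_OK    = 1, /* physmap data read of a user page, NX only */
    XPFO_READ_OK       = 2, /* same read after XPFO removed the alias */
    AFTER_FREE_READ_OK = 4, /* read after the frame was reclaimed */
    SCENARIO_ERROR     = -1
};

/* Run the three steps; return flags for the physmap reads that succeeded. */
static int run_scenario(void)
{
    struct frame f;
    unsigned char v = 0;
    int flags = 0;

    if (frame_create(&f) != 0) return SCENARIO_ERROR;
    memset(f.user, 0x41, f.size); /* userspace fills its page */

    /* 1. NX linear map only: the alias cannot be branched to, but a kernel
     *    data access through it still reaches the user-controlled bytes. */
    if (probe_read(f.physmap, &v) && v == 0x41) flags |= NX_ONLY_READ_OK;

    /* 2. XPFO: the user-owned frame is no longer reachable via physmap. */
    if (xpfo_alloc_user(&f) != 0) { frame_destroy(&f); return SCENARIO_ERROR; }
    if (probe_read(f.physmap, &v)) flags |= XPFO_READ_OK;
    f.user[0] = 0x42; /* the owner keeps using the page normally */

    /* 3. Reclaimed from userspace: mapped back, the kernel sees the new data. */
    if (xpfo_free_user(&f) != 0) { frame_destroy(&f); return SCENARIO_ERROR; }
    if (probe_read(f.physmap, &v) && v == 0x42) flags |= AFTER_FREE_READ_OK;

    frame_destroy(&f);
    return flags;
}

int main(void)
{
    int r = run_scenario();

    if (r == SCENARIO_ERROR) { fprintf(stderr, "setup failed\n"); return 1; }
    printf("NX-only physmap read of user page: %s\n", (r & NX_ONLY_READ_OK) ? "succeeded" : "faulted");
    printf("XPFO physmap read of user page:    %s\n", (r & XPFO_READ_OK) ? "succeeded" : "faulted");
    printf("physmap read after reclaim:        %s\n", (r & AFTER_FREE_READ_OK) ? "succeeded" : "faulted");
    return 0;
}
```

With only the NX alias in place (step 1) the read through physmap succeeds, which is the data-access gap the question asks about; after the XPFO-style unmap (step 2) the same read faults, and it succeeds again once the frame is reclaimed (step 3). The model deliberately leaves out what the real series has to handle on top of this: the TLB flush when the alias is torn down, the temporary kmap-style remapping for legitimate kernel accesses, and the cost of doing this on every page allocation and free.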