From: Juerg Haefliger <juerg.haefliger@hpe.com>
To: linux-kernel@vger.kernel.org, linux-mm@kvack.org,
kernel-hardening@lists.openwall.com,
linux-x86_64@vger.kernel.org
Cc: vpk@cs.columbia.edu, juerg.haefliger@hpe.com
Subject: [RFC PATCH v3 0/2] Add support for eXclusive Page Frame Ownership (XPFO)
Date: Fri, 4 Nov 2016 15:45:32 +0100 [thread overview]
Message-ID: <20161104144534.14790-1-juerg.haefliger@hpe.com> (raw)
In-Reply-To: <20160914071901.8127-1-juerg.haefliger@hpe.com>
Changes from:
v2 -> v3:
- Removed 'depends on DEBUG_KERNEL' and 'select DEBUG_TLBFLUSH'.
These are left-overs from the original patch and are not required.
- Make libata XPFO-aware, i.e., properly handle pages that were
unmapped by XPFO. This takes care of the temporary hack in v2 that
forced the use of a bounce buffer in block/blk-map.c.
v1 -> v2:
- Moved the code from arch/x86/mm/ to mm/ since it's (mostly)
arch-agnostic.
- Moved the config to the generic layer and added ARCH_SUPPORTS_XPFO
for x86.
- Use page_ext for the additional per-page data.
- Removed the clearing of pages. This can be accomplished by using
PAGE_POISONING.
- Split up the patch into multiple patches.
- Fixed additional issues identified by reviewers.
This patch series adds support for XPFO which protects against 'ret2dir'
kernel attacks. The basic idea is to enforce exclusive ownership of page
frames by either the kernel or userspace, unless explicitly requested by
the kernel. Whenever a page destined for userspace is allocated, it is
unmapped from physmap (removed from the kernel's page table). When such a
page is reclaimed from userspace, it is mapped back to physmap.
Additional fields in the page_ext struct are used for XPFO housekeeping.
Specifically two flags to distinguish user vs. kernel pages and to tag
unmapped pages and a reference counter to balance kmap/kunmap operations
and a lock to serialize access to the XPFO fields.
Known issues/limitations:
- Only supports x86-64 (for now)
- Only supports 4k pages (for now)
- There are most likely some legitimate uses cases where the kernel needs
to access userspace which need to be made XPFO-aware
- Performance penalty
Reference paper by the original patch authors:
http://www.cs.columbia.edu/~vpk/papers/ret2dir.sec14.pdf
Juerg Haefliger (2):
Add support for eXclusive Page Frame Ownership (XPFO)
xpfo: Only put previous userspace pages into the hot cache
arch/x86/Kconfig | 3 +-
arch/x86/mm/init.c | 2 +-
drivers/ata/libata-sff.c | 4 +-
include/linux/highmem.h | 15 +++-
include/linux/page_ext.h | 7 ++
include/linux/xpfo.h | 41 +++++++++
lib/swiotlb.c | 3 +-
mm/Makefile | 1 +
mm/page_alloc.c | 10 ++-
mm/page_ext.c | 4 +
mm/xpfo.c | 214 +++++++++++++++++++++++++++++++++++++++++++++++
security/Kconfig | 19 +++++
12 files changed, 315 insertions(+), 8 deletions(-)
create mode 100644 include/linux/xpfo.h
create mode 100644 mm/xpfo.c
--
2.10.1
WARNING: multiple messages have this Message-ID (diff)
From: Juerg Haefliger <juerg.haefliger@hpe.com>
To: linux-kernel@vger.kernel.org, linux-mm@kvack.org,
kernel-hardening@lists.openwall.com,
linux-x86_64@vger.kernel.org
Cc: vpk@cs.columbia.edu, juerg.haefliger@hpe.com
Subject: [RFC PATCH v3 0/2] Add support for eXclusive Page Frame Ownership (XPFO)
Date: Fri, 4 Nov 2016 15:45:32 +0100 [thread overview]
Message-ID: <20161104144534.14790-1-juerg.haefliger@hpe.com> (raw)
In-Reply-To: <20160914071901.8127-1-juerg.haefliger@hpe.com>
Changes from:
v2 -> v3:
- Removed 'depends on DEBUG_KERNEL' and 'select DEBUG_TLBFLUSH'.
These are left-overs from the original patch and are not required.
- Make libata XPFO-aware, i.e., properly handle pages that were
unmapped by XPFO. This takes care of the temporary hack in v2 that
forced the use of a bounce buffer in block/blk-map.c.
v1 -> v2:
- Moved the code from arch/x86/mm/ to mm/ since it's (mostly)
arch-agnostic.
- Moved the config to the generic layer and added ARCH_SUPPORTS_XPFO
for x86.
- Use page_ext for the additional per-page data.
- Removed the clearing of pages. This can be accomplished by using
PAGE_POISONING.
- Split up the patch into multiple patches.
- Fixed additional issues identified by reviewers.
This patch series adds support for XPFO which protects against 'ret2dir'
kernel attacks. The basic idea is to enforce exclusive ownership of page
frames by either the kernel or userspace, unless explicitly requested by
the kernel. Whenever a page destined for userspace is allocated, it is
unmapped from physmap (removed from the kernel's page table). When such a
page is reclaimed from userspace, it is mapped back to physmap.
Additional fields in the page_ext struct are used for XPFO housekeeping.
Specifically two flags to distinguish user vs. kernel pages and to tag
unmapped pages and a reference counter to balance kmap/kunmap operations
and a lock to serialize access to the XPFO fields.
Known issues/limitations:
- Only supports x86-64 (for now)
- Only supports 4k pages (for now)
- There are most likely some legitimate uses cases where the kernel needs
to access userspace which need to be made XPFO-aware
- Performance penalty
Reference paper by the original patch authors:
http://www.cs.columbia.edu/~vpk/papers/ret2dir.sec14.pdf
Juerg Haefliger (2):
Add support for eXclusive Page Frame Ownership (XPFO)
xpfo: Only put previous userspace pages into the hot cache
arch/x86/Kconfig | 3 +-
arch/x86/mm/init.c | 2 +-
drivers/ata/libata-sff.c | 4 +-
include/linux/highmem.h | 15 +++-
include/linux/page_ext.h | 7 ++
include/linux/xpfo.h | 41 +++++++++
lib/swiotlb.c | 3 +-
mm/Makefile | 1 +
mm/page_alloc.c | 10 ++-
mm/page_ext.c | 4 +
mm/xpfo.c | 214 +++++++++++++++++++++++++++++++++++++++++++++++
security/Kconfig | 19 +++++
12 files changed, 315 insertions(+), 8 deletions(-)
create mode 100644 include/linux/xpfo.h
create mode 100644 mm/xpfo.c
--
2.10.1
--
To unsubscribe, send a message with 'unsubscribe linux-mm' in
the body to majordomo@kvack.org. For more info on Linux MM,
see: http://www.linux-mm.org/ .
Don't email: <a href=mailto:"dont@kvack.org"> email@kvack.org </a>
WARNING: multiple messages have this Message-ID (diff)
From: Juerg Haefliger <juerg.haefliger@hpe.com>
To: linux-kernel@vger.kernel.org, linux-mm@kvack.org,
kernel-hardening@lists.openwall.com,
linux-x86_64@vger.kernel.org
Cc: vpk@cs.columbia.edu, juerg.haefliger@hpe.com
Subject: [kernel-hardening] [RFC PATCH v3 0/2] Add support for eXclusive Page Frame Ownership (XPFO)
Date: Fri, 4 Nov 2016 15:45:32 +0100 [thread overview]
Message-ID: <20161104144534.14790-1-juerg.haefliger@hpe.com> (raw)
In-Reply-To: <20160914071901.8127-1-juerg.haefliger@hpe.com>
Changes from:
v2 -> v3:
- Removed 'depends on DEBUG_KERNEL' and 'select DEBUG_TLBFLUSH'.
These are left-overs from the original patch and are not required.
- Make libata XPFO-aware, i.e., properly handle pages that were
unmapped by XPFO. This takes care of the temporary hack in v2 that
forced the use of a bounce buffer in block/blk-map.c.
v1 -> v2:
- Moved the code from arch/x86/mm/ to mm/ since it's (mostly)
arch-agnostic.
- Moved the config to the generic layer and added ARCH_SUPPORTS_XPFO
for x86.
- Use page_ext for the additional per-page data.
- Removed the clearing of pages. This can be accomplished by using
PAGE_POISONING.
- Split up the patch into multiple patches.
- Fixed additional issues identified by reviewers.
This patch series adds support for XPFO which protects against 'ret2dir'
kernel attacks. The basic idea is to enforce exclusive ownership of page
frames by either the kernel or userspace, unless explicitly requested by
the kernel. Whenever a page destined for userspace is allocated, it is
unmapped from physmap (removed from the kernel's page table). When such a
page is reclaimed from userspace, it is mapped back to physmap.
Additional fields in the page_ext struct are used for XPFO housekeeping.
Specifically two flags to distinguish user vs. kernel pages and to tag
unmapped pages and a reference counter to balance kmap/kunmap operations
and a lock to serialize access to the XPFO fields.
Known issues/limitations:
- Only supports x86-64 (for now)
- Only supports 4k pages (for now)
- There are most likely some legitimate uses cases where the kernel needs
to access userspace which need to be made XPFO-aware
- Performance penalty
Reference paper by the original patch authors:
http://www.cs.columbia.edu/~vpk/papers/ret2dir.sec14.pdf
Juerg Haefliger (2):
Add support for eXclusive Page Frame Ownership (XPFO)
xpfo: Only put previous userspace pages into the hot cache
arch/x86/Kconfig | 3 +-
arch/x86/mm/init.c | 2 +-
drivers/ata/libata-sff.c | 4 +-
include/linux/highmem.h | 15 +++-
include/linux/page_ext.h | 7 ++
include/linux/xpfo.h | 41 +++++++++
lib/swiotlb.c | 3 +-
mm/Makefile | 1 +
mm/page_alloc.c | 10 ++-
mm/page_ext.c | 4 +
mm/xpfo.c | 214 +++++++++++++++++++++++++++++++++++++++++++++++
security/Kconfig | 19 +++++
12 files changed, 315 insertions(+), 8 deletions(-)
create mode 100644 include/linux/xpfo.h
create mode 100644 mm/xpfo.c
--
2.10.1
next prev parent reply other threads:[~2016-11-04 14:45 UTC|newest]
Thread overview: 93+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-02-26 14:21 [RFC PATCH] Add support for eXclusive Page Frame Ownership (XPFO) Juerg Haefliger
2016-02-26 14:21 ` Juerg Haefliger
2016-03-01 1:31 ` Laura Abbott
2016-03-01 1:31 ` Laura Abbott
2016-03-21 8:37 ` Juerg Haefliger
2016-03-21 8:37 ` Juerg Haefliger
2016-03-28 19:29 ` Laura Abbott
2016-03-28 19:29 ` Laura Abbott
2016-03-01 2:10 ` Balbir Singh
2016-03-01 2:10 ` Balbir Singh
2016-03-21 8:44 ` Juerg Haefliger
2016-03-21 8:44 ` Juerg Haefliger
2016-04-01 0:21 ` Balbir Singh
2016-04-01 0:21 ` Balbir Singh
2016-09-02 11:39 ` [RFC PATCH v2 0/3] " Juerg Haefliger
2016-09-02 11:39 ` [kernel-hardening] " Juerg Haefliger
2016-09-02 11:39 ` Juerg Haefliger
2016-09-02 11:39 ` [RFC PATCH v2 1/3] " Juerg Haefliger
2016-09-02 11:39 ` [kernel-hardening] " Juerg Haefliger
2016-09-02 11:39 ` Juerg Haefliger
2016-09-02 11:39 ` [RFC PATCH v2 2/3] xpfo: Only put previous userspace pages into the hot cache Juerg Haefliger
2016-09-02 11:39 ` [kernel-hardening] " Juerg Haefliger
2016-09-02 11:39 ` Juerg Haefliger
2016-09-02 20:39 ` Dave Hansen
2016-09-02 20:39 ` [kernel-hardening] " Dave Hansen
2016-09-02 20:39 ` Dave Hansen
2016-09-05 11:54 ` Juerg Haefliger
2016-09-05 11:54 ` [kernel-hardening] " Juerg Haefliger
2016-09-02 11:39 ` [RFC PATCH v2 3/3] block: Always use a bounce buffer when XPFO is enabled Juerg Haefliger
2016-09-02 11:39 ` [kernel-hardening] " Juerg Haefliger
2016-09-02 11:39 ` Juerg Haefliger
2016-09-14 7:18 ` [RFC PATCH v2 0/3] Add support for eXclusive Page Frame Ownership (XPFO) Juerg Haefliger
2016-09-14 7:18 ` [kernel-hardening] " Juerg Haefliger
2016-09-14 7:18 ` Juerg Haefliger
2016-09-14 7:18 ` [RFC PATCH v2 1/3] " Juerg Haefliger
2016-09-14 7:18 ` [kernel-hardening] " Juerg Haefliger
2016-09-14 7:18 ` Juerg Haefliger
2016-09-14 7:19 ` [RFC PATCH v2 2/3] xpfo: Only put previous userspace pages into the hot cache Juerg Haefliger
2016-09-14 7:19 ` [kernel-hardening] " Juerg Haefliger
2016-09-14 7:19 ` Juerg Haefliger
2016-09-14 14:33 ` [kernel-hardening] " Dave Hansen
2016-09-14 14:33 ` Dave Hansen
2016-09-14 14:40 ` Juerg Haefliger
2016-09-14 14:48 ` Dave Hansen
2016-09-14 14:48 ` Dave Hansen
2016-09-21 5:32 ` Juerg Haefliger
2016-09-14 7:19 ` [RFC PATCH v2 3/3] block: Always use a bounce buffer when XPFO is enabled Juerg Haefliger
2016-09-14 7:19 ` [kernel-hardening] " Juerg Haefliger
2016-09-14 7:19 ` Juerg Haefliger
2016-09-14 7:33 ` Christoph Hellwig
2016-09-14 7:33 ` [kernel-hardening] " Christoph Hellwig
2016-09-14 7:33 ` Christoph Hellwig
2016-09-14 7:23 ` [RFC PATCH v2 0/3] Add support for eXclusive Page Frame Ownership (XPFO) Juerg Haefliger
2016-09-14 7:23 ` [kernel-hardening] " Juerg Haefliger
2016-09-14 9:36 ` [kernel-hardening] " Mark Rutland
2016-09-14 9:36 ` Mark Rutland
2016-09-14 9:49 ` Mark Rutland
2016-09-14 9:49 ` Mark Rutland
2016-11-04 14:45 ` Juerg Haefliger [this message]
2016-11-04 14:45 ` [kernel-hardening] [RFC PATCH v3 0/2] " Juerg Haefliger
2016-11-04 14:45 ` Juerg Haefliger
2016-11-04 14:45 ` [RFC PATCH v3 1/2] " Juerg Haefliger
2016-11-04 14:45 ` [kernel-hardening] " Juerg Haefliger
2016-11-04 14:45 ` Juerg Haefliger
2016-11-04 14:50 ` Christoph Hellwig
2016-11-04 14:50 ` [kernel-hardening] " Christoph Hellwig
2016-11-04 14:50 ` Christoph Hellwig
2016-11-10 5:53 ` [kernel-hardening] " ZhaoJunmin Zhao(Junmin)
2016-11-10 5:53 ` ZhaoJunmin Zhao(Junmin)
2016-11-10 5:53 ` ZhaoJunmin Zhao(Junmin)
2016-11-10 19:11 ` Kees Cook
2016-11-10 19:11 ` [kernel-hardening] " Kees Cook
2016-11-10 19:11 ` Kees Cook
2016-11-15 11:15 ` Juerg Haefliger
2016-11-15 11:15 ` [kernel-hardening] " Juerg Haefliger
2016-11-15 11:15 ` Juerg Haefliger
2016-11-10 19:24 ` Kees Cook
2016-11-10 19:24 ` [kernel-hardening] " Kees Cook
2016-11-10 19:24 ` Kees Cook
2016-11-15 11:18 ` Juerg Haefliger
2016-11-15 11:18 ` [kernel-hardening] " Juerg Haefliger
2016-11-15 11:18 ` Juerg Haefliger
2016-11-24 10:56 ` AKASHI Takahiro
2016-11-24 10:56 ` [kernel-hardening] " AKASHI Takahiro
2016-11-24 10:56 ` AKASHI Takahiro
2016-11-28 11:15 ` Juerg Haefliger
2016-11-28 11:15 ` [kernel-hardening] " Juerg Haefliger
2016-12-09 9:02 ` AKASHI Takahiro
2016-12-09 9:02 ` [kernel-hardening] " AKASHI Takahiro
2016-12-09 9:02 ` AKASHI Takahiro
2016-11-04 14:45 ` [RFC PATCH v3 2/2] xpfo: Only put previous userspace pages into the hot cache Juerg Haefliger
2016-11-04 14:45 ` [kernel-hardening] " Juerg Haefliger
2016-11-04 14:45 ` Juerg Haefliger
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20161104144534.14790-1-juerg.haefliger@hpe.com \
--to=juerg.haefliger@hpe.com \
--cc=kernel-hardening@lists.openwall.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mm@kvack.org \
--cc=linux-x86_64@vger.kernel.org \
--cc=vpk@cs.columbia.edu \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.