From: Dave Hansen <dave.hansen@linux.intel.com>
To: linux-kernel@vger.kernel.org
Cc: x86@kernel.org, Dave Hansen <dave.hansen@linux.intel.com>,
	ning.sun@intel.com, tglx@linutronix.de, mingo@redhat.com,
	hpa@zytor.com, tboot-devel@lists.sourceforge.net,
	aarcange@redhat.com, jcm@redhat.com, dwmw@amazon.co.uk,
	pbonzini@redhat.com, gnomes@lxorguk.ukuu.org.uk,
	torvalds@linux-foundation.org, andi@firstfloor.org,
	gregkh@linux-foundation.org, tim.c.chen@linux.intel.com,
	law@redhat.com, nickc@redhat.com, luto@kernel.org,
	peterz@infradead.org
Subject: [PATCH] x86/pti: unpoison pgd for trusted boot
Date: Wed, 10 Jan 2018 13:11:18 -0800
Message-ID: <20180110211118.A314040D@viggo.jf.intel.com>


I believe this should replace 262b6b30087 in -tip.

The patch in -tip potentially misses the pgd clearing if pud_alloc()
sets a PGD.  It would also be nice to have that comment back.

Note that the -tip commit probably works in *practice* because for
two adjacent calls to map_tboot_page() that share a PGD entry, the
first will clear NX, *then* allocate and set the PGD (without NX
clear).  The second call will *not* allocate but will clear the NX
bit.

--

From: Dave Hansen <dave.hansen@linux.intel.com>

This is another case similar to what EFI does: create a new set of
page tables, map some code at a low address, and jump to it.  PTI
mistakes this low address for userspace and mistakenly marks it
non-executable in an effort to make it unusable for userspace.  Undo
the poison to allow execution.

Signed-off-by: Dave Hansen <dave.hansen@linux.intel.com>
Cc: Ning Sun <ning.sun@intel.com>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: Ingo Molnar <mingo@redhat.com>
Cc: "H. Peter Anvin" <hpa@zytor.com>
Cc: x86@kernel.org
Cc: tboot-devel@lists.sourceforge.net
Cc: linux-kernel@vger.kernel.org
Cc: Andrea Arcangeli <aarcange@redhat.com>
CC: Jon Masters <jcm@redhat.com>
Cc: "Woodhouse, David" <dwmw@amazon.co.uk>
Cc: Paolo Bonzini <pbonzini@redhat.com>
Cc: Alan Cox <gnomes@lxorguk.ukuu.org.uk>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Andi Kleen <andi@firstfloor.org>
Cc: Greg Kroah-Hartman <gregkh@linux-foundation.org>
CC: "Tim Chen" <tim.c.chen@linux.intel.com>
Cc: Jeff Law <law@redhat.com>
Cc: Nick Clifton <nickc@redhat.com>
Cc: Andy Lutomirski <luto@kernel.org>
Cc: Peter Zijlstra <peterz@infradead.org>
---

 b/arch/x86/kernel/tboot.c |   11 +++++++++++
 1 file changed, 11 insertions(+)

diff -puN arch/x86/kernel/tboot.c~pti-tboot-fix arch/x86/kernel/tboot.c
--- a/arch/x86/kernel/tboot.c~pti-tboot-fix	2018-01-09 17:12:49.776734656 -0800
+++ b/arch/x86/kernel/tboot.c	2018-01-09 17:12:49.784734656 -0800
@@ -138,6 +138,17 @@ static int map_tboot_page(unsigned long
 		return -1;
 	set_pte_at(&tboot_mm, vaddr, pte, pfn_pte(pfn, prot));
 	pte_unmap(pte);
+
+	/*
+	 * PTI poisons low addresses in the kernel page tables in the
+	 * name of making them unusable for userspace.  To execute
+	 * code at such a low address, the poison must be cleared.
+	 *
+	 * Note: 'pgd' actually gets set in p4d_alloc() _or_
+	 * pud_alloc() depending on 4/5-level paging.
+	 */
+	pgd->pgd &= ~_PAGE_NX;
+
 	return 0;
 }
 
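Review bot: the direct store `pgd->pgd &= ~_PAGE_NX;` writes the entry without going through set_pgd(), so the paravirt set_pgd hook is skipped, unlike set_pte_at() two lines above. That is fine for tboot_mm's freshly built, never-pinned tables, but either say so in the comment or use `set_pgd(pgd, __pgd(pgd_val(*pgd) & ~_PAGE_NX));` to keep the accessor convention. Also worth a word in the comment: the clear runs on every successful mapping, which is redundant for pages sharing one PGD entry but harmless, and placing it after set_pte_at() is exactly what guarantees the entry is populated whichever of p4d_alloc() or pud_alloc() set it.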

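The ordering argument in the cover letter (unpoison before versus after the PGD entry is populated), as an added stand-alone C model that is not kernel code: the entry is one 64-bit word with an NX bit, and model_alloc_pud(), map_page_tip_order() and map_page_patch_order() are hypothetical stand-ins for pud_alloc() and the two placements of the NX clear.

```c
/* Added model, not the kernel's code.  A "PGD entry" is a 64-bit word;
 * bit 63 stands in for _PAGE_NX, bit 0 for _PAGE_PRESENT. */
#include <stdint.h>
#include <stdbool.h>

#define MODEL_PRESENT  (1ULL << 0)
#define MODEL_NX       (1ULL << 63)

struct model_pgd { uint64_t val; };

/* Model of pud_alloc() under PTI: populating an empty low-address PGD
 * entry hands back an entry with the NX poison already set. */
static void model_alloc_pud(struct model_pgd *pgd)
{
	if (!(pgd->val & MODEL_PRESENT))
		pgd->val = MODEL_PRESENT | MODEL_NX;
}

/* Ordering of the -tip commit as described above: clear NX first, then
 * allocate.  On an empty entry the clear is a no-op and NX survives. */
void map_page_tip_order(struct model_pgd *pgd)
{
	pgd->val &= ~MODEL_NX;
	model_alloc_pud(pgd);
}

/* Ordering of this patch: allocate, then clear NX once the entry is
 * guaranteed to be populated. */
void map_page_patch_order(struct model_pgd *pgd)
{
	model_alloc_pud(pgd);
	pgd->val &= ~MODEL_NX;
}

/* True when the entry is present and not NX-poisoned. */
bool model_pgd_executable(const struct model_pgd *pgd)
{
	return (pgd->val & MODEL_PRESENT) && !(pgd->val & MODEL_NX);
}
```

With the -tip ordering the first call on a shared entry leaves it non-executable and only the second call sharing that entry clears it, which is the "works in practice" case from the cover letter; the patch ordering clears it on the first call.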