* [PATCH] x86/pti: unpoison pgd for trusted boot
@ 2018-01-10 22:49 Dave Hansen
2018-01-10 22:53 ` Andrea Arcangeli
` (2 more replies)
0 siblings, 3 replies; 5+ messages in thread
From: Dave Hansen @ 2018-01-10 22:49 UTC (permalink / raw)
To: linux-kernel
Cc: x86, Dave Hansen, ning.sun, tglx, mingo, hpa, tboot-devel,
aarcange, jcm, dwmw, pbonzini, gnomes, torvalds, andi, gregkh,
tim.c.chen, law, nickc, luto, peterz
Updated to make this on top of x86/pti.
--
From: Dave Hansen <dave.hansen@linux.intel.com>
The code in -tip potentially misses the pgd clearing if pud_alloc()
sets a PGD. It would also be nice to have that comment back.
Note that the -tip commit probably works in *practice* because for
two adjacent calls to map_tboot_page() that share a PGD entry, the
first will clear NX, *then* allocate and set the PGD (without NX
clear). The second call will *not* allocate but will clear the NX
bit.
This just defers the NX clearing to a point after it is known that
all top-level allocations have occurred. Add a comment to clarify
why.
Fixes: 262b6b30087 ("x86/tboot: Unbreak tboot with PTI enabled")
Signed-off-by: Dave Hansen <dave.hansen@linux.intel.com>
Cc: Ning Sun <ning.sun@intel.com>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: Ingo Molnar <mingo@redhat.com>
Cc: "H. Peter Anvin" <hpa@zytor.com>
Cc: x86@kernel.org
Cc: tboot-devel@lists.sourceforge.net
Cc: linux-kernel@vger.kernel.org
Cc: Andrea Arcangeli <aarcange@redhat.com>
CC: Jon Masters <jcm@redhat.com>
Cc: "Woodhouse, David" <dwmw@amazon.co.uk>
Cc: Paolo Bonzini <pbonzini@redhat.com>
Cc: Alan Cox <gnomes@lxorguk.ukuu.org.uk>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Andi Kleen <andi@firstfloor.org>
Cc: Greg Kroah-Hartman <gregkh@linux-foundation.org>
CC: "Tim Chen" <tim.c.chen@linux.intel.com>
Cc: Jeff Law <law@redhat.com>
Cc: Nick Clifton <nickc@redhat.com>
Cc: Andy Lutomirski <luto@kernel.org>
Cc: Peter Zijlstra <peterz@infradead.org>
---
b/arch/x86/kernel/tboot.c | 12 +++++++++++-
1 file changed, 11 insertions(+), 1 deletion(-)
diff -puN arch/x86/kernel/tboot.c~pti-tboot-fix arch/x86/kernel/tboot.c
--- a/arch/x86/kernel/tboot.c~pti-tboot-fix 2018-01-10 14:24:46.454544324 -0800
+++ b/arch/x86/kernel/tboot.c 2018-01-10 14:25:53.354544157 -0800
@@ -127,7 +127,6 @@ static int map_tboot_page(unsigned long
p4d = p4d_alloc(&tboot_mm, pgd, vaddr);
if (!p4d)
return -1;
- pgd->pgd &= ~_PAGE_NX;
pud = pud_alloc(&tboot_mm, p4d, vaddr);
if (!pud)
return -1;
@@ -139,6 +138,17 @@ static int map_tboot_page(unsigned long
return -1;
set_pte_at(&tboot_mm, vaddr, pte, pfn_pte(pfn, prot));
pte_unmap(pte);
+
+ /*
+ * PTI poisons low addresses in the kernel page tables in the
+ * name of making them unusable for userspace. To execute
+ * code at such a low address, the poison must be cleared.
+ *
+ * Note: 'pgd' actually gets set in p4d_alloc() _or_
+ * pud_alloc() depending on 4/5-level paging.
+ */
+ pgd->pgd &= ~_PAGE_NX;
+
return 0;
}
_
^ permalink raw reply [flat|nested] 5+ messages in thread* Re: [PATCH] x86/pti: unpoison pgd for trusted boot
2018-01-10 22:49 [PATCH] x86/pti: unpoison pgd for trusted boot Dave Hansen
@ 2018-01-10 22:53 ` Andrea Arcangeli
2018-01-10 23:34 ` [tip:x86/pti] x86/pti: Make unpoison of pgd for trusted boot work for real tip-bot for Dave Hansen
2018-01-11 23:22 ` tip-bot for Dave Hansen
2 siblings, 0 replies; 5+ messages in thread
From: Andrea Arcangeli @ 2018-01-10 22:53 UTC (permalink / raw)
To: Dave Hansen
Cc: linux-kernel, x86, ning.sun, tglx, mingo, hpa, tboot-devel, jcm,
dwmw, pbonzini, gnomes, torvalds, andi, gregkh, tim.c.chen, law,
nickc, luto, peterz
On Wed, Jan 10, 2018 at 02:49:39PM -0800, Dave Hansen wrote:
>
> Updated to make this on top of x86/pti.
Reviewed-by: Andrea Arcangeli <aarcange@redhat.com>
^ permalink raw reply [flat|nested] 5+ messages in thread
* [tip:x86/pti] x86/pti: Make unpoison of pgd for trusted boot work for real
2018-01-10 22:49 [PATCH] x86/pti: unpoison pgd for trusted boot Dave Hansen
2018-01-10 22:53 ` Andrea Arcangeli
@ 2018-01-10 23:34 ` tip-bot for Dave Hansen
2018-01-11 23:22 ` tip-bot for Dave Hansen
2 siblings, 0 replies; 5+ messages in thread
From: tip-bot for Dave Hansen @ 2018-01-10 23:34 UTC (permalink / raw)
To: linux-tip-commits
Cc: hpa, dave.hansen, tim.c.chen, mingo, jcm, linux-kernel, aarcange, tglx
Commit-ID: 8a931d1e24bacf01f00a35d43bfe7917256c5c49
Gitweb: https://git.kernel.org/tip/8a931d1e24bacf01f00a35d43bfe7917256c5c49
Author: Dave Hansen <dave.hansen@linux.intel.com>
AuthorDate: Wed, 10 Jan 2018 14:49:39 -0800
Committer: Thomas Gleixner <tglx@linutronix.de>
CommitDate: Thu, 11 Jan 2018 00:30:25 +0100
x86/pti: Make unpoison of pgd for trusted boot work for real
The inital fix for trusted boot and PTI potentially misses the pgd clearing
if pud_alloc() sets a PGD. It probably works in *practice* because for two
adjacent calls to map_tboot_page() that share a PGD entry, the first will
clear NX, *then* allocate and set the PGD (without NX clear). The second
call will *not* allocate but will clear the NX bit.
Defer the NX clearing to a point after it is known that all top-level
allocations have occurred. Add a comment to clarify why.
[ tglx: Massaged changelog ]
Fixes: 262b6b30087 ("x86/tboot: Unbreak tboot with PTI enabled")
Signed-off-by: Dave Hansen <dave.hansen@linux.intel.com>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Reviewed-by: Andrea Arcangeli <aarcange@redhat.com>
Cc: Jon Masters <jcm@redhat.com>
Cc: "Tim Chen" <tim.c.chen@linux.intel.com>
Cc: gnomes@lxorguk.ukuu.org.uk
Cc: peterz@infradead.org
Cc: ning.sun@intel.com
Cc: tboot-devel@lists.sourceforge.net
Cc: andi@firstfloor.org
Cc: luto@kernel.org
Cc: law@redhat.com
Cc: pbonzini@redhat.com
Cc: torvalds@linux-foundation.org
Cc: gregkh@linux-foundation.org
Cc: dwmw@amazon.co.uk
Cc: nickc@redhat.com
Cc: stable@vger.kernel.org
Link: https://lkml.kernel.org/r/20180110224939.2695CD47@viggo.jf.intel.com
---
arch/x86/kernel/tboot.c | 12 +++++++++++-
1 file changed, 11 insertions(+), 1 deletion(-)
diff --git a/arch/x86/kernel/tboot.c b/arch/x86/kernel/tboot.c
index 75869a4..a2486f4 100644
--- a/arch/x86/kernel/tboot.c
+++ b/arch/x86/kernel/tboot.c
@@ -127,7 +127,6 @@ static int map_tboot_page(unsigned long vaddr, unsigned long pfn,
p4d = p4d_alloc(&tboot_mm, pgd, vaddr);
if (!p4d)
return -1;
- pgd->pgd &= ~_PAGE_NX;
pud = pud_alloc(&tboot_mm, p4d, vaddr);
if (!pud)
return -1;
@@ -139,6 +138,17 @@ static int map_tboot_page(unsigned long vaddr, unsigned long pfn,
return -1;
set_pte_at(&tboot_mm, vaddr, pte, pfn_pte(pfn, prot));
pte_unmap(pte);
+
+ /*
+ * PTI poisons low addresses in the kernel page tables in the
+ * name of making them unusable for userspace. To execute
+ * code at such a low address, the poison must be cleared.
+ *
+ * Note: 'pgd' actually gets set in p4d_alloc() _or_
+ * pud_alloc() depending on 4/5-level paging.
+ */
+ pgd->pgd &= ~_PAGE_NX;
+
return 0;
}
^ permalink raw reply related [flat|nested] 5+ messages in thread* [tip:x86/pti] x86/pti: Make unpoison of pgd for trusted boot work for real
2018-01-10 22:49 [PATCH] x86/pti: unpoison pgd for trusted boot Dave Hansen
2018-01-10 22:53 ` Andrea Arcangeli
2018-01-10 23:34 ` [tip:x86/pti] x86/pti: Make unpoison of pgd for trusted boot work for real tip-bot for Dave Hansen
@ 2018-01-11 23:22 ` tip-bot for Dave Hansen
2 siblings, 0 replies; 5+ messages in thread
From: tip-bot for Dave Hansen @ 2018-01-11 23:22 UTC (permalink / raw)
To: linux-tip-commits
Cc: mingo, aarcange, hpa, jcm, linux-kernel, dave.hansen, tim.c.chen, tglx
Commit-ID: 445b69e3b75e42362a5bdc13c8b8f61599e2228a
Gitweb: https://git.kernel.org/tip/445b69e3b75e42362a5bdc13c8b8f61599e2228a
Author: Dave Hansen <dave.hansen@linux.intel.com>
AuthorDate: Wed, 10 Jan 2018 14:49:39 -0800
Committer: Thomas Gleixner <tglx@linutronix.de>
CommitDate: Thu, 11 Jan 2018 23:36:59 +0100
x86/pti: Make unpoison of pgd for trusted boot work for real
The inital fix for trusted boot and PTI potentially misses the pgd clearing
if pud_alloc() sets a PGD. It probably works in *practice* because for two
adjacent calls to map_tboot_page() that share a PGD entry, the first will
clear NX, *then* allocate and set the PGD (without NX clear). The second
call will *not* allocate but will clear the NX bit.
Defer the NX clearing to a point after it is known that all top-level
allocations have occurred. Add a comment to clarify why.
[ tglx: Massaged changelog ]
Fixes: 262b6b30087 ("x86/tboot: Unbreak tboot with PTI enabled")
Signed-off-by: Dave Hansen <dave.hansen@linux.intel.com>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Reviewed-by: Andrea Arcangeli <aarcange@redhat.com>
Cc: Jon Masters <jcm@redhat.com>
Cc: "Tim Chen" <tim.c.chen@linux.intel.com>
Cc: gnomes@lxorguk.ukuu.org.uk
Cc: peterz@infradead.org
Cc: ning.sun@intel.com
Cc: tboot-devel@lists.sourceforge.net
Cc: andi@firstfloor.org
Cc: luto@kernel.org
Cc: law@redhat.com
Cc: pbonzini@redhat.com
Cc: torvalds@linux-foundation.org
Cc: gregkh@linux-foundation.org
Cc: dwmw@amazon.co.uk
Cc: nickc@redhat.com
Cc: stable@vger.kernel.org
Link: https://lkml.kernel.org/r/20180110224939.2695CD47@viggo.jf.intel.com
---
arch/x86/kernel/tboot.c | 12 +++++++++++-
1 file changed, 11 insertions(+), 1 deletion(-)
diff --git a/arch/x86/kernel/tboot.c b/arch/x86/kernel/tboot.c
index 75869a4..a2486f4 100644
--- a/arch/x86/kernel/tboot.c
+++ b/arch/x86/kernel/tboot.c
@@ -127,7 +127,6 @@ static int map_tboot_page(unsigned long vaddr, unsigned long pfn,
p4d = p4d_alloc(&tboot_mm, pgd, vaddr);
if (!p4d)
return -1;
- pgd->pgd &= ~_PAGE_NX;
pud = pud_alloc(&tboot_mm, p4d, vaddr);
if (!pud)
return -1;
@@ -139,6 +138,17 @@ static int map_tboot_page(unsigned long vaddr, unsigned long pfn,
return -1;
set_pte_at(&tboot_mm, vaddr, pte, pfn_pte(pfn, prot));
pte_unmap(pte);
+
+ /*
+ * PTI poisons low addresses in the kernel page tables in the
+ * name of making them unusable for userspace. To execute
+ * code at such a low address, the poison must be cleared.
+ *
+ * Note: 'pgd' actually gets set in p4d_alloc() _or_
+ * pud_alloc() depending on 4/5-level paging.
+ */
+ pgd->pgd &= ~_PAGE_NX;
+
return 0;
}
^ permalink raw reply related [flat|nested] 5+ messages in thread
* [PATCH] x86/pti: unpoison pgd for trusted boot
@ 2018-01-10 21:11 Dave Hansen
0 siblings, 0 replies; 5+ messages in thread
From: Dave Hansen @ 2018-01-10 21:11 UTC (permalink / raw)
To: linux-kernel
Cc: x86, Dave Hansen, ning.sun, tglx, mingo, hpa, tboot-devel,
aarcange, jcm, dwmw, pbonzini, gnomes, torvalds, andi, gregkh,
tim.c.chen, law, nickc, luto, peterz
I believe this should replace 262b6b30087 in -tip.
The patch in -tip potentially misses the pgd clearing if pud_alloc()
sets a PGD. It would also be nice to have that comment back.
Note that the -tip commit probably works in *practice* because for
two adjacent calls to map_tboot_page() that share a PGD entry, the
first will clear NX, *then* allocate and set the PGD (without NX
clear). The second call will *not* allocate but will clear the NX
bit.
--
From: Dave Hansen <dave.hansen@linux.intel.com>
This is another case similar to what EFI does: create a new set of
page tables, map some code at a low address, and jump to it. PTI
mistakes this low address for userspace and mistakenly marks it
non-executable in an effort to make it unusable for userspace. Undo
the poison to allow execution.
Signed-off-by: Dave Hansen <dave.hansen@linux.intel.com>
Cc: Ning Sun <ning.sun@intel.com>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: Ingo Molnar <mingo@redhat.com>
Cc: "H. Peter Anvin" <hpa@zytor.com>
Cc: x86@kernel.org
Cc: tboot-devel@lists.sourceforge.net
Cc: linux-kernel@vger.kernel.org
Cc: Andrea Arcangeli <aarcange@redhat.com>
CC: Jon Masters <jcm@redhat.com>
Cc: "Woodhouse, David" <dwmw@amazon.co.uk>
Cc: Paolo Bonzini <pbonzini@redhat.com>
Cc: Alan Cox <gnomes@lxorguk.ukuu.org.uk>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Andi Kleen <andi@firstfloor.org>
Cc: Greg Kroah-Hartman <gregkh@linux-foundation.org>
CC: "Tim Chen" <tim.c.chen@linux.intel.com>
Cc: Jeff Law <law@redhat.com>
Cc: Nick Clifton <nickc@redhat.com>
Cc: Andy Lutomirski <luto@kernel.org>
Cc: Peter Zijlstra <peterz@infradead.org>
---
b/arch/x86/kernel/tboot.c | 11 +++++++++++
1 file changed, 11 insertions(+)
diff -puN arch/x86/kernel/tboot.c~pti-tboot-fix arch/x86/kernel/tboot.c
--- a/arch/x86/kernel/tboot.c~pti-tboot-fix 2018-01-09 17:12:49.776734656 -0800
+++ b/arch/x86/kernel/tboot.c 2018-01-09 17:12:49.784734656 -0800
@@ -138,6 +138,17 @@ static int map_tboot_page(unsigned long
return -1;
set_pte_at(&tboot_mm, vaddr, pte, pfn_pte(pfn, prot));
pte_unmap(pte);
+
+ /*
+ * PTI poisons low addresses in the kernel page tables in the
+ * name of making them unusable for userspace. To execute
+ * code at such a low address, the poison must be cleared.
+ *
+ * Note: 'pgd' actually gets set in p4d_alloc() _or_
+ * pud_alloc() depending on 4/5-level paging.
+ */
+ pgd->pgd &= ~_PAGE_NX;
+
return 0;
}
_
^ permalink raw reply [flat|nested] 5+ messages in thread
end of thread, other threads:[~2018-01-11 23:23 UTC | newest]
Thread overview: 5+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2018-01-10 22:49 [PATCH] x86/pti: unpoison pgd for trusted boot Dave Hansen
2018-01-10 22:53 ` Andrea Arcangeli
2018-01-10 23:34 ` [tip:x86/pti] x86/pti: Make unpoison of pgd for trusted boot work for real tip-bot for Dave Hansen
2018-01-11 23:22 ` tip-bot for Dave Hansen
-- strict thread matches above, loose matches on Subject: below --
2018-01-10 21:11 [PATCH] x86/pti: unpoison pgd for trusted boot Dave Hansen
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.