From: Nadav Amit <namit@vmware.com>
To: Thomas Gleixner <tglx@linutronix.de>
Cc: linux-kernel@vger.kernel.org, Ingo Molnar <mingo@redhat.com>, x86@kernel.org, Arnd Bergmann <arnd@arndb.de>, linux-arch@vger.kernel.org, Dave Hansen <dave.hansen@linux.intel.com>, Nadav Amit <nadav.amit@gmail.com>, Andy Lutomirski <luto@kernel.org>, Kees Cook <keescook@chromium.org>, Peter Zijlstra <peterz@infradead.org>, Dave Hansen <dave.hansen@intel.com>, Nadav Amit <namit@vmware.com>
Subject: [PATCH v2 2/6] x86/mm: temporary mm struct
Date: Sun, 2 Sep 2018 10:32:20 -0700
Message-ID: <20180902173224.30606-3-namit@vmware.com>
In-Reply-To: <20180902173224.30606-1-namit@vmware.com>

From: Andy Lutomirski <luto@kernel.org>

Sometimes we want to set temporary page-table entries (PTEs) in one of the cores, without allowing other cores to use - even speculatively - these mappings. There are two benefits for doing so:

(1) Security: if sensitive PTEs are set, temporary mm prevents their use in other cores. This hardens the security as it prevents exploiting a dangling pointer to overwrite sensitive data using the sensitive PTE.

(2) Avoiding TLB shootdowns: the PTEs do not need to be flushed in remote page-tables.

To do so a temporary mm_struct can be used. Mappings which are private for this mm can be set in the userspace part of the address-space. During the whole time in which the temporary mm is loaded, interrupts must be disabled.

The first use-case for temporary PTEs, which will follow, is for poking the kernel text.

[ Commit message was written by Nadav ]

Cc: Kees Cook <keescook@chromium.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Dave Hansen <dave.hansen@intel.com>
Reviewed-by: Masami Hiramatsu <mhiramat@kernel.org>
Tested-by: Masami Hiramatsu <mhiramat@kernel.org>
Signed-off-by: Andy Lutomirski <luto@kernel.org>
Signed-off-by: Nadav Amit <namit@vmware.com> --- arch/x86/include/asm/mmu_context.h | 20 ++++++++++++++++++++ 1 file changed, 20 insertions(+) diff --git a/arch/x86/include/asm/mmu_context.h b/arch/x86/include/asm/mmu_context.h index eeeb9289c764..96afc8c0cf15 100644 --- a/arch/x86/include/asm/mmu_context.h +++ b/arch/x86/include/asm/mmu_context.h @@ -338,4 +338,24 @@ static inline unsigned long __get_current_cr3_fast(void) return cr3; } +typedef struct { + struct mm_struct *prev; +} temporary_mm_state_t; + +static inline temporary_mm_state_t use_temporary_mm(struct mm_struct *mm) +{ + temporary_mm_state_t state; + + lockdep_assert_irqs_disabled(); + state.prev = this_cpu_read(cpu_tlbstate.loaded_mm); + switch_mm_irqs_off(NULL, mm, current); + return state; +} + +static inline void unuse_temporary_mm(temporary_mm_state_t prev) +{ + lockdep_assert_irqs_disabled(); + switch_mm_irqs_off(NULL, prev.prev, current); +} + #endif /* _ASM_X86_MMU_CONTEXT_H */ -- 2.17.1
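Review bot: the two helpers added in the `@@ -338,4 +338,24 @@` hunk carry no comment stating their contract, so the rule from the commit message (interrupts stay disabled for the whole time the temporary mm is loaded, and the mappings are only ever valid on the CPU that loaded them) is expressed solely by the two `lockdep_assert_irqs_disabled()` calls at entry and exit, with nothing checked in between. A kerneldoc block above `use_temporary_mm()` should say that the caller must keep interrupts off until `unuse_temporary_mm()` returns, must not sleep, schedule or return to userspace in between, and should treat `temporary_mm_state_t` as an opaque token to hand back rather than reaching into `prev`. A one-line comment on the `typedef struct { struct mm_struct *prev; }` would also help, since nothing explains why the previous mm is wrapped in a struct rather than returned as a bare `struct mm_struct *`.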