From: "Reshetova, Elena" <elena.reshetova@intel.com>
To: Colin Vidal <colin@cvidal.org>,
"kernel-hardening@lists.openwall.com"
<kernel-hardening@lists.openwall.com>
Cc: Kees Cook <keescook@chromium.org>, David Windsor <dave@progbits.org>
Subject: RE: [kernel-hardening] [RFC v2 PATCH 00/13] HARDENED_ATOMIC
Date: Wed, 26 Oct 2016 09:46:49 +0000 [thread overview]
Message-ID: <2236FBA76BA1254E88B949DDB74E612B41BF8D57@IRSMSX102.ger.corp.intel.com> (raw)
In-Reply-To: <1477471489.2263.107.camel@cvidal.org>
>Hi Elena,
Hi Colin!
> > Perhaps the cleaner solution would be to define prototypes (of real
> > functions, not macros) of atomic64_*_wrap functions in asm-
> > generic/atomic64.h. If the arch has its own implementation of
> > atomic64, no problems (asm-generic/atomic64.h is not >included), and
> > if
> > CONFIG_GENERIC_ATOMIC64 is set, we just need to implements atomic64_*_wrap functions (in a arch/lib/atomic64.c, for instance).
>
> Why not in lib/atomic64.c? Because this is what would be used in the case when CONFIG_GENERIC_ATOMIC is set. Also, when you say "implement", do you mean actually provide "protected" versions of wrap functions or just wrap functions themselves operating on wrap_t types but providing no difference from non-wrap functions?
>
>The point is if CONFIG_GENERIC_ATOMIC64 is unset, asm- generic/atomic64.h and lib/atomic64.c (see lib/Makefile) are not included in compilation, therefore we don't care about that: the architecture has its own implementation of atomic64 (protected >and wrap version).
I would still break this case into two cases to have full picture:
(1) CONFIG_GENERIC_ATOMIC64 is unset, architecture has its own implementation of atomic64, but no protected and wrap versions (yet), CONFIG_ARCH_HARDENED_ATOMIC is unset and cannot be set.
(2) CONFIG_GENERIC_ATOMIC64 is unset, architecture has its own implementation of atomic64, with protected and wrap version, CONFIG_ARCH_HARDENED_ATOMIC can be both set and unset.
The latter case is supported for x86 and work is going for arm and arm64 now.
The first case still requires that *_wrap functions are defined in one way or another and since we cannot rely on all arch. to provide them, they are currently defined in linux/atomic.h and simply redirect to non-wrap functions.
I guess we all agree with the above behavior?
>If CONFIG_GENERIC_ATOMIC64 is set, the common implementation is in lib/atomic64.c. Therefore, any functions in lib/atomic64.c should be renamed to be suffixed by _wrap (unprotected versions), and prototypes with _wrap suffix should be added in asm-generic/atomic64.h.
So, again for clarity, let's break this case into two cases also:
(3) CONFIG_GENERIC_ATOMIC64 is set, architecture does not provide any atomic64 implementations, CONFIG_ARCH_HARDENED_ATOMIC is set
(4) CONFIG_GENERIC_ATOMIC64 is set, architecture does not provide any atomic64 implementations, CONFIG_ARCH_HARDENED_ATOMIC is unset
The current implementation what we have in the hardened_atomic_on_next branch actually treats both of these cases in the same way (this is what Hans was explaining before): it does define atomic64*_wrap functions in both cases, but they point to the same normal functions. So, no protection provided in any case. Based on the current thread it seems that we might want to have protection in the case (3) after all, which is not really straightforward (maybe that's why grsecurity didn't have support for it).
Also, what's why we first wanted to know how common this case (3) would be in practice? Should we just merge first the common cases and for example as Colin was proposing make it impossible for now to select CONFIG_HARDENED_ATOMIC for the case (3)? Actually I believe it is not even really possible to select it now in this case, or am I wrong? IMO we don't have anything providing CONFIG_ARCH_HARDENED_ATOMIC in this case.
>The protected versions of functions depends of each architecture, therefore they can't be generic. That why I propose to add implements them in arch/lib/atomic64.c (or even arch/lib/atomic64_wrap.c, it is much clear).
>And yes, by "implement" I means write "protected" versions. Err... Yes, in that case, we don't have the "examples" implemented in PAX. But the other solution would be leave GENERIC_ATOMIC64 unprotected, which is really unclear from the "user" point->of-view.
>If CONFIG_GENERIC_ATOMIC64 is set and CONFIG_HARDENED_ATOMIC is unset, the implementations in arch/lib/atomic64_wrap.c just does not include the overflow test on the add/sub operations, like the current protected
>arm/x64 implementations.
Not sure I fully follow here... In x86 case rch-specific atomic64* functions are defined in arch/x86/include/asm/atomic64_32/64.h. What location would correspond to arch/lib/atomic64.c in that case?
> Overall, I agree, there is no magic, but IMO definitions are so confusing even without wrap added (local_t and its functions is a good example), that tracking them all down is a pain.
> At some point we used this table to track functions and their
> definition:
> https://docs.google.com/spreadsheets/d/12wX-csPY8tnHpQVRKVFPSOoV8o6WXt
> AwKKTAkx8uUIQ/edit?usp=sharing Maybe it can be extended to include
> more info that people would like to see there.
>That would be useful and avoid numerous post-it on my desk :-) Thanks!
So, what info do you want to see there? :) Should I make one more table with different CONFIG on/off options and link where function is defined/implemented in that case?
Best Regards,
Elena.
next prev parent reply other threads:[~2016-10-26 9:46 UTC|newest]
Thread overview: 64+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-10-20 10:25 [kernel-hardening] [RFC v2 PATCH 00/13] HARDENED_ATOMIC Elena Reshetova
2016-10-20 10:25 ` [kernel-hardening] [RFC v2 PATCH 01/13] Add architecture independent hardened atomic base Elena Reshetova
2016-10-24 23:04 ` [kernel-hardening] " Kees Cook
2016-10-25 0:28 ` Kees Cook
2016-10-25 7:57 ` [kernel-hardening] " Reshetova, Elena
2016-10-25 8:51 ` [kernel-hardening] " AKASHI Takahiro
2016-10-25 9:46 ` Hans Liljestrand
2016-10-26 7:38 ` AKASHI Takahiro
2016-10-27 13:47 ` Hans Liljestrand
2016-10-25 18:20 ` Reshetova, Elena
2016-10-25 22:18 ` Kees Cook
2016-10-26 10:27 ` Reshetova, Elena
2016-10-26 20:44 ` Kees Cook
2016-10-25 22:16 ` Kees Cook
2016-10-20 10:25 ` [kernel-hardening] [RFC v2 PATCH 02/13] percpu-refcount: leave atomic counter unprotected Elena Reshetova
2016-10-20 10:25 ` [kernel-hardening] [RFC v2 PATCH 03/13] kernel: identify wrapping atomic usage Elena Reshetova
2016-10-20 10:25 ` [kernel-hardening] [RFC v2 PATCH 04/13] mm: " Elena Reshetova
2016-10-20 10:25 ` [kernel-hardening] [RFC v2 PATCH 05/13] fs: " Elena Reshetova
2016-10-20 10:25 ` [kernel-hardening] [RFC v2 PATCH 06/13] net: " Elena Reshetova
2016-10-20 10:25 ` [kernel-hardening] [RFC v2 PATCH 07/13] net: atm: " Elena Reshetova
2016-10-20 10:25 ` [kernel-hardening] [RFC v2 PATCH 08/13] security: " Elena Reshetova
2016-10-20 10:25 ` [kernel-hardening] [RFC v2 PATCH 09/13] drivers: identify wrapping atomic usage (part 1/2) Elena Reshetova
2016-10-20 10:25 ` [kernel-hardening] [RFC v2 PATCH 10/13] drivers: identify wrapping atomic usage (part 2/2) Elena Reshetova
2016-10-20 10:25 ` [kernel-hardening] [RFC v2 PATCH 11/13] x86: identify wrapping atomic usage Elena Reshetova
2016-10-20 10:25 ` [kernel-hardening] [RFC v2 PATCH 12/13] x86: implementation for HARDENED_ATOMIC Elena Reshetova
2016-10-26 5:06 ` AKASHI Takahiro
2016-10-26 6:55 ` David Windsor
2016-10-26 11:15 ` Reshetova, Elena
2016-10-26 20:51 ` Kees Cook
2016-10-26 21:48 ` David Windsor
2016-10-26 21:52 ` Kees Cook
2016-10-20 10:25 ` [kernel-hardening] [RFC v2 PATCH 13/13] lkdtm: add tests for atomic over-/underflow Elena Reshetova
2016-10-24 23:14 ` Kees Cook
2016-10-25 8:56 ` AKASHI Takahiro
2016-10-25 9:04 ` Colin Vidal
2016-10-25 9:11 ` Hans Liljestrand
2016-10-25 18:30 ` Kees Cook
2016-10-20 13:13 ` [kernel-hardening] [RFC v2 PATCH 00/13] HARDENED_ATOMIC Hans Liljestrand
2016-10-24 22:38 ` Kees Cook
2016-10-25 9:05 ` Hans Liljestrand
2016-10-25 17:18 ` Colin Vidal
2016-10-25 17:51 ` David Windsor
2016-10-25 20:53 ` Colin Vidal
2016-10-26 8:17 ` Reshetova, Elena
2016-10-26 8:44 ` Colin Vidal
2016-10-26 9:46 ` Reshetova, Elena [this message]
2016-10-26 18:52 ` Colin Vidal
2016-10-26 19:47 ` Colin Vidal
2016-10-26 19:52 ` Kees Cook
2016-10-26 20:07 ` Colin Vidal
2016-10-27 7:35 ` Reshetova, Elena
2016-10-27 12:00 ` Reshetova, Elena
[not found] ` <CAEXv5_jDAPAqHp7vfOzU+WqN_h3g00_VUOz2_xxp9nJNzzFjxg@mail.gmail.com>
2016-10-27 13:03 ` David Windsor
2016-10-28 13:02 ` Reshetova, Elena
2016-10-28 15:20 ` David Windsor
2016-10-28 19:51 ` Reshetova, Elena
2016-10-29 5:27 ` David Windsor
2016-10-29 10:31 ` Reshetova, Elena
2016-10-29 11:48 ` David Windsor
2016-10-29 17:56 ` Reshetova, Elena
2016-10-29 18:05 ` David Windsor
2016-10-29 18:08 ` Reshetova, Elena
2016-10-28 8:37 ` Colin Vidal
2016-10-26 19:49 ` Kees Cook
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=2236FBA76BA1254E88B949DDB74E612B41BF8D57@IRSMSX102.ger.corp.intel.com \
--to=elena.reshetova@intel.com \
--cc=colin@cvidal.org \
--cc=dave@progbits.org \
--cc=keescook@chromium.org \
--cc=kernel-hardening@lists.openwall.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.