All of lore.kernel.org
 help / color / mirror / Atom feed
From: Andrew Cooper <amc96@srcf.net>
To: Jan Beulich <jbeulich@suse.com>,
	Andrew Cooper <andrew.cooper3@citrix.com>
Cc: "Roger Pau Monné" <roger.pau@citrix.com>, "Wei Liu" <wl@xen.org>,
	Xen-devel <xen-devel@lists.xenproject.org>
Subject: Re: [PATCH RFC 8/8] x86/boot: Check that permission restrictions have taken effect
Date: Mon, 6 Dec 2021 18:12:14 +0000	[thread overview]
Message-ID: <3f742d50-1b45-b0f0-d7ad-dc3d4763f5c7@srcf.net> (raw)
In-Reply-To: <282f884c-834e-caf7-4e09-6c7a662c666e@suse.com>

On 02/12/2021 13:33, Jan Beulich wrote:
> On 30.11.2021 11:04, Andrew Cooper wrote:
>> Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
>> ---
>> CC: Jan Beulich <JBeulich@suse.com>
>> CC: Roger Pau Monné <roger.pau@citrix.com>
>> CC: Wei Liu <wl@xen.org>
>>
>> RFC.  I don't know if this is something we'd want to keep or not.
>>
>> Getting extable handling working for test_nx_data is proving tricky, and while
>> I can't spot anything that should stop the extable from working with NX
>> faults, from a security hardening perspective, there really ought to
>> be.
>>
>> (Spurious faults aside), there are no circumstances where an NX fault is
>> legitimate, and restricting extable's ability to interfere with the fatality
>> of an NX fault provides a better security posture.
> Gating the extable_fixup() invocation accordingly should be possible.
> A respective check could live even earlier, but the window between
> the !guest_mode() check and the function's invocation isn't very large
> anyway.
>
> Since we can't have both testability and such faults being uniformly
> fatal, but since otoh we use pre_extable quite sparingly, how about
> forcing the fixup to take that path by disabling interrupts around
> the test?

That feels like an abuse of an unrelated mechanism, not to mention fragile.

> In any event this touches the insufficient selectiveness of the fixup
> machinery again: Any kind of fault will be recovered from whenever a
> fixup record is attached to an insn.

There are multiple things here.  Yes, I agree that fixing up all faults
is suboptimal.

But even within #PF alone, things such as SMAP/SMEP faults are
programmer error with no hope of extable being able to adequately
resolve, and should be fatal.

I actually like the approach that Linux has recently taken, by
describing a fixup type rather than arbitrary logic, in an attempt to
keep the number of special cases from getting out of hand.  This
approach is quite easy to filter into specific exceptions.

~Andrew


      reply	other threads:[~2021-12-06 18:13 UTC|newest]

Thread overview: 24+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2021-11-30 10:04 [PATCH 0/8] x86: Support for __ro_after_init Andrew Cooper
2021-11-30 10:04 ` [PATCH 1/8] x86/boot: Drop incorrect mapping at l2_xenmap[0] Andrew Cooper
2021-11-30 10:33   ` Jan Beulich
2021-11-30 11:14     ` Andrew Cooper
2021-11-30 11:22       ` Jan Beulich
2021-11-30 12:39         ` Andrew Cooper
2021-11-30 10:04 ` [PATCH 2/8] x86/boot: Better describe the pagetable relocation loops Andrew Cooper
2021-12-02 11:43   ` Jan Beulich
2021-11-30 10:04 ` [PATCH 3/8] x86/boot: Fix data placement around __high_start() Andrew Cooper
2021-12-02 11:49   ` Jan Beulich
2021-12-02 14:06     ` Andrew Cooper
2021-11-30 10:04 ` [PATCH 4/8] x86/mm: Drop bogus cacheability logic in update_xen_mappings() Andrew Cooper
2021-11-30 13:11   ` Andrew Cooper
2021-11-30 14:56     ` Andrew Cooper
2021-11-30 10:04 ` [PATCH 5/8] x86/boot: Drop xen_virt_end Andrew Cooper
2021-12-02 11:56   ` Jan Beulich
2021-12-02 14:07     ` Andrew Cooper
2021-11-30 10:04 ` [PATCH 6/8] x86/boot: Adjust .text/.rodata/etc permissions in one place Andrew Cooper
2021-12-02 12:15   ` Jan Beulich
2021-11-30 10:04 ` [PATCH 7/8] x86/boot: Support __ro_after_init Andrew Cooper
2021-12-02 13:10   ` Jan Beulich
2021-11-30 10:04 ` [PATCH RFC 8/8] x86/boot: Check that permission restrictions have taken effect Andrew Cooper
2021-12-02 13:33   ` Jan Beulich
2021-12-06 18:12     ` Andrew Cooper [this message]

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=3f742d50-1b45-b0f0-d7ad-dc3d4763f5c7@srcf.net \
    --to=amc96@srcf.net \
    --cc=andrew.cooper3@citrix.com \
    --cc=jbeulich@suse.com \
    --cc=roger.pau@citrix.com \
    --cc=wl@xen.org \
    --cc=xen-devel@lists.xenproject.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.