From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Google-Smtp-Source: AH8x225qvvdr0GQAHxTnN/LE7KRRwxqo91PyGdBAmF5IwKsVXXiU9HGXoMo5pu90wQ2MmLvosTWz ARC-Seal: i=1; a=rsa-sha256; t=1518485146; cv=none; d=google.com; s=arc-20160816; b=S6AyjgwPyLyku9gvqrJ6LnX0CKLxJOn97+ptw6MwwzXsWkZLTNE0ud0oUMIvPmPZag CGcCVTWxWdaP5aviSfrpEBwl1C305Ul2mYCrd1VIymcUOlZgjVfELDvudjjnzNq6SZUE v+k9gaDbuT4eWZqLbvJ4YU6GB/Aiir14aMPHZKMGP99f18kkUygOtfTznNniiiqLt0NJ ZK+Y0tum5Nzhi+X73FO9uHShAJv+2w0Hig2pFQS6P6WMRLQ+eCEEiV65uyt76+enRHCz 7zV/ghFv1eiVwwgXGvM9WfpDAcmLnUEYOtNcHSQXAP/mbdiviS312RCOCqex0RMnVOgq W4iw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=cc:to:subject:message-id:date:from:references:in-reply-to:sender :mime-version:dkim-signature:dkim-signature:delivered-to:list-id :list-subscribe:list-unsubscribe:list-help:list-post:precedence :mailing-list:arc-authentication-results; bh=bUv7XZpsNUhzGfg0e/df4BF6V/ipu316ovCjJT2tb98=; b=dxkWBiUfFbAQXizeoBpC9v/DGki2KyucNVOggDbTgRkEWt8SnSzFEfqPGie8lv2bGg SZQPWeqcye8IAfLopueO1Egxu3nEe+hXIiySmboYn6a5y1U272fQ+l/dD9MdCL4xJbcB my1/EB1G6HEKlZ7bme6j10orYRsPZrmpAQ5HsgChFFtyUh84bFJwM7bHIdkwU+wDuLi0 tgHEb1/AiTe84rq3XinvR7E/G92Xq2nnT+DBsH2xDX5iBbtebGxTNwTXd4E97L3LAUko aNed9rBnrZKxpr9yCZdESuiNbrDBmthPFNM3H8jBX1fL/KVBgpopGBkHInow8YwvWOrT /VMw== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@google.com header.s=20161025 header.b=M4to1MsG; dkim=pass header.i=@chromium.org header.s=google header.b=UsUQg6R6; spf=pass (google.com: domain of kernel-hardening-return-11741-gregkh=linuxfoundation.org@lists.openwall.com designates 195.42.179.200 as permitted sender) smtp.mailfrom=kernel-hardening-return-11741-gregkh=linuxfoundation.org@lists.openwall.com; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=chromium.org Authentication-Results: mx.google.com; dkim=pass header.i=@google.com header.s=20161025 header.b=M4to1MsG; dkim=pass header.i=@chromium.org header.s=google header.b=UsUQg6R6; spf=pass (google.com: domain of kernel-hardening-return-11741-gregkh=linuxfoundation.org@lists.openwall.com designates 195.42.179.200 as permitted sender) smtp.mailfrom=kernel-hardening-return-11741-gregkh=linuxfoundation.org@lists.openwall.com; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=chromium.org Mailing-List: contact kernel-hardening-help@lists.openwall.com; run by ezmlm List-Post: List-Help: List-Unsubscribe: List-Subscribe: MIME-Version: 1.0 Sender: keescook@google.com In-Reply-To: <414027d3-dd73-cf11-dc2a-e8c124591646@redhat.com> References: <20180124175631.22925-1-igor.stoppa@huawei.com> <20180124175631.22925-5-igor.stoppa@huawei.com> <20180126053542.GA30189@bombadil.infradead.org> <8818bfd4-dd9f-f279-0432-69b59531bd41@huawei.com> <17e5b515-84c8-dca2-1695-cdf819834ea2@huawei.com> <414027d3-dd73-cf11-dc2a-e8c124591646@redhat.com> From: Kees Cook Date: Mon, 12 Feb 2018 17:25:25 -0800 X-Google-Sender-Auth: t_zQAGZf1JlztdpxU0DT1uP6b5Y Message-ID: Subject: Re: [kernel-hardening] [PATCH 4/6] Protectable Memory To: Laura Abbott Cc: Igor Stoppa , Boris Lukashev , Christopher Lameter , Matthew Wilcox , Jann Horn , Jerome Glisse , Michal Hocko , Christoph Hellwig , linux-security-module , Linux-MM , kernel list , Kernel Hardening Content-Type: text/plain; charset="UTF-8" X-getmail-retrieved-from-mailbox: INBOX X-GMAIL-THRID: =?utf-8?q?1590497635371449856?= X-GMAIL-MSGID: =?utf-8?q?1592247081165831918?= X-Mailing-List: linux-kernel@vger.kernel.org List-ID: On Mon, Feb 12, 2018 at 4:40 PM, Laura Abbott wrote: > On 02/12/2018 03:27 PM, Kees Cook wrote: >> >> On Sun, Feb 4, 2018 at 7:05 AM, Igor Stoppa >> wrote: >>> >>> On 04/02/18 00:29, Boris Lukashev wrote: >>>> >>>> On Sat, Feb 3, 2018 at 3:32 PM, Igor Stoppa >>>> wrote: >>> >>> >>> [...] >>> >>>>> What you are suggesting, if I have understood it correctly, is that, >>>>> when the pool is protected, the addresses already given out, will >>>>> become >>>>> traps that get resolved through a lookup table that is built based on >>>>> the content of each allocation. >>>>> >>>>> That seems to generate a lot of overhead, not to mention the fact that >>>>> it might not play very well with the MMU. >>>> >>>> >>>> That is effectively what i'm suggesting - as a form of protection for >>>> consumers against direct reads of data which may have been corrupted >>>> by some irrelevant means. In the context of pmalloc, it would probably >>>> be a separate type of ro+verified pool >>> >>> ok, that seems more like an extension though. >>> >>> ATM I am having problems gaining traction to get even the basic merged >>> :-) >>> >>> I would consider this as a possibility for future work, unless it is >>> said that it's necessary for pmalloc to be accepted ... >> >> >> I would agree: let's get basic functionality in first. Both >> verification and the physmap part can be done separately, IMO. > > > Skipping over physmap leaves a pretty big area of exposure that could > be difficult to solve later. I appreciate this might block basic > functionality but I don't think we should just gloss over it without > at least some idea of what we would do. What's our exposure on physmap for other regions? e.g. things that are executable, or made read-only later (like __ro_after_init)? -Kees -- Kees Cook Pixel Security From mboxrd@z Thu Jan 1 00:00:00 1970 From: keescook@chromium.org (Kees Cook) Date: Mon, 12 Feb 2018 17:25:25 -0800 Subject: [kernel-hardening] [PATCH 4/6] Protectable Memory In-Reply-To: <414027d3-dd73-cf11-dc2a-e8c124591646@redhat.com> References: <20180124175631.22925-1-igor.stoppa@huawei.com> <20180124175631.22925-5-igor.stoppa@huawei.com> <20180126053542.GA30189@bombadil.infradead.org> <8818bfd4-dd9f-f279-0432-69b59531bd41@huawei.com> <17e5b515-84c8-dca2-1695-cdf819834ea2@huawei.com> <414027d3-dd73-cf11-dc2a-e8c124591646@redhat.com> Message-ID: To: linux-security-module@vger.kernel.org List-Id: linux-security-module.vger.kernel.org On Mon, Feb 12, 2018 at 4:40 PM, Laura Abbott wrote: > On 02/12/2018 03:27 PM, Kees Cook wrote: >> >> On Sun, Feb 4, 2018 at 7:05 AM, Igor Stoppa >> wrote: >>> >>> On 04/02/18 00:29, Boris Lukashev wrote: >>>> >>>> On Sat, Feb 3, 2018 at 3:32 PM, Igor Stoppa >>>> wrote: >>> >>> >>> [...] >>> >>>>> What you are suggesting, if I have understood it correctly, is that, >>>>> when the pool is protected, the addresses already given out, will >>>>> become >>>>> traps that get resolved through a lookup table that is built based on >>>>> the content of each allocation. >>>>> >>>>> That seems to generate a lot of overhead, not to mention the fact that >>>>> it might not play very well with the MMU. >>>> >>>> >>>> That is effectively what i'm suggesting - as a form of protection for >>>> consumers against direct reads of data which may have been corrupted >>>> by some irrelevant means. In the context of pmalloc, it would probably >>>> be a separate type of ro+verified pool >>> >>> ok, that seems more like an extension though. >>> >>> ATM I am having problems gaining traction to get even the basic merged >>> :-) >>> >>> I would consider this as a possibility for future work, unless it is >>> said that it's necessary for pmalloc to be accepted ... >> >> >> I would agree: let's get basic functionality in first. Both >> verification and the physmap part can be done separately, IMO. > > > Skipping over physmap leaves a pretty big area of exposure that could > be difficult to solve later. I appreciate this might block basic > functionality but I don't think we should just gloss over it without > at least some idea of what we would do. What's our exposure on physmap for other regions? e.g. things that are executable, or made read-only later (like __ro_after_init)? -Kees -- Kees Cook Pixel Security -- To unsubscribe from this list: send the line "unsubscribe linux-security-module" in the body of a message to majordomo at vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mail-vk0-f72.google.com (mail-vk0-f72.google.com [209.85.213.72]) by kanga.kvack.org (Postfix) with ESMTP id E8BFC6B000A for ; Mon, 12 Feb 2018 20:25:28 -0500 (EST) Received: by mail-vk0-f72.google.com with SMTP id p2so10028465vke.6 for ; Mon, 12 Feb 2018 17:25:28 -0800 (PST) Received: from mail-sor-f41.google.com (mail-sor-f41.google.com. [209.85.220.41]) by mx.google.com with SMTPS id m18sor3885942uab.288.2018.02.12.17.25.27 for (Google Transport Security); Mon, 12 Feb 2018 17:25:27 -0800 (PST) MIME-Version: 1.0 In-Reply-To: <414027d3-dd73-cf11-dc2a-e8c124591646@redhat.com> References: <20180124175631.22925-1-igor.stoppa@huawei.com> <20180124175631.22925-5-igor.stoppa@huawei.com> <20180126053542.GA30189@bombadil.infradead.org> <8818bfd4-dd9f-f279-0432-69b59531bd41@huawei.com> <17e5b515-84c8-dca2-1695-cdf819834ea2@huawei.com> <414027d3-dd73-cf11-dc2a-e8c124591646@redhat.com> From: Kees Cook Date: Mon, 12 Feb 2018 17:25:25 -0800 Message-ID: Subject: Re: [kernel-hardening] [PATCH 4/6] Protectable Memory Content-Type: text/plain; charset="UTF-8" Sender: owner-linux-mm@kvack.org List-ID: To: Laura Abbott Cc: Igor Stoppa , Boris Lukashev , Christopher Lameter , Matthew Wilcox , Jann Horn , Jerome Glisse , Michal Hocko , Christoph Hellwig , linux-security-module , Linux-MM , kernel list , Kernel Hardening On Mon, Feb 12, 2018 at 4:40 PM, Laura Abbott wrote: > On 02/12/2018 03:27 PM, Kees Cook wrote: >> >> On Sun, Feb 4, 2018 at 7:05 AM, Igor Stoppa >> wrote: >>> >>> On 04/02/18 00:29, Boris Lukashev wrote: >>>> >>>> On Sat, Feb 3, 2018 at 3:32 PM, Igor Stoppa >>>> wrote: >>> >>> >>> [...] >>> >>>>> What you are suggesting, if I have understood it correctly, is that, >>>>> when the pool is protected, the addresses already given out, will >>>>> become >>>>> traps that get resolved through a lookup table that is built based on >>>>> the content of each allocation. >>>>> >>>>> That seems to generate a lot of overhead, not to mention the fact that >>>>> it might not play very well with the MMU. >>>> >>>> >>>> That is effectively what i'm suggesting - as a form of protection for >>>> consumers against direct reads of data which may have been corrupted >>>> by some irrelevant means. In the context of pmalloc, it would probably >>>> be a separate type of ro+verified pool >>> >>> ok, that seems more like an extension though. >>> >>> ATM I am having problems gaining traction to get even the basic merged >>> :-) >>> >>> I would consider this as a possibility for future work, unless it is >>> said that it's necessary for pmalloc to be accepted ... >> >> >> I would agree: let's get basic functionality in first. Both >> verification and the physmap part can be done separately, IMO. > > > Skipping over physmap leaves a pretty big area of exposure that could > be difficult to solve later. I appreciate this might block basic > functionality but I don't think we should just gloss over it without > at least some idea of what we would do. What's our exposure on physmap for other regions? e.g. things that are executable, or made read-only later (like __ro_after_init)? -Kees -- Kees Cook Pixel Security -- To unsubscribe, send a message with 'unsubscribe linux-mm' in the body to majordomo@kvack.org. For more info on Linux MM, see: http://www.linux-mm.org/ . Don't email: email@kvack.org