From: Kees Cook
Date: Thu, 20 Jul 2017 10:15:33 -0700
Subject: Re: [PATCH v6 0/2] x86: Implement fast refcount overflow protection
To: Ingo Molnar
Cc: Peter Zijlstra, Josh Poimboeuf, Christoph Hellwig, "Eric W. Biederman", Andrew Morton, Jann Horn, Eric Biggers, Elena Reshetova, Hans Liljestrand, Greg KH, Alexey Dobriyan, "Serge E. Hallyn", arozansk@redhat.com, Davidlohr Bueso, Manfred Spraul, "axboe@kernel.dk", James Bottomley, "x86@kernel.org", Arnd Bergmann, "David S. Miller", Rik van Riel, LKML, linux-arch, "kernel-hardening@lists.openwall.com"
In-Reply-To: <20170720091106.kigtr6zy7pjgk2s6@gmail.com>
References: <1500422614-94821-1-git-send-email-keescook@chromium.org> <20170720091106.kigtr6zy7pjgk2s6@gmail.com>
List-ID: linux-kernel@vger.kernel.org

On Thu, Jul 20, 2017 at 2:11 AM, Ingo Molnar wrote:
> Could you please also create a tabulated quick-comparison of the three variants,
> of all key properties, about behavior, feature and tradeoff differences?
>
> Something like:
>
>                                !ARCH_HAS_REFCOUNT   ARCH_HAS_REFCOUNT=y   REFCOUNT_FULL=y
>
>   avg fast path instructions:  5                    3                     10
>   behavior on overflow:        unsafe, silent       safe, verbose         safe, verbose
>   behavior on underflow:       unsafe, silent       unsafe, verbose       unsafe, verbose
>   ...
>
> etc. - note that this table is just a quick mockup with wild guesses. (Please add
> more comparisons of other aspects as well.)
>
> Such a comparison would make it easier for arch, subsystem and distribution
> maintainers to decide on which variant to use/enable.

Sure, I can write this up. I'm not sure "safe"/"unsafe" is quite that clean.
The differences between -full and -fast are pretty subtle, but I think I can
describe it using the updated LKDTM tests I've written to compare the two.
There are conditions that -fast doesn't catch, but those cases aren't actually
useful for the overflow defense.

As for "avg fast path instructions", do you mean the resulting assembly for
each refcount API function? I think it's going to look something like
"1 2 45", but I'll write it up.

-Kees

--
Kees Cook
Pixel Security
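To make the "unsafe, silent" versus "safe, verbose" rows of the mockup table concrete, here is a small userland model (an added example, not kernel code and not the refcount_t implementation under review): a plain counter that wraps on overflow next to a saturating one that sticks at a constructed poison value and reports once. The struct names, the REFCOUNT_SATURATED value and the reporting scheme are assumptions for illustration only.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed "stuck" value; chosen for the model, not the kernel's encoding. */
#define REFCOUNT_SATURATED UINT32_MAX

struct plain_ref { uint32_t v; };                 /* wraps silently */
struct safe_ref  { uint32_t v; bool reported; };  /* saturates and reports */

/* Unprotected variant: modular arithmetic, nothing is ever reported. */
static void plain_inc(struct plain_ref *r) { r->v++; }
static bool plain_dec_and_test(struct plain_ref *r) { return --r->v == 0; }

static void report_once(struct safe_ref *r, const char *what)
{
    if (!r->reported) { r->reported = true; fprintf(stderr, "refcount %s\n", what); }
}

/* Saturating variant: an increment that would overflow, or that starts from
 * zero (a use-after-free pattern), pins the counter at REFCOUNT_SATURATED. */
static void safe_inc(struct safe_ref *r)
{
    if (r->v == REFCOUNT_SATURATED) return;       /* already stuck: stay stuck */
    if (r->v == 0 || r->v == REFCOUNT_SATURATED - 1) {
        r->v = REFCOUNT_SATURATED;
        report_once(r, "saturated");
        return;
    }
    r->v++;
}

/* A saturated or already-zero counter never reports "last reference dropped",
 * so the object leaks instead of being freed while still referenced. */
static bool safe_dec_and_test(struct safe_ref *r)
{
    if (r->v == REFCOUNT_SATURATED) return false;
    if (r->v == 0) { report_once(r, "underflow"); return false; }
    return --r->v == 0;
}

/* Drive both models: start one below the top, take three more references, drop one. */
static bool plain_overflow_frees_live_object(void)
{
    struct plain_ref r = { UINT32_MAX - 1 };
    plain_inc(&r); plain_inc(&r); plain_inc(&r);  /* UINT32_MAX -> 0 -> 1, silently */
    return plain_dec_and_test(&r);                /* true: "freed" with holders alive */
}
static bool safe_overflow_frees_live_object(void)
{
    struct safe_ref r = { UINT32_MAX - 1, false };
    safe_inc(&r); safe_inc(&r); safe_inc(&r);     /* saturates on the first inc */
    return safe_dec_and_test(&r);                 /* false: object kept, report emitted */
}
```

The model deliberately ignores atomicity and the instruction-count tradeoff the thread is about; it only shows why the overflow row differs between the variants.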