From: Andy Lutomirski
Date: Mon, 4 Dec 2017 08:54:57 -0800
Subject: Re: [patch 57/60] x86/mm/kpti: Add Kconfig
To: Thomas Gleixner
Cc: LKML, X86 ML, Linus Torvalds, Andy Lutomirsky, Peter Zijlstra, Dave Hansen, Borislav Petkov, Greg KH, Kees Cook, Hugh Dickins, Brian Gerst, Josh Poimboeuf, Denys Vlasenko, Rik van Riel, Boris Ostrovsky, Juergen Gross, David Laight, Eduardo Valentin, aliguori@amazon.com, Will Deacon, Daniel Gruss, Dave Hansen, Ingo Molnar, moritz.lipp@iaik.tugraz.at, "linux-mm@kvack.org", Borislav Petkov, michael.schwarz@iaik.tugraz.at, richard.fellner@student.tugraz.at
In-Reply-To: <20171204150609.511885345@linutronix.de>
References: <20171204140706.296109558@linutronix.de> <20171204150609.511885345@linutronix.de>
List-ID: linux-kernel@vger.kernel.org

On Mon, Dec 4, 2017 at 6:08 AM, Thomas Gleixner wrote:
> From: Dave Hansen
>
> Finally allow CONFIG_KERNEL_PAGE_TABLE_ISOLATION to be enabled.
>
> PARAVIRT generally requires that the kernel not manage its own page tables.
> It also means that the hypervisor and kernel must agree wholeheartedly
> about what format the page tables are in and what they contain.
> KERNEL_PAGE_TABLE_ISOLATION, unfortunately, changes the rules and they
> can not be used together.
>
> I've seen conflicting feedback from maintainers lately about whether they
> want the Kconfig magic to go first or last in a patch series. It's going
> last here because the partially-applied series leads to kernels that can
> not boot in a bunch of cases. I did a run through the entire series with
> CONFIG_KERNEL_PAGE_TABLE_ISOLATION=y to look for build errors, though.
>
> [ tglx: Removed SMP and !PARAVIRT dependencies as they no longer exist ]
>
> Signed-off-by: Dave Hansen
> Signed-off-by: Ingo Molnar
> Signed-off-by: Thomas Gleixner
> Cc: Rik van Riel
> Cc: keescook@google.com
> Cc: Denys Vlasenko
> Cc: moritz.lipp@iaik.tugraz.at
> Cc: linux-mm@kvack.org
> Cc: Peter Zijlstra
> Cc: Brian Gerst
> Cc: hughd@google.com
> Cc: daniel.gruss@iaik.tugraz.at
> Cc: Borislav Petkov
> Cc: Andy Lutomirski
> Cc: Josh Poimboeuf
> Cc: michael.schwarz@iaik.tugraz.at
> Cc: Linus Torvalds
> Cc: richard.fellner@student.tugraz.at
> Link: https://lkml.kernel.org/r/20171123003524.88C90659@viggo.jf.intel.com
>
> ---
>  security/Kconfig |   10 ++++++++++
>  1 file changed, 10 insertions(+)
>
> --- a/security/Kconfig
> +++ b/security/Kconfig
> @@ -54,6 +54,16 @@ config SECURITY_NETWORK
>  	  implement socket and networking access controls.
>  	  If you are unsure how to answer this question, answer N.
>
> +config KERNEL_PAGE_TABLE_ISOLATION
> +	bool "Remove the kernel mapping in user mode"
> +	depends on X86_64 && JUMP_LABEL

select JUMP_LABEL perhaps?

> +	help
> +	  This feature reduces the number of hardware side channels by
> +	  ensuring that the majority of kernel addresses are not mapped
> +	  into userspace.
> +
> +	  See Documentation/x86/pagetable-isolation.txt for more details.
> +
>  config SECURITY_INFINIBAND
>  	bool "Infiniband Security Hooks"
>  	depends on SECURITY && INFINIBAND
>
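Review bot: `depends on X86_64 && JUMP_LABEL` makes the new option silently vanish from the menu on any X86_64 config that happens to have JUMP_LABEL off, and nothing in the help text tells the user why; since JUMP_LABEL is only an implementation requirement of the feature rather than something the user chooses it for, `select JUMP_LABEL` (as the inline reply suggests) would keep the option visible on every X86_64 config. Separately, the commit message's first paragraph still states that PARAVIRT and KERNEL_PAGE_TABLE_ISOLATION cannot be used together, while the tglx note says the !PARAVIRT dependency was dropped because it no longer exists and the hunk carries no PARAVIRT dependency at all; that paragraph should be reworded or removed so the message matches what the Kconfig entry actually encodes.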