From: Jeff Xu <jeffxu@google.com>
To: Dave Hansen <dave.hansen@intel.com>
Cc: "Stephen Röttger" <sroettger@google.com>,
jeffxu@chromium.org, luto@kernel.org, jorgelo@chromium.org,
keescook@chromium.org, groeck@chromium.org, jannh@google.com,
akpm@linux-foundation.org, linux-kernel@vger.kernel.org,
linux-kselftest@vger.kernel.org, linux-mm@kvack.org,
linux-hardening@vger.kernel.org
Subject: Re: [PATCH 0/6] Memory Mapping (VMA) protection using PKU - set 1
Date: Thu, 18 May 2023 13:20:06 -0700 [thread overview]
Message-ID: <CALmYWFuSTc5Q7Hrra8FijE11+Y1KiROa=xCZWL1D3ifthrrDMQ@mail.gmail.com> (raw)
In-Reply-To: <2b14036e-aed8-4212-bc0f-51ec4fe5a5c1@intel.com>
Hello Dave,
Thanks for your email.
On Thu, May 18, 2023 at 8:38 AM Dave Hansen <dave.hansen@intel.com> wrote:
>
> On 5/17/23 16:48, Jeff Xu wrote:
> > However, there are a few challenges I have not yet worked through.
> > First, the code needs to track when the first signaling entry occurs
> > (saving the PKRU register to the thread struct) and when it is last
> > returned (restoring the PKRU register from the thread struct).
>
> Would tracking signal "depth" work in the face of things like siglongjmp?
>
Thank you for your question! I am eager to learn more about this area
and I worry about blind spots. I will investigate and get back to you.
> Taking a step back...
>
> Here's my concern about this whole thing: it's headed down a rabbit hole
> which is *highly* specialized both in the apps that will use it and the
> attacks it will mitigate. It probably *requires* turning off a bunch of
> syscalls (like io_uring) that folks kinda like in general.
>
ChromeOS currently disabled io_uring, but it is not required to do so.
io_uring supports the IORING_OP_MADVICE operation, which calls the
do_madvise() function. This means that io_uring will have the same
pkey checks as the madvice() system call. From that perspective, we
will fully support io_uring for this feature.
> We're balancing that highly specialized mitigation with a feature that
> add new ABI, touches core memory management code and signal handling.
>
The ABI change uses the existing flag field in pkey_alloc() which is
reserved. The implementation is backward compatible with all existing
pkey usages in both kernel and user space. Or do you have other
concerns about ABI in mind ?
Yes, you are right about the risk of touching core mm code. To
minimize the risk, I try to control the scope of the change (it is
about 3 lines in mprotect, more in munmap but really just 3 effective
lines from syscall entry). I added new self-tests in mm to make sure
it doesn't regress in api behavior. I run those tests before and after
my kernel code change to make sure the behavior remains the same, I
tested it on 5.15 and 6.1 and 6.4-rc1. Actually, the testing
discovered a behavior change for mprotect() between 6.1 and 6.4 (not
from this patch, there are refactoring works going on in mm) see this
thread [1]
I hope those steps will help to mitigate the risk.
Agreed on signaling handling is a tough part: what do you think about
the approach (modifying PKRU from saved stack after XSAVE), is there a
blocker ?
> On the x86 side, PKRU is a painfully special snowflake. It's exposed in
> the "XSAVE" ABIs, but not actually managed *with* XSAVE in the kernel.
> This would be making it an even more special snowflake because it would
I admit I'm quite ignorant on XSAVE to understand the above
statement, and how that is related. Could you explain it to me please
? And what is in your mind that might improve the situation ?
> need new altstack ABI and handling.
>
I thought adding protected memory support to signaling handling is an
independent project with its own weight. As Jann Horn points out in
[2]: "we could prevent the attacker from corrupting the signal
context if we can protect the signal stack with a pkey." However,
the kernel will send SIGSEGV when the stack is protected by PKEY, so
there is a benefit to make this work. (Maybe Jann can share some more
thoughts on the benefits)
And I believe we could do this in a way with minimum ABI change, as below:
- allocate PKEY with a new flag (PKEY_ALTSTACK)
- at sigaltstack() call, detect the memory is PKEY_ALTSTACK protected,
(similar as what mprotect does in this patch) and save it along with
stack address/size.
- at signaling handling, use the saved info to fill in PKRU.
The ABI change is similar to PKEY_ENFORCE_API, and there is no
backward compatibility issue.
Will these mentioned help our case ? What do you think ?
(Stephan has more info on gains, as far as I know, V8 engineers have
worked/thought really hard to come to a suitable solution to make
chrome browser safer)
[1] https://lore.kernel.org/linux-mm/20230516165754.pocx4kaagn3yyw3r@revolver/T/
[2] https://docs.google.com/document/d/1OlnJbR5TMoaOAJsf4hHOc-FdTmYK2aDUI7d2hfCZSOo/edit?resourcekey=0-v9UJXONYsnG5PlCBbcYqIw#
Thanks!
Best regards,
-Jeff
next prev parent reply other threads:[~2023-05-18 20:20 UTC|newest]
Thread overview: 45+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-05-15 13:05 [PATCH 0/6] Memory Mapping (VMA) protection using PKU - set 1 jeffxu
2023-05-15 13:05 ` [PATCH 1/6] PKEY: Introduce PKEY_ENFORCE_API flag jeffxu
2023-05-16 23:14 ` Dave Hansen
2023-05-16 23:55 ` Jeff Xu
2023-05-17 11:07 ` Stephen Röttger
2023-05-15 13:05 ` [PATCH 2/6] PKEY: Add arch_check_pkey_enforce_api() jeffxu
2023-05-18 21:43 ` Dave Hansen
2023-05-18 22:51 ` Jeff Xu
2023-05-19 0:00 ` Dave Hansen
2023-05-19 11:22 ` Stephen Röttger
2023-05-15 13:05 ` [PATCH 3/6] PKEY: Apply PKEY_ENFORCE_API to mprotect jeffxu
2023-05-16 20:07 ` Kees Cook
2023-05-16 22:23 ` Jeff Xu
2023-05-16 23:18 ` Dave Hansen
2023-05-16 23:36 ` Jeff Xu
2023-05-17 4:50 ` Jeff Xu
2023-05-15 13:05 ` [PATCH 4/6] PKEY:selftest pkey_enforce_api for mprotect jeffxu
2023-05-15 13:05 ` [PATCH 5/6] KEY: Apply PKEY_ENFORCE_API to munmap jeffxu
2023-05-16 20:06 ` Kees Cook
2023-05-16 22:24 ` Jeff Xu
2023-05-16 23:23 ` Dave Hansen
2023-05-17 0:08 ` Jeff Xu
2023-05-15 13:05 ` [PATCH 6/6] PKEY:selftest pkey_enforce_api for munmap jeffxu
2023-05-15 14:28 ` [PATCH 0/6] Memory Mapping (VMA) protection using PKU - set 1 Dave Hansen
2023-05-15 15:03 ` Stephen Röttger
2023-05-16 7:06 ` Stephen Röttger
2023-05-16 22:41 ` Dave Hansen
2023-05-17 10:51 ` Stephen Röttger
2023-05-17 15:07 ` Dave Hansen
2023-05-17 15:21 ` Jeff Xu
2023-05-17 15:29 ` Dave Hansen
2023-05-17 23:48 ` Jeff Xu
2023-05-18 15:37 ` Dave Hansen
2023-05-18 20:20 ` Jeff Xu [this message]
2023-05-18 21:04 ` Dave Hansen
2023-05-19 11:13 ` Stephen Röttger
2023-05-24 20:15 ` Jeff Xu
2023-06-01 1:39 ` Jeff Xu
2023-06-01 16:16 ` Dave Hansen
2023-05-31 23:02 ` Jeff Xu
2023-05-16 20:08 ` Kees Cook
2023-05-16 22:17 ` Jeff Xu
2023-05-16 22:30 ` Dave Hansen
2023-05-16 23:39 ` Jeff Xu
2023-05-17 10:49 ` Stephen Röttger
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to='CALmYWFuSTc5Q7Hrra8FijE11+Y1KiROa=xCZWL1D3ifthrrDMQ@mail.gmail.com' \
--to=jeffxu@google.com \
--cc=akpm@linux-foundation.org \
--cc=dave.hansen@intel.com \
--cc=groeck@chromium.org \
--cc=jannh@google.com \
--cc=jeffxu@chromium.org \
--cc=jorgelo@chromium.org \
--cc=keescook@chromium.org \
--cc=linux-hardening@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-kselftest@vger.kernel.org \
--cc=linux-mm@kvack.org \
--cc=luto@kernel.org \
--cc=sroettger@google.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.