From: Ard Biesheuvel
Date: Fri, 5 Mar 2021 20:17:07 +0100
Subject: Re: [PATCH 2/2] arm64: mm: use XN table mapping attributes for the linear region
To: Catalin Marinas
Cc: Linux ARM, Marc Zyngier, Will Deacon, Mark Rutland, Anshuman Khandual, Quentin Perret, Android Kernel Team
In-Reply-To: <20210305190600.GK23855@arm.com>

On Fri, 5 Mar 2021 at 20:06, Catalin Marinas wrote:
>
> On Thu, Mar 04, 2021 at 06:11:45PM +0100, Ard Biesheuvel wrote:
> > The way the arm64 kernel virtual address space is constructed guarantees
> > that swapper PGD entries are never shared between the linear region on
> > the one hand, and the vmalloc region on the other, which is where all
> > kernel text, module text and BPF text mappings reside.
> >
> > This means that mappings in the linear region (which never require
> > executable permissions) never share any table entries at any level with
> > mappings that do require executable permissions, and so we can set the
> > table-level PXN/UXN attributes for all table entries that are created
> > while setting up mappings in the linear region. Since swapper's PGD
> > level page table is mapped r/o itself, this adds another layer of
> > robustness to the way the kernel manages its own page tables.
>
> In ARMv8.1 the architecture added the possibility of disabling the
> hierarchical page table permissions (FEAT_HPDS) so that we can use these
> bits for software.
>

Sure, but I don't think there is a shortage of software bits in table
descriptors, right? And we don't enable the feature in the first place.

> Is there any big advantage to using the hierarchical permissions vs
> some sanity check in set_pte() for example?
>

There is a big advantage: the fact that the permissions are both
hierarchical and subtractive.
Sanity checks in set_pte() only cover page mappings that were created
in the correct way. But that does not help us if an attacker manages a
single 64-bit write that creates a page or table entry pointing to a
page under their control. Taking away the exec permissions at the
levels above makes it much more difficult to carry out such an attack,
especially given that the root level is not mapped read-write to begin
with.

_______________________________________________
linux-arm-kernel mailing list
linux-arm-kernel@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-arm-kernel
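
Added example, not part of the original message or of the patch under discussion: a toy C model of the walk that shows why table-level PXN is subtractive, comparing one linear-region path built with and without the table XN attributes after a single stray descriptor write. The macro and function names, the 4-entry tables and the pool-index addressing are assumptions of this example; only the descriptor bit positions follow the architecture.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Toy model of arm64 stage-1 descriptors: 4 entries per table, not 512. */
#define VALID     (1ULL << 0)
#define TABLE     (1ULL << 1)   /* bits[1:0]=0b11: table (L0-2) or page (L3) */
#define PXN       (1ULL << 53)  /* leaf: privileged execute-never */
#define UXN       (1ULL << 54)  /* leaf: unprivileged execute-never */
#define PXN_TABLE (1ULL << 59)  /* table: PXN for everything below */
#define UXN_TABLE (1ULL << 60)  /* table: UXN for everything below */
#define OA(n)     ((uint64_t)(n) << 12)  /* output address = pool index */
static uint64_t pool[8][4];     /* constructed "physical memory" for tables */

/* Walk levels 0..3 from the root (pool[0]); true if privileged exec is allowed. */
static bool walk_priv_exec(const unsigned idx[4])
{
    const uint64_t *tbl = pool[0];
    bool pxn = false;
    for (int lvl = 0; lvl < 4; lvl++) {
        uint64_t d = tbl[idx[lvl]];
        if (!(d & VALID)) return false;   /* translation fault */
        if (lvl == 3 || !(d & TABLE))     /* page or block: leaf */
            return !(pxn || (d & PXN));
        pxn |= (d & PXN_TABLE) != 0;      /* subtractive: can only remove exec */
        tbl = pool[(d >> 12) & 7];
    }
    return false;
}

/* Build one linear-region path, apply one stray 64-bit write at lvl (2 or 3), re-walk. */
static bool exec_after_stray_write(bool table_xn, int lvl)
{
    const unsigned idx[4] = { 0, 0, 0, 0 };
    uint64_t tattr = VALID | TABLE | (table_xn ? PXN_TABLE | UXN_TABLE : 0);
    for (int i = 0; i < 3; i++)
        pool[i][0] = OA(i + 1) | tattr;                 /* table entries, levels 0-2 */
    pool[3][0] = OA(100) | VALID | TABLE | PXN | UXN;   /* normal linear-map page */
    pool[4][0] = OA(200) | VALID | TABLE;               /* rogue L3 table, exec leaf */
    pool[lvl][0] = (lvl == 3 ? OA(200) : OA(4)) | VALID | TABLE; /* the stray write */
    return walk_priv_exec(idx);
}

int main(void)
{
    for (int xn = 0; xn < 2; xn++)
        printf("table XN=%d: exec after L2 write %d, L3 write %d\n", xn,
               exec_after_stray_write(xn, 2), exec_after_stray_write(xn, 3));
    return 0;
}
```

With the table attributes set, both the rewritten page entry and the rewritten table entry still resolve to non-executable, because the untouched levels above carry PXNTable.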