From: Khalid Aziz <khalid.aziz@oracle.com>
To: juergh@gmail.com, tycho@tycho.ws, jsteckli@amazon.de,
ak@linux.intel.com, torvalds@linux-foundation.org,
liran.alon@oracle.com, keescook@google.com,
konrad.wilk@oracle.com
Cc: deepa.srinivasan@oracle.com, chris.hyser@oracle.com,
tyhicks@canonical.com, dwmw@amazon.co.uk,
andrew.cooper3@citrix.com, jcm@redhat.com,
boris.ostrovsky@oracle.com, kanth.ghatraju@oracle.com,
joao.m.martins@oracle.com, jmattson@google.com,
pradeep.vincent@oracle.com, john.haxby@oracle.com,
tglx@linutronix.de, kirill.shutemov@linux.intel.com, hch@lst.de,
steven.sistare@oracle.com, kernel-hardening@lists.openwall.com,
linux-mm@kvack.org, linux-kernel@vger.kernel.org, x86@kernel.org,
"Vasileios P . Kemerlis" <vpk@cs.columbia.edu>,
Juerg Haefliger <juerg.haefliger@canonical.com>,
Tycho Andersen <tycho@docker.com>,
Marco Benatto <marco.antonio.780@gmail.com>,
David Woodhouse <dwmw2@infradead.org>,
Khalid Aziz <khalid.aziz@oracle.com>
Subject: [RFC PATCH v7 11/16] mm, x86: omit TLB flushing by default for XPFO page table modifications
Date: Thu, 10 Jan 2019 14:09:43 -0700 [thread overview]
Message-ID: <4e51a5d4409b54116968b8c0501f6d82c4eb9cb5.1547153058.git.khalid.aziz@oracle.com> (raw)
In-Reply-To: <cover.1547153058.git.khalid.aziz@oracle.com>
In-Reply-To: <cover.1547153058.git.khalid.aziz@oracle.com>
From: Julian Stecklina <jsteckli@amazon.de>
XPFO carries a large performance overhead. In my tests, I saw >40%
overhead for compiling a Linux kernel with XPFO enabled. The
frequent TLB flushes that XPFO performs are the root cause of much
of this overhead.
TLB flushing is required for full paranoia mode where we don't want
TLB entries of physmap pages to stick around potentially
indefinitely. In reality, though, these TLB entries are going to be
evicted pretty rapidly even without explicit flushing. That means
omitting TLB flushes only marginally lowers the security benefits of
XPFO. For kernel compile, omitting TLB flushes pushes the overhead
below 3%.
Change the default in XPFO to not flush TLBs unless the user
explicitly requests to do so using a kernel parameter.
Signed-off-by: Julian Stecklina <jsteckli@amazon.de>
Cc: x86@kernel.org
Cc: kernel-hardening@lists.openwall.com
Cc: Vasileios P. Kemerlis <vpk@cs.columbia.edu>
Cc: Juerg Haefliger <juerg.haefliger@canonical.com>
Cc: Tycho Andersen <tycho@docker.com>
Cc: Marco Benatto <marco.antonio.780@gmail.com>
Cc: David Woodhouse <dwmw2@infradead.org>
Signed-off-by: Khalid Aziz <khalid.aziz@oracle.com>
---
mm/xpfo.c | 37 +++++++++++++++++++++++++++++--------
1 file changed, 29 insertions(+), 8 deletions(-)
diff --git a/mm/xpfo.c b/mm/xpfo.c
index 25fba05d01bd..e80374b0c78e 100644
--- a/mm/xpfo.c
+++ b/mm/xpfo.c
@@ -36,6 +36,7 @@ struct xpfo {
};
DEFINE_STATIC_KEY_FALSE(xpfo_inited);
+DEFINE_STATIC_KEY_FALSE(xpfo_do_tlb_flush);
static bool xpfo_disabled __initdata;
@@ -46,7 +47,15 @@ static int __init noxpfo_param(char *str)
return 0;
}
+static int __init xpfotlbflush_param(char *str)
+{
+ static_branch_enable(&xpfo_do_tlb_flush);
+
+ return 0;
+}
+
early_param("noxpfo", noxpfo_param);
+early_param("xpfotlbflush", xpfotlbflush_param);
static bool __init need_xpfo(void)
{
@@ -76,6 +85,13 @@ bool __init xpfo_enabled(void)
}
EXPORT_SYMBOL(xpfo_enabled);
+
+static void xpfo_cond_flush_kernel_tlb(struct page *page, int order)
+{
+ if (static_branch_unlikely(&xpfo_do_tlb_flush))
+ xpfo_flush_kernel_tlb(page, order);
+}
+
static inline struct xpfo *lookup_xpfo(struct page *page)
{
struct page_ext *page_ext = lookup_page_ext(page);
@@ -114,12 +130,17 @@ void xpfo_alloc_pages(struct page *page, int order, gfp_t gfp)
"xpfo: already mapped page being allocated\n");
if ((gfp & GFP_HIGHUSER) == GFP_HIGHUSER) {
- /*
- * Tag the page as a user page and flush the TLB if it
- * was previously allocated to the kernel.
- */
- if (!test_and_set_bit(XPFO_PAGE_USER, &xpfo->flags))
- flush_tlb = 1;
+ if (static_branch_unlikely(&xpfo_do_tlb_flush)) {
+ /*
+ * Tag the page as a user page and flush the TLB if it
+ * was previously allocated to the kernel.
+ */
+ if (!test_and_set_bit(XPFO_PAGE_USER, &xpfo->flags))
+ flush_tlb = 1;
+ } else {
+ set_bit(XPFO_PAGE_USER, &xpfo->flags);
+ }
+
} else {
/* Tag the page as a non-user (kernel) page */
clear_bit(XPFO_PAGE_USER, &xpfo->flags);
@@ -127,7 +148,7 @@ void xpfo_alloc_pages(struct page *page, int order, gfp_t gfp)
}
if (flush_tlb)
- xpfo_flush_kernel_tlb(page, order);
+ xpfo_cond_flush_kernel_tlb(page, order);
}
void xpfo_free_pages(struct page *page, int order)
@@ -221,7 +242,7 @@ void xpfo_kunmap(void *kaddr, struct page *page)
"xpfo: unmapping already unmapped page\n");
set_bit(XPFO_PAGE_UNMAPPED, &xpfo->flags);
set_kpte(kaddr, page, __pgprot(0));
- xpfo_flush_kernel_tlb(page, 0);
+ xpfo_cond_flush_kernel_tlb(page, 0);
}
spin_unlock(&xpfo->maplock);
--
2.17.1
next prev parent reply other threads:[~2019-01-10 21:09 UTC|newest]
Thread overview: 45+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-01-10 21:09 [RFC PATCH v7 00/16] Add support for eXclusive Page Frame Ownership Khalid Aziz
2019-01-10 21:09 ` [RFC PATCH v7 01/16] mm: add MAP_HUGETLB support to vm_mmap Khalid Aziz
2019-01-10 21:09 ` [RFC PATCH v7 02/16] x86: always set IF before oopsing from page fault Khalid Aziz
2019-01-10 21:09 ` [RFC PATCH v7 03/16] mm, x86: Add support for eXclusive Page Frame Ownership (XPFO) Khalid Aziz
2019-01-10 21:09 ` [RFC PATCH v7 04/16] swiotlb: Map the buffer if it was unmapped by XPFO Khalid Aziz
2019-01-23 14:16 ` Konrad Rzeszutek Wilk
2019-01-10 21:09 ` [RFC PATCH v7 05/16] arm64/mm: Add support for XPFO Khalid Aziz
2019-01-23 14:20 ` Konrad Rzeszutek Wilk
2019-02-12 15:45 ` Khalid Aziz
2019-01-23 14:24 ` Konrad Rzeszutek Wilk
2019-02-12 15:52 ` Khalid Aziz
2019-02-12 20:01 ` Laura Abbott
2019-02-12 20:34 ` Khalid Aziz
2019-01-10 21:09 ` [RFC PATCH v7 06/16] xpfo: add primitives for mapping underlying memory Khalid Aziz
2019-01-10 21:09 ` [RFC PATCH v7 07/16] arm64/mm, xpfo: temporarily map dcache regions Khalid Aziz
2019-01-11 14:54 ` Tycho Andersen
2019-01-11 18:28 ` Khalid Aziz
2019-01-11 19:50 ` Tycho Andersen
2019-01-23 14:56 ` Konrad Rzeszutek Wilk
2019-01-10 21:09 ` [RFC PATCH v7 08/16] arm64/mm: disable section/contiguous mappings if XPFO is enabled Khalid Aziz
2019-01-10 21:09 ` [RFC PATCH v7 09/16] mm: add a user_virt_to_phys symbol Khalid Aziz
2019-01-23 15:03 ` Konrad Rzeszutek Wilk
2019-01-10 21:09 ` [RFC PATCH v7 10/16] lkdtm: Add test for XPFO Khalid Aziz
2019-01-10 21:09 ` Khalid Aziz [this message]
2019-01-10 21:09 ` [RFC PATCH v7 12/16] xpfo, mm: remove dependency on CONFIG_PAGE_EXTENSION Khalid Aziz
2019-01-10 21:09 ` [RFC PATCH v7 13/16] xpfo, mm: optimize spinlock usage in xpfo_kunmap Khalid Aziz
2019-01-10 21:09 ` [RFC PATCH v7 14/16] EXPERIMENTAL: xpfo, mm: optimize spin lock usage in xpfo_kmap Khalid Aziz
2019-01-17 0:18 ` Laura Abbott
2019-01-17 15:14 ` Khalid Aziz
2019-01-10 21:09 ` [RFC PATCH v7 15/16] xpfo, mm: Fix hang when booting with "xpfotlbflush" Khalid Aziz
2019-01-10 21:09 ` [RFC PATCH v7 16/16] xpfo, mm: Defer TLB flushes for non-current CPUs (x86 only) Khalid Aziz
2019-01-10 23:07 ` [RFC PATCH v7 00/16] Add support for eXclusive Page Frame Ownership Kees Cook
2019-01-11 0:20 ` Khalid Aziz
2019-01-11 0:44 ` Andy Lutomirski
2019-01-11 21:45 ` Khalid Aziz
2019-01-10 23:40 ` Dave Hansen
2019-01-11 9:59 ` Peter Zijlstra
2019-01-11 18:21 ` Khalid Aziz
2019-01-11 20:42 ` Dave Hansen
2019-01-11 21:06 ` Andy Lutomirski
2019-01-11 23:25 ` Khalid Aziz
2019-01-11 23:23 ` Khalid Aziz
2019-01-16 1:28 ` Laura Abbott
[not found] ` <ciirm8o98gzm4z.fsf@u54ee758033e858cfa736.ant.amazon.com>
2019-01-16 15:16 ` Khalid Aziz
2019-01-17 23:38 ` Laura Abbott
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=4e51a5d4409b54116968b8c0501f6d82c4eb9cb5.1547153058.git.khalid.aziz@oracle.com \
--to=khalid.aziz@oracle.com \
--cc=ak@linux.intel.com \
--cc=andrew.cooper3@citrix.com \
--cc=boris.ostrovsky@oracle.com \
--cc=chris.hyser@oracle.com \
--cc=deepa.srinivasan@oracle.com \
--cc=dwmw2@infradead.org \
--cc=dwmw@amazon.co.uk \
--cc=hch@lst.de \
--cc=jcm@redhat.com \
--cc=jmattson@google.com \
--cc=joao.m.martins@oracle.com \
--cc=john.haxby@oracle.com \
--cc=jsteckli@amazon.de \
--cc=juerg.haefliger@canonical.com \
--cc=juergh@gmail.com \
--cc=kanth.ghatraju@oracle.com \
--cc=keescook@google.com \
--cc=kernel-hardening@lists.openwall.com \
--cc=kirill.shutemov@linux.intel.com \
--cc=konrad.wilk@oracle.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mm@kvack.org \
--cc=liran.alon@oracle.com \
--cc=marco.antonio.780@gmail.com \
--cc=pradeep.vincent@oracle.com \
--cc=steven.sistare@oracle.com \
--cc=tglx@linutronix.de \
--cc=torvalds@linux-foundation.org \
--cc=tycho@docker.com \
--cc=tycho@tycho.ws \
--cc=tyhicks@canonical.com \
--cc=vpk@cs.columbia.edu \
--cc=x86@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).