From: Russell Currey <ruscur@russell.cc>
To: Kees Cook <keescook@chromium.org>
Cc: PowerPC <linuxppc-dev@lists.ozlabs.org>,
Michael Ellerman <mpe@ellerman.id.au>,
Nick Piggin <npiggin@gmail.com>,
Christophe Leroy <christophe.leroy@c-s.fr>,
Kernel Hardening <kernel-hardening@lists.openwall.com>
Subject: Re: [PATCH 0/7] Kernel Userspace Protection for radix
Date: Fri, 22 Feb 2019 11:09:22 +1100 [thread overview]
Message-ID: <8ef1669cdfbcc6114eebc30c610c91c191c7cc7a.camel@russell.cc> (raw)
In-Reply-To: <CAGXu5j+P1wh0uf1kfMywSTo4NYtwFPSnKXg6wbfyBRqwVRZVYA@mail.gmail.com>
On Thu, 2019-02-21 at 08:07 -0800, Kees Cook wrote:
> On Thu, Feb 21, 2019 at 1:36 AM Russell Currey <ruscur@russell.cc>
> wrote:
> > The first three patches of these series are from Christophe's work
> > and are
> > the bare minimum framework needed to implement the support for
> > radix.
> >
> > In patch 3, I have removed from Christophe's patch my
> > implementation of
> > the 64-bit exception handling code, since we don't have an answer
> > for
> > making nested exceptions work yet. This is mentioned in the final
> > KUAP
> > patch. Regardless, this is still a significant security
> > improvement
> > and greatly narrows the attack surface.
>
> Nice! Am I understanding correctly that with this series powerpc9 and
> later, using radix, will pass the lkdtm tests for KUAP and KUEP (i.e.
> EXEC_USERSPACE and ACCESS_USERSPACE)?
Yes! We've had execution prevention for a while on radix (which is
default on POWER9) since 3b10d0095a1e, the only functional thing this
series does is allow disabling it with nosmep. This series adds access
prevention.
next prev parent reply other threads:[~2019-02-22 0:09 UTC|newest]
Thread overview: 17+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-02-21 9:35 [PATCH 0/7] Kernel Userspace Protection for radix Russell Currey
2019-02-21 9:35 ` [PATCH 1/7] powerpc: Add framework for Kernel Userspace Protection Russell Currey
2019-02-21 9:35 ` [PATCH 2/7] powerpc: Add skeleton for Kernel Userspace Execution Prevention Russell Currey
2019-02-21 9:35 ` [PATCH 3/7] powerpc/mm: Add a framework for Kernel Userspace Access Protection Russell Currey
2019-02-21 10:46 ` Christophe Leroy
2019-02-21 14:48 ` Mark Rutland
2019-02-22 0:11 ` Russell Currey
2019-02-21 12:56 ` kbuild test robot
2019-02-21 9:35 ` [PATCH 4/7] powerpc/64: Setup KUP on secondary CPUs Russell Currey
2019-02-21 9:35 ` [PATCH 5/7] powerpc/mm/radix: Use KUEP API for Radix MMU Russell Currey
2019-02-21 9:36 ` [PATCH 6/7] powerpc/lib: Refactor __patch_instruction() to use __put_user_asm() Russell Currey
2019-02-21 9:36 ` [PATCH 7/7] powerpc/64s: Implement KUAP for Radix MMU Russell Currey
2019-02-22 5:14 ` Nicholas Piggin
2019-02-21 16:07 ` [PATCH 0/7] Kernel Userspace Protection for radix Kees Cook
2019-02-22 0:09 ` Russell Currey [this message]
2019-02-22 0:16 ` Kees Cook
2019-02-22 3:46 ` Michael Ellerman
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=8ef1669cdfbcc6114eebc30c610c91c191c7cc7a.camel@russell.cc \
--to=ruscur@russell.cc \
--cc=christophe.leroy@c-s.fr \
--cc=keescook@chromium.org \
--cc=kernel-hardening@lists.openwall.com \
--cc=linuxppc-dev@lists.ozlabs.org \
--cc=mpe@ellerman.id.au \
--cc=npiggin@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).