From: tip-bot for Andy Lutomirski <tipbot@zytor.com>
To: linux-tip-commits@vger.kernel.org
Cc: tglx@linutronix.de, linux-kernel@vger.kernel.org, will.deacon@arm.com, mhiramat@kernel.org, hpa@zytor.com, torvalds@linux-foundation.org, peterz@infradead.org, mingo@kernel.org, kernel-hardening@lists.openwall.com, dave.hansen@intel.com, kristen@linux.intel.com, riel@surriel.com, linux_dti@icloud.com, namit@vmware.com, ard.biesheuvel@linaro.org, luto@kernel.org, keescook@chromium.org, rick.p.edgecombe@intel.com, bp@alien8.de, akpm@linux-foundation.org, deneen.t.dock@intel.com
Subject: [tip:x86/mm] x86/mm: Introduce temporary mm structs
Date: Tue, 30 Apr 2019 04:16:36 -0700
Message-ID: <tip-cefa929c034eb5d9c15c50088235a0093a219687@git.kernel.org>
In-Reply-To: <20190426001143.4983-4-namit@vmware.com>

Commit-ID: cefa929c034eb5d9c15c50088235a0093a219687
Gitweb: https://git.kernel.org/tip/cefa929c034eb5d9c15c50088235a0093a219687
Author: Andy Lutomirski <luto@kernel.org>
AuthorDate: Thu, 25 Apr 2019 17:11:23 -0700
Committer: Ingo Molnar <mingo@kernel.org>
CommitDate: Tue, 30 Apr 2019 12:37:50 +0200

x86/mm: Introduce temporary mm structs

Using a dedicated page-table for temporary PTEs prevents other cores
from using - even speculatively - these PTEs, thereby providing two
benefits:

(1) Security hardening: an attacker that gains kernel memory writing
    abilities cannot easily overwrite sensitive data.

(2) Avoiding TLB shootdowns: the PTEs do not need to be flushed in
    remote page-tables.

To do so a temporary mm_struct can be used. Mappings which are private
for this mm can be set in the userspace part of the address-space.
During the whole time in which the temporary mm is loaded, interrupts
must be disabled.

The first use-case for temporary mm struct, which will follow, is for
poking the kernel text.

[ Commit message was written by Nadav Amit ]

Tested-by: Masami Hiramatsu <mhiramat@kernel.org>
Signed-off-by: Andy Lutomirski <luto@kernel.org>
Signed-off-by: Nadav Amit <namit@vmware.com>
Signed-off-by: Rick Edgecombe <rick.p.edgecombe@intel.com>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Reviewed-by: Masami Hiramatsu <mhiramat@kernel.org>
Cc: <akpm@linux-foundation.org>
Cc: <ard.biesheuvel@linaro.org>
Cc: <deneen.t.dock@intel.com>
Cc: <kernel-hardening@lists.openwall.com>
Cc: <kristen@linux.intel.com>
Cc: <linux_dti@icloud.com>
Cc: <will.deacon@arm.com>
Cc: Borislav Petkov <bp@alien8.de>
Cc: Dave Hansen <dave.hansen@intel.com>
Cc: H. Peter Anvin <hpa@zytor.com>
Cc: Kees Cook <keescook@chromium.org>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Rik van Riel <riel@surriel.com>
Cc: Thomas Gleixner <tglx@linutronix.de>
Link: https://lkml.kernel.org/r/20190426001143.4983-4-namit@vmware.com
Signed-off-by: Ingo Molnar <mingo@kernel.org>
--- arch/x86/include/asm/mmu_context.h | 33 +++++++++++++++++++++++++++++++++ 1 file changed, 33 insertions(+) diff --git a/arch/x86/include/asm/mmu_context.h b/arch/x86/include/asm/mmu_context.h index 19d18fae6ec6..24dc3b810970 100644 --- a/arch/x86/include/asm/mmu_context.h +++ b/arch/x86/include/asm/mmu_context.h 
@@ -356,4 +356,37 @@ static inline unsigned long __get_current_cr3_fast(void) return cr3; } +typedef struct { + struct mm_struct *mm; +} temp_mm_state_t; + +/* + * Using a temporary mm allows to set temporary mappings that are not accessible + * by other CPUs. Such mappings are needed to perform sensitive memory writes + * that override the kernel memory protections (e.g., W^X), without exposing the + * temporary page-table mappings that are required for these write operations to + * other CPUs. Using a temporary mm also allows to avoid TLB shootdowns when the + * mapping is torn down. + * + * Context: The temporary mm needs to be used exclusively by a single core. To + * harden security IRQs must be disabled while the temporary mm is + * loaded, thereby preventing interrupt handler bugs from overriding + * the kernel memory protection. + */ +static inline temp_mm_state_t use_temporary_mm(struct mm_struct *mm) +{ + temp_mm_state_t temp_state; + + lockdep_assert_irqs_disabled(); + temp_state.mm = this_cpu_read(cpu_tlbstate.loaded_mm); + switch_mm_irqs_off(NULL, mm, current); + return temp_state; +} + +static inline void unuse_temporary_mm(temp_mm_state_t prev_state) +{ + lockdep_assert_irqs_disabled(); + switch_mm_irqs_off(NULL, prev_state.mm, current); +} + #endif /* _ASM_X86_MMU_CONTEXT_H */
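Review bot: The two requirements in the Context comment (IRQs disabled while the temporary mm is loaded, and use by a single core only) are checked only by lockdep_assert_irqs_disabled() at entry to use_temporary_mm() and unuse_temporary_mm(), so nothing covers the interval between the two calls and nothing checks that the pair is not nested. The comment should say explicitly that the caller must keep IRQs off for the entire span from use_temporary_mm() to the matching unuse_temporary_mm(), and that the calls must not nest, since the returned temp_mm_state_t is the only record of the previous mm. Because temp_state.mm is taken from this_cpu_read(cpu_tlbstate.loaded_mm), it would also help to state that the returned state is only valid on the CPU that produced it and must be handed back to unuse_temporary_mm() on that same CPU. Finally, both switch_mm_irqs_off(NULL, ...) calls pass NULL as the first argument without explanation; a short comment on why that is acceptable here would save the next reader a trip into the callee.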