* [PATCH v8 0/6] Optionally randomize kernel stack offset each syscall
@ 2021-04-01 20:49 Roy Yang
2021-04-01 20:59 ` Theodore Ts'o
0 siblings, 1 reply; 4+ messages in thread
From: Roy Yang @ 2021-04-01 20:49 UTC (permalink / raw)
To: Theodore Ts'o
Cc: Al Viro, keescook, akpm, alex.popov, ard.biesheuvel,
catalin.marinas, corbet, david, elena.reshetova,
Alexander Potapenko, Jann Horn, kernel-hardening,
linux-arm-kernel, linux-hardening, linux-kernel, linux-mm, luto,
mark.rutland, peterz, rdunlap, rppt, tglx, vbabka, will, x86
Thanks Ted, Casey and Al Viro. I am sorry for the inconvenience.
I tried to follow the instructions listed under
https://lore.kernel.org/lkml/20210330205750.428816-1-keescook@chromium.org/
using git-send-email
Thought that will reply to the original thread with the original
subject . Let me know what I can do to correct this to avoid
confusion.
- Roy
On Thu, Apr 1, 2021 at 1:13 PM Theodore Ts'o <tytso@mit.edu> wrote:
>
> On Thu, Apr 01, 2021 at 07:48:30PM +0000, Al Viro wrote:
> > On Thu, Apr 01, 2021 at 12:17:44PM -0700, Roy Yang wrote:
> > > Both Android and Chrome OS really want this feature; For Container-Optimized OS, we have customers
> > > interested in the defense too.
> > >
> > > Thank you very much.
> > >
> > > Change-Id: I1eb1b726007aa8f9c374b934cc1c690fb4924aa3
> >
> > You forgot to tell what patch you are refering to. Your
> > Change-Id (whatever the hell that is) doesn't help at all. Don't
> > assume that keys in your internal database make sense for the
> > rest of the world, especially when they appear to contain a hash
> > of something...
>
> The Change-Id fails to have any direct search hits at lore.kernel.org.
> However, it turn up Roy's original patch, and clicking on the
> message-Id in the "In-Reply-Field", it apperas Roy was replying to
> this message:
>
> https://lore.kernel.org/lkml/20210330205750.428816-1-keescook@chromium.org/
>
> which is the head of this patch series:
>
> Subject: [PATCH v8 0/6] Optionally randomize kernel stack offset each syscall
>
> That being said, it would have been better if the original subject
> line had been preserved, and it's yet another example of how the
> lore.kernel.org URL is infinitely better than the Change-Id. :-)
>
> - Ted
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [PATCH v8 0/6] Optionally randomize kernel stack offset each syscall
2021-04-01 20:49 [PATCH v8 0/6] Optionally randomize kernel stack offset each syscall Roy Yang
@ 2021-04-01 20:59 ` Theodore Ts'o
0 siblings, 0 replies; 4+ messages in thread
From: Theodore Ts'o @ 2021-04-01 20:59 UTC (permalink / raw)
To: Roy Yang
Cc: Al Viro, keescook, akpm, alex.popov, ard.biesheuvel,
catalin.marinas, corbet, david, elena.reshetova,
Alexander Potapenko, Jann Horn, kernel-hardening,
linux-arm-kernel, linux-hardening, linux-kernel, linux-mm, luto,
mark.rutland, peterz, rdunlap, rppt, tglx, vbabka, will, x86
On Thu, Apr 01, 2021 at 01:49:17PM -0700, Roy Yang wrote:
> Thanks Ted, Casey and Al Viro. I am sorry for the inconvenience.
>
> I tried to follow the instructions listed under
> https://lore.kernel.org/lkml/20210330205750.428816-1-keescook@chromium.org/
> using git-send-email
>
> Thought that will reply to the original thread with the original
> subject . Let me know what I can do to correct this to avoid
> confusion.
It did chain to the original thread; that's how I was able to figure
out the context. However, it looks like in your reply, you set the
subject to be:
[PATCH] Where we are for this patch?
And the problem is if someone had deleted the original e-mail chain
--- for example, optimizing the kernel stack is not one of the
subjects that I normally closely track, I had already deleted those
e-mail chains. So all I saw (and I suspect all Al saw) was a message
with the above subject line, and no context.
If you had kept the original subject line, then those of us who mostly
focus on file system stuff would have known that it's an area which is
covered by other maintainers, and we wouldn't have deleted your query
and let someone else respond.
Cheers,
- Ted
P.S. I personally find the use "git-send-email" to reply to be so
much of a pain that I just use a non-google.com address to which I can
use a traditional threaded mail-reader (such as mutt) and I can send
e-mail without having to worry about the DMARC nonsense. :-)
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [PATCH v8 0/6] Optionally randomize kernel stack offset each syscall
2021-04-01 19:17 ` [PATCH] Where we are for this patch? Roy Yang
@ 2021-04-01 21:46 ` Kees Cook
0 siblings, 0 replies; 4+ messages in thread
From: Kees Cook @ 2021-04-01 21:46 UTC (permalink / raw)
To: Roy Yang
Cc: akpm, alex.popov, ard.biesheuvel, catalin.marinas, corbet, david,
elena.reshetova, glider, jannh, kernel-hardening,
linux-arm-kernel, linux-hardening, linux-kernel, linux-mm, luto,
mark.rutland, peterz, rdunlap, rppt, tglx, vbabka, will, x86
On Thu, Apr 01, 2021 at 12:17:44PM -0700, Roy Yang wrote:
> Both Android and Chrome OS really want this feature; For Container-Optimized OS, we have customers
> interested in the defense too.
It's pretty close! There are a couple recent comments that need to be
addressed, but hopefully it can land if x86 and arm64 maintainers are
happy v10.
> Change-Id: I1eb1b726007aa8f9c374b934cc1c690fb4924aa3
> --
> 2.31.0.208.g409f899ff0-goog
And to let other folks know, I'm guessing this email got sent with git
send-email to try to get a valid In-Reply-To header, but I guess git
trashed the Subject and ran hooks to generate a Change-Id UUID.
I assume it's from following the "Reply instructions" at the bottom of:
https://lore.kernel.org/lkml/20210330205750.428816-1-keescook@chromium.org/
(It seems those need clarification about Subject handling.)
--
Kees Cook
^ permalink raw reply [flat|nested] 4+ messages in thread
* [PATCH v8 0/6] Optionally randomize kernel stack offset each syscall
@ 2021-03-30 20:57 Kees Cook
2021-04-01 19:17 ` [PATCH] Where we are for this patch? Roy Yang
0 siblings, 1 reply; 4+ messages in thread
From: Kees Cook @ 2021-03-30 20:57 UTC (permalink / raw)
To: Thomas Gleixner
Cc: Kees Cook, Elena Reshetova, x86, Andy Lutomirski, Peter Zijlstra,
Catalin Marinas, Will Deacon, Mark Rutland, Alexander Potapenko,
Alexander Popov, Ard Biesheuvel, Jann Horn, Vlastimil Babka,
David Hildenbrand, Mike Rapoport, Andrew Morton, Jonathan Corbet,
Randy Dunlap, kernel-hardening, linux-hardening,
linux-arm-kernel, linux-mm, linux-kernel
v8:
- switch to __this_cpu_*() (tglx)
- improve commit log details, comments, and masking (ingo, tglx)
v7: https://lore.kernel.org/lkml/20210319212835.3928492-1-keescook@chromium.org/
v6: https://lore.kernel.org/lkml/20210315180229.1224655-1-keescook@chromium.org/
v5: https://lore.kernel.org/lkml/20210309214301.678739-1-keescook@chromium.org/
v4: https://lore.kernel.org/lkml/20200622193146.2985288-1-keescook@chromium.org/
v3: https://lore.kernel.org/lkml/20200406231606.37619-1-keescook@chromium.org/
v2: https://lore.kernel.org/lkml/20200324203231.64324-1-keescook@chromium.org/
rfc: https://lore.kernel.org/kernel-hardening/20190329081358.30497-1-elena.reshetova@intel.com/
Hi,
This is a continuation and refactoring of Elena's earlier effort to add
kernel stack base offset randomization. In the time since the earlier
discussions, two attacks[1][2] were made public that depended on stack
determinism, so we're no longer in the position of "this is a good idea
but we have no examples of attacks". :)
Earlier discussions also devolved into debates on entropy sources, which
is mostly a red herring, given the already low entropy available due
to stack size. Regardless, entropy can be changed/improved separately
from this series as needed.
Earlier discussions also got stuck debating how much syscall overhead
was too much, but this is also a red herring since the feature itself
needs to be selectable at boot with no cost for those that don't want it:
this is solved here with static branches.
So, here is the latest improved version, made as arch-agnostic as
possible, with usage added for x86 and arm64. It also includes some small
static branch clean ups, and addresses some surprise performance issues
due to the stack canary[3].
At the very least, the first two patches can land separately (already
Acked and Reviewed), since they're kind of "separate", but introduce
macros that are used in the core stack changes.
If I can get an Ack from an arm64 maintainer, I think this could all
land via -tip to make merging easiest.
Thanks!
-Kees
[1] https://a13xp0p0v.github.io/2020/02/15/CVE-2019-18683.html
[2] https://repositorio-aberto.up.pt/bitstream/10216/125357/2/374717.pdf
[3] https://lore.kernel.org/lkml/202003281520.A9BFF461@keescook/
Kees Cook (6):
jump_label: Provide CONFIG-driven build state defaults
init_on_alloc: Optimize static branches
stack: Optionally randomize kernel stack offset each syscall
x86/entry: Enable random_kstack_offset support
arm64: entry: Enable random_kstack_offset support
lkdtm: Add REPORT_STACK for checking stack offsets
.../admin-guide/kernel-parameters.txt | 11 ++++
Makefile | 4 ++
arch/Kconfig | 23 ++++++++
arch/arm64/Kconfig | 1 +
arch/arm64/kernel/Makefile | 5 ++
arch/arm64/kernel/syscall.c | 16 ++++++
arch/x86/Kconfig | 1 +
arch/x86/entry/common.c | 3 +
arch/x86/include/asm/entry-common.h | 16 ++++++
drivers/misc/lkdtm/bugs.c | 17 ++++++
drivers/misc/lkdtm/core.c | 1 +
drivers/misc/lkdtm/lkdtm.h | 1 +
include/linux/jump_label.h | 19 +++++++
include/linux/mm.h | 10 ++--
include/linux/randomize_kstack.h | 55 +++++++++++++++++++
init/main.c | 23 ++++++++
mm/page_alloc.c | 4 +-
mm/slab.h | 6 +-
18 files changed, 208 insertions(+), 8 deletions(-)
create mode 100644 include/linux/randomize_kstack.h
--
2.25.1
^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2021-04-01 21:46 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2021-04-01 20:49 [PATCH v8 0/6] Optionally randomize kernel stack offset each syscall Roy Yang
2021-04-01 20:59 ` Theodore Ts'o
-- strict thread matches above, loose matches on Subject: below --
2021-03-30 20:57 Kees Cook
2021-04-01 19:17 ` [PATCH] Where we are for this patch? Roy Yang
2021-04-01 21:46 ` [PATCH v8 0/6] Optionally randomize kernel stack offset each syscall Kees Cook
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).