From: Bharata B Rao <bharata@amd.com>
To: Andy Lutomirski <luto@kernel.org>,
Linux Kernel Mailing List <linux-kernel@vger.kernel.org>
Cc: linux-mm@kvack.org, the arch/x86 maintainers <x86@kernel.org>,
"Kirill A. Shutemov" <kirill.shutemov@linux.intel.com>,
Thomas Gleixner <tglx@linutronix.de>,
Ingo Molnar <mingo@redhat.com>, Borislav Petkov <bp@alien8.de>,
Dave Hansen <dave.hansen@linux.intel.com>,
Catalin Marinas <catalin.marinas@arm.com>,
Will Deacon <will@kernel.org>,
shuah@kernel.org, Oleg Nesterov <oleg@redhat.com>,
ananth.narayan@amd.com
Subject: Re: [RFC PATCH v0 0/6] x86/AMD: Userspace address tagging
Date: Wed, 23 Mar 2022 13:18:41 +0530 [thread overview]
Message-ID: <b0861376-e628-06bd-713e-8837e0dc9d0b@amd.com> (raw)
In-Reply-To: <6a5076ad-405e-4e5e-af55-fe2a6b01467d@www.fastmail.com>
On 3/22/2022 3:59 AM, Andy Lutomirski wrote:
> On Thu, Mar 10, 2022, at 3:15 AM, Bharata B Rao wrote:
>> Hi,
>>
>> This patchset makes use of Upper Address Ignore (UAI) feature available
>> on upcoming AMD processors to provide user address tagging support for x86/AMD.
>>
>> UAI allows software to store a tag in the upper 7 bits of a logical
>> address [63:57]. When enabled, the processor will suppress the
>> traditional canonical address checks on the addresses. More information
>> about UAI can be found in section 5.10 of 'AMD64 Architecture
>> Programmer's Manual, Vol 2: System Programming' which is available from
>>
>> https://bugzilla.kernel.org/attachment.cgi?id=300549
>
> I hate to be a pain, but I'm really not convinced that this feature is suitable for Linux. There are a few reasons:
>
> Right now, the concept that the high bit of an address determines whether it's a user or a kernel address is fairly fundamental to the x86_64 (and x86_32!) code. It may not be strictly necessary to preserve this, but violating it would require substantial thought. With UAI enabled, kernel and user addresses are, functionally, interleaved. This makes things like access_ok checks, and more generally anything that operates on a range of addresses, behave potentially quite differently. A lot of auditing of existing code would be needed to make it safe.
Ok got that. However can you point to me a few instances in the current
kernel code where such assumption of high bit being user/kernel address
differentiator exists so that I get some idea of what it takes to
audit all such cases?
Also wouldn't the problem of high bit be solved by using only the
6 out of 7 available bits in UAI and leaving the 63rd bit alone?
The hardware will still ignore the top bit, but this should take
care of the requirement of high bit being 0/1 for user/kernel in the
x86_64 kernel. Wouldn't that work?
>
> UAI looks like it wasn't intended to be context switched and, indeed, your series doesn't context switch it. As far as I'm concerned, this is an error, and if we support UAI at all, we should context switch it. Yes, this will be slow, perhaps painfully slow. AMD knows how to fix it by, for example, reading the Intel SDM. By *not* context switching UAI, we force it on for all user code, including unsuspecting user code, as well as for kernel code. Do we actually want it on for kernel code? With LAM, in contrast, the semantics for kernel pointers vs user pointers actually make sense and can be set per mm, which will make things like io_uring (in theory) do the right thing.
I plan to enable/disable UAI based on the next task's settings by
doing MSR write to EFER during context switch. I will have to measure
how much additional cost an MSR write in context switch path brings in.
However given that without a hardware feature like ARM64 MTE, this would
primarily be used in non-production environments. Hence I wonder if MSR
write cost could be tolerated?
Regarding enabling UAI for kernel, I will have to check how clean and
efficient it would be to disable/enable UAI on user/kernel entry/exit
points.
>
> UAI and LAM are incompatible from a userspace perspective. Since LAM is pretty clearly superior [0], it seems like a better long term outcome would be for programs that want tag bits to target LAM and for AMD to support LAM if there is demand. For that matter, do we actually expect any userspace to want to support UAI? (Are there existing too-clever sandboxes that would be broken by enabling UAI?)
>
> Given that UAI is not efficiently context switched, the implementation of uaccess is rather bizarre. With the implementation in this series in particular, if the access_ok checks ever get out of sync with actual user access, a user access could be emitted with the high bits not masked despite the range check succeeding due to masking, which would, unless great care is taken, result in a "user" access hitting the kernel range. That's no good.
Okay, I guess if context switching and sticking to 6 bits as mentioned
earlier is feasible, this concern too goes away unless I am missing something.
Thanks for your feedback.
Regards,
Bharata.
next prev parent reply other threads:[~2022-03-23 7:48 UTC|newest]
Thread overview: 33+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-03-10 11:15 [RFC PATCH v0 0/6] x86/AMD: Userspace address tagging Bharata B Rao
2022-03-10 11:15 ` [RFC PATCH v0 1/6] mm, arm64: Update PR_SET/GET_TAGGED_ADDR_CTRL interface Bharata B Rao
2022-03-10 11:15 ` [RFC PATCH v0 2/6] x86/cpufeatures: Add Upper Address Ignore(UAI) as CPU feature Bharata B Rao
2022-03-10 11:15 ` [RFC PATCH v0 3/6] x86: Enable Upper Address Ignore(UAI) feature Bharata B Rao
2022-03-10 19:46 ` Andrew Cooper
2022-03-10 22:37 ` David Laight
2022-03-10 22:46 ` Dave Hansen
2022-03-11 12:37 ` Boris Petkov
2022-03-10 11:15 ` [RFC PATCH v0 4/6] x86: Provide an implementation of untagged_addr() Bharata B Rao
2022-03-10 11:15 ` [RFC PATCH v0 5/6] x86: Untag user pointers in access_ok() Bharata B Rao
2022-03-10 11:15 ` [RFC PATCH v0 6/6] x86: Add prctl() options to control tagged user addresses ABI Bharata B Rao
2022-03-10 14:32 ` [RFC PATCH v0 0/6] x86/AMD: Userspace address tagging David Laight
2022-03-10 16:45 ` Dave Hansen
2022-03-10 17:19 ` David Laight
2022-03-11 5:42 ` Bharata B Rao
2022-03-11 8:15 ` David Laight
2022-03-11 9:11 ` Bharata B Rao
2022-03-11 9:36 ` David Laight
2022-03-11 16:51 ` Dave Hansen
2022-03-10 15:16 ` Dave Hansen
2022-03-10 15:22 ` Dave Hansen
2022-03-14 5:00 ` Bharata B Rao
2022-03-14 7:03 ` Dave Hansen
2022-03-21 22:29 ` Andy Lutomirski
2022-03-21 22:59 ` Thomas Gleixner
2022-03-22 5:31 ` David Laight
2022-03-23 7:48 ` Bharata B Rao [this message]
2022-04-01 19:25 ` Dave Hansen
2022-04-05 5:58 ` Bharata B Rao
2022-04-01 19:41 ` Andy Lutomirski
2022-04-05 8:14 ` Peter Zijlstra
2022-04-05 8:40 ` Bharata B Rao
2022-04-08 17:41 ` Catalin Marinas
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=b0861376-e628-06bd-713e-8837e0dc9d0b@amd.com \
--to=bharata@amd.com \
--cc=ananth.narayan@amd.com \
--cc=bp@alien8.de \
--cc=catalin.marinas@arm.com \
--cc=dave.hansen@linux.intel.com \
--cc=kirill.shutemov@linux.intel.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mm@kvack.org \
--cc=luto@kernel.org \
--cc=mingo@redhat.com \
--cc=oleg@redhat.com \
--cc=shuah@kernel.org \
--cc=tglx@linutronix.de \
--cc=will@kernel.org \
--cc=x86@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).