From: Christophe Leroy <christophe.leroy@csgroup.eu>
To: Maxwell Bland <mbland@motorola.com>,
"linux-arm-kernel@lists.infradead.org"
<linux-arm-kernel@lists.infradead.org>
Cc: "mark.rutland@arm.com" <mark.rutland@arm.com>,
"linux-efi@vger.kernel.org" <linux-efi@vger.kernel.org>,
"david@redhat.com" <david@redhat.com>,
"catalin.marinas@arm.com" <catalin.marinas@arm.com>,
"dave.hansen@linux.intel.com" <dave.hansen@linux.intel.com>,
"ast@kernel.org" <ast@kernel.org>,
"linux@armlinux.org.uk" <linux@armlinux.org.uk>,
"linux-mm@kvack.org" <linux-mm@kvack.org>,
"ryabinin.a.a@gmail.com" <ryabinin.a.a@gmail.com>,
"glider@google.com" <glider@google.com>,
"sdf@google.com" <sdf@google.com>,
"yonghong.song@linux.dev" <yonghong.song@linux.dev>,
"wuqiang.matt@bytedance.com" <wuqiang.matt@bytedance.com>,
"agordeev@linux.ibm.com" <agordeev@linux.ibm.com>,
"vincenzo.frascino@arm.com" <vincenzo.frascino@arm.com>,
"will@kernel.org" <will@kernel.org>,
"ardb@kernel.org" <ardb@kernel.org>,
"michael.christie@oracle.com" <michael.christie@oracle.com>,
"quic_nprakash@quicinc.com" <quic_nprakash@quicinc.com>,
"linux-arch@vger.kernel.org" <linux-arch@vger.kernel.org>,
"hch@infrade ad.org" <hch@infradead.org>,
"arnd@arndb.de" <arnd@arndb.de>,
"daniel@iogearbox.net" <daniel@iogearbox.net>,
"mst@redhat.com" <mst@redhat.com>,
"john.fastabend@gmail.com" <john.fastabend@gmail.com>,
"andrii@kernel.org" <andrii@kernel.org>,
"kasan-dev@googlegroups.com" <kasan-dev@googlegroups.com>,
"aneesh.kumar@kernel.org" <aneesh.kumar@kernel.org>,
"urezki@gmail.com" <urezki@gmail.com>,
"samitolvanen@google.com" <samitolvanen@google.com>,
"zlim.lnx@gmail.com" <zlim.lnx@gmail.com>,
"naveen.n.rao@linux.ibm.com" <naveen.n.rao@linux.ibm.com>,
"dennis@kernel.org" <dennis@kernel.org>,
"borntraeger@linux.ibm.com" <borntraeger@linux.ibm.com>,
"cl@linux.com" <cl@linux.com>,
"aou@eecs.berkeley.edu" <aou@eecs.berkeley.edu>,
"ryan.roberts@arm.com" <ryan.roberts@arm.com>,
"gor@linux.ibm.com" <gor@linux.ibm.com>,
"linux-s390@vger.kernel.org" <linux-s390@vger.kernel.org>,
"hca@linux.ibm.com" <hca@linux.ibm.com>,
"npiggin@gmail.com" <npiggin@gmail.com>,
"kpsingh@kernel.org" <kpsingh@kernel.org>,
" meted@linux.ibm.com" <meted@linux.ibm.com>,
"quic_pkondeti@quicinc.com" <quic_pkondeti@quicinc.com>,
"paul.walmsley@sifive.com" <paul.walmsley@sifive.com>,
"surenb@google.com" <surenb@google.com>,
"akpm@linux-foundation.org" <akpm@linux-foundation.org>,
"dvyukov@google.com" <dvyukov@google.com>,
"andreyknvl@gmail.com" <andreyknvl@gmail.com>,
"haoluo@google.com" <haoluo@google.com>,
"brauner@kernel.org" <brauner@kernel.org>,
"mjguzik@gmail.com" <mjguzik@gmail.com>,
"lstoakes@gmail.com" <lstoakes@gmail.com>,
"song@kernel.org" <song@kernel.org>,
"gregkh@linuxfoundation.org" <gregkh@linuxfoundation.org>,
"muchun.song@linux.dev" <muchun.song@linux.dev>,
"linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>,
"awheeler@motorola.com" <awheeler@motorola.com>,
"martin.lau@linux.dev" <martin.lau@linux.dev>,
"linux-riscv@lists.infradead.org"
<linux-riscv@lists.infradead.org>,
"palmer@dabbelt.com" <palmer@dabbelt.com>,
"svens@linux.ibm.com" <svens@linux.ibm.com>,
"jolsa@kernel.org" <jols a@kernel.org>,
"tj@kernel.org" <tj@kernel.org>,
"guoren@kernel.org" <guoren@kernel.org>,
"bpf@vger.kernel.org" <bpf@vger.kernel.org>,
"rick.p.edgecombe@intel.com" <rick.p.edgecombe@intel.com>,
"linuxppc-dev@lists.ozlabs.org" <linuxppc-dev@lists.ozlabs.org>
Subject: Re: [PATCH 0/4] arm64: mm: support dynamic vmalloc/pmd configuration
Date: Wed, 21 Feb 2024 07:32:09 +0000 [thread overview]
Message-ID: <4368e86f-d6aa-4db8-b4cf-42174191dcf9@csgroup.eu> (raw)
In-Reply-To: <20240220203256.31153-1-mbland@motorola.com>
Le 20/02/2024 à 21:32, Maxwell Bland a écrit :
> [Vous ne recevez pas souvent de courriers de mbland@motorola.com. Découvrez pourquoi ceci est important à https://aka.ms/LearnAboutSenderIdentification ]
>
> Reworks ARM's virtual memory allocation infrastructure to support
> dynamic enforcement of page middle directory PXNTable restrictions
> rather than only during the initial memory mapping. Runtime enforcement
> of this bit prevents write-then-execute attacks, where malicious code is
> staged in vmalloc'd data regions, and later the page table is changed to
> make this code executable.
>
> Previously the entire region from VMALLOC_START to VMALLOC_END was
> vulnerable, but now the vulnerable region is restricted to the 2GB
> reserved by module_alloc, a region which is generally read-only and more
> difficult to inject staging code into, e.g., data must pass the BPF
> verifier. These changes also set the stage for other systems, such as
> KVM-level (EL2) changes to mark page tables immutable and code page
> verification changes, forging a path toward complete mitigation of
> kernel exploits on ARM.
>
> Implementing this required minimal changes to the generic vmalloc
> interface in the kernel to allow architecture overrides of some vmalloc
> wrapper functions, refactoring vmalloc calls to use a standard interface
> in the generic kernel, and passing the address parameter already passed
> into PTE allocation to the pte_allocate child function call.
>
> The new arm64 vmalloc wrapper functions ensure vmalloc data is not
> allocated into the region reserved for module_alloc. arm64 BPF and
> kprobe code also see a two-line-change ensuring their allocations abide
> by the segmentation of code from data. Finally, arm64's pmd_populate
> function is modified to set the PXNTable bit appropriately.
On powerpc (book3s/32) we have more or less the same although it is not
directly linked to PMDs: the virtual 4G address space is split in
segments of 256M. On each segment there's a bit called NX to forbit
execution. Vmalloc space is allocated in a segment with NX bit set while
Module spare is allocated in a segment with NX bit unset. We never have
to override vmalloc wrappers. All consumers of exec memory allocate it
using module_alloc() while vmalloc() provides non-exec memory.
For modules, all you have to do is select
ARCH_WANTS_MODULES_DATA_IN_VMALLOC and module data will be allocated
using vmalloc() hence non-exec memory in our case.
Christophe
next prev parent reply other threads:[~2024-02-21 11:02 UTC|newest]
Thread overview: 17+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-02-20 20:32 [PATCH 0/4] arm64: mm: support dynamic vmalloc/pmd configuration Maxwell Bland
2024-02-20 20:32 ` [PATCH 1/4] mm/vmalloc: allow arch-specific vmalloc_node overrides Maxwell Bland
2024-02-21 5:43 ` Christoph Hellwig
2024-02-21 7:38 ` Christophe Leroy
2024-02-21 6:59 ` Christophe Leroy
2024-02-21 17:19 ` Maxwell Bland
2024-02-20 20:32 ` [PATCH 2/4] mm: pgalloc: support address-conditional pmd allocation Maxwell Bland
2024-02-21 7:13 ` Christophe Leroy
2024-02-21 9:27 ` David Hildenbrand
2024-02-21 15:54 ` [External] " Maxwell Bland
2024-02-20 20:32 ` [PATCH 3/4] arm64: separate code and data virtual memory allocation Maxwell Bland
2024-02-21 7:20 ` Christophe Leroy
2024-02-20 20:32 ` [PATCH 4/4] arm64: dynamic enforcement of pmd-level PXNTable Maxwell Bland
2024-02-21 7:32 ` Christophe Leroy [this message]
2024-02-21 17:57 ` [PATCH 0/4] arm64: mm: support dynamic vmalloc/pmd configuration Maxwell Bland
2024-02-21 14:50 ` Conor Dooley
2024-02-21 15:42 ` [External] " Maxwell Bland
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=4368e86f-d6aa-4db8-b4cf-42174191dcf9@csgroup.eu \
--to=christophe.leroy@csgroup.eu \
--cc=agordeev@linux.ibm.com \
--cc=akpm@linux-foundation.org \
--cc=andreyknvl@gmail.com \
--cc=andrii@kernel.org \
--cc=aneesh.kumar@kernel.org \
--cc=aou@eecs.berkeley.edu \
--cc=ardb@kernel.org \
--cc=arnd@arndb.de \
--cc=ast@kernel.org \
--cc=awheeler@motorola.com \
--cc=borntraeger@linux.ibm.com \
--cc=brauner@kernel.org \
--cc=catalin.marinas@arm.com \
--cc=cl@linux.com \
--cc=daniel@iogearbox.net \
--cc=dave.hansen@linux.intel.com \
--cc=david@redhat.com \
--cc=dennis@kernel.org \
--cc=dvyukov@google.com \
--cc=glider@google.com \
--cc=gor@linux.ibm.com \
--cc=gregkh@linuxfoundation.org \
--cc=haoluo@google.com \
--cc=hca@linux.ibm.com \
--cc=hch@infradead.org \
--cc=john.fastabend@gmail.com \
--cc=kasan-dev@googlegroups.com \
--cc=kpsingh@kernel.org \
--cc=linux-arch@vger.kernel.org \
--cc=linux-arm-kernel@lists.infradead.org \
--cc=linux-efi@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mm@kvack.org \
--cc=linux-riscv@lists.infradead.org \
--cc=linux-s390@vger.kernel.org \
--cc=linux@armlinux.org.uk \
--cc=lstoakes@gmail.com \
--cc=mark.rutland@arm.com \
--cc=martin.lau@linux.dev \
--cc=mbland@motorola.com \
--cc=meted@linux.ibm.com \
--cc=michael.christie@oracle.com \
--cc=mjguzik@gmail.com \
--cc=mst@redhat.com \
--cc=muchun.song@linux.dev \
--cc=naveen.n.rao@linux.ibm.com \
--cc=npiggin@gmail.com \
--cc=palmer@dabbelt.com \
--cc=paul.walmsley@sifive.com \
--cc=quic_nprakash@quicinc.com \
--cc=quic_pkondeti@quicinc.com \
--cc=ryabinin.a.a@gmail.com \
--cc=ryan.roberts@arm.com \
--cc=samitolvanen@google.com \
--cc=sdf@google.com \
--cc=song@kernel.org \
--cc=surenb@google.com \
--cc=svens@linux.ibm.com \
--cc=urezki@gmail.com \
--cc=vincenzo.frascino@arm.com \
--cc=will@kernel.org \
--cc=wuqiang.matt@bytedance.com \
--cc=yonghong.song@linux.dev \
--cc=zlim.lnx@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).