linux-kernel.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
From: Michal Hocko <mhocko@kernel.org>
To: Igor Stoppa <igor.stoppa@huawei.com>
Cc: linux-mm@kvack.org, linux-kernel@vger.kernel.org,
	Dave Hansen <dave.hansen@intel.com>
Subject: Re: RFC v2: post-init-read-only protection for data allocated dynamically
Date: Thu, 4 May 2017 16:01:26 +0200	[thread overview]
Message-ID: <20170504140126.GJ31540@dhcp22.suse.cz> (raw)
In-Reply-To: <df1b34fb-f90b-da9e-6723-49e8f1cb1757@huawei.com>

On Thu 04-05-17 16:37:55, Igor Stoppa wrote:
> On 04/05/17 16:11, Michal Hocko wrote:
> > On Thu 04-05-17 15:14:10, Igor Stoppa wrote:
> 
> > I believe that this is a fundamental question. Sealing sounds useful
> > for after-boot usecases as well and it would change the approach
> > considerably. Coming up with an ad-hoc solution for the boot only way
> > seems like a wrong way to me. And as you've said SELinux which is your
> > target already does the thing after the early boot.
> 
> I didn't spend too many thoughts on this so far, because the zone-based
> approach seemed almost doomed, so I wanted to wait for the evolution of
> the discussion :-)
> 
> The main question here is granularity, I think.
> 
> At least, as first cut, the simpler approach would be to have a master
> toggle: when some legitimate operation needs to happen, the seal is
> lifted across the entire range, then it is put back in place, once the
> operation has concluded.
> 
> Simplicity is the main advantage.
> 
> The disadvantage is that anything can happen, undetected, while the seal
> is lifted.

Yes and I think this makes it basically pointless

> OTOH the amount of code that could backfire should be fairly limited, so
> it doesn't seem a huge issue to me.
> 
> The alternative would be to somehow know what a write will change and
> make only the appropriate page(s) writable. But it seems overkill to me.
> Especially because in some cases, with huge pages, everything would fit
> anyway in one page.
> 
> One more option that comes to mind - but I do not know how realistic it
> would be - is to have multiple slabs, to be used for different purposes.
> Ex: one for the monolithic kernel and one for modules.
> It wouldn't help for livepatch, though, as it can modify both, so both
> would have to be unprotected.

Just to make my proposal more clear. I suggest the following workflow

cache = kmem_cache_create(foo, object_size, ..., SLAB_SEAL);

obj = kmem_cache_alloc(cache, gfp_mask);
init_obj(obj)
[more allocations]
kmem_cache_seal(cache);

All slab pages belonging to the cache would get write protection. All
new allocations from this cache would go to new slab pages. Later
kmem_cache_seal will write protect only those new pages.

The main discomfort with this approach is that you have to create those
caches in advance, obviously. We could help by creating some general
purpose caches for common sizes but this sound like an overkill to me.
The caller will know which objects will need the protection so the
appropriate cache can be created on demand. But this reall depends on
potential users...
-- 
Michal Hocko
SUSE Labs

  reply	other threads:[~2017-05-04 14:01 UTC|newest]

Thread overview: 23+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2017-05-03 12:06 RFC v2: post-init-read-only protection for data allocated dynamically Igor Stoppa
     [not found] ` <70a9d4db-f374-de45-413b-65b74c59edcb@intel.com>
2017-05-04  8:17   ` Igor Stoppa
2017-05-04 14:30     ` Dave Hansen
2017-05-05  8:53       ` Igor Stoppa
2017-05-04 11:21 ` Michal Hocko
2017-05-04 12:14   ` Igor Stoppa
2017-05-04 13:11     ` Michal Hocko
2017-05-04 13:37       ` Igor Stoppa
2017-05-04 14:01         ` Michal Hocko [this message]
2017-05-04 17:24           ` Dave Hansen
2017-05-05 12:08             ` Igor Stoppa
2017-05-05 12:19           ` Igor Stoppa
2017-05-10  7:45             ` Michal Hocko
2017-05-04 16:49 ` Laura Abbott
2017-05-05 10:42   ` Igor Stoppa
2017-05-08 15:25     ` Laura Abbott
2017-05-09  9:38       ` Igor Stoppa
2017-05-10  8:05     ` Michal Hocko
2017-05-10  8:57       ` Igor Stoppa
2017-05-10 11:43         ` Michal Hocko
2017-05-10 15:19           ` Igor Stoppa
2017-05-10 15:45             ` Dave Hansen
2017-05-19 10:51               ` Igor Stoppa

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20170504140126.GJ31540@dhcp22.suse.cz \
    --to=mhocko@kernel.org \
    --cc=dave.hansen@intel.com \
    --cc=igor.stoppa@huawei.com \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-mm@kvack.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).