Date: Thu, 9 Nov 2017 13:51:55 +0100
From: Borislav Petkov
To: Dave Hansen
Cc: linux-kernel@vger.kernel.org, linux-mm@kvack.org,
	moritz.lipp@iaik.tugraz.at, daniel.gruss@iaik.tugraz.at,
	michael.schwarz@iaik.tugraz.at, richard.fellner@student.tugraz.at,
	luto@kernel.org, torvalds@linux-foundation.org, keescook@google.com,
	hughd@google.com, x86@kernel.org
Subject: Re: [PATCH 04/30] x86, kaiser: disable global pages by default with KAISER
Message-ID: <20171109125155.lglrqo6mwd5hzzb7@pd.tnic>
References: <20171108194646.907A1942@viggo.jf.intel.com> <20171108194653.D6C7EFF4@viggo.jf.intel.com>
In-Reply-To: <20171108194653.D6C7EFF4@viggo.jf.intel.com>

On Wed, Nov 08, 2017 at 11:46:53AM -0800, Dave Hansen wrote:
>
> From: Dave Hansen
>
> Global pages stay in the TLB across context switches. Since all
> contexts share the same kernel mapping, we use global pages to
> allow kernel entries in the TLB to survive when we context
> switch.
>
> But, even having these entries in the TLB opens up something that
> an attacker can use [1].
>
> Disable global pages so that kernel TLB entries are flushed when
> we run userspace. This way, all accesses to kernel memory result
> in a TLB miss whether there is good data there or not. Without
> this, even when KAISER switches page tables, the kernel entries
> might remain in the TLB.
>
> We keep _PAGE_GLOBAL available so that we can use it for things
> that are global even with KAISER like the entry/exit code and
> data.
>
> 1. The double-page-fault attack:
>    http://www.ieee-security.org/TC/SP2013/papers/4977a191.pdf
>
> Signed-off-by: Dave Hansen
> Cc: Moritz Lipp
> Cc: Daniel Gruss
> Cc: Michael Schwarz
> Cc: Richard Fellner
> Cc: Andy Lutomirski
> Cc: Linus Torvalds
> Cc: Kees Cook
> Cc: Hugh Dickins
> Cc: x86@kernel.org
> ---
>
>  b/arch/x86/include/asm/pgtable_types.h | 14 +++++++++++++-
>  b/arch/x86/mm/pageattr.c | 16 ++++++++--------
>  2 files changed, 21 insertions(+), 9 deletions(-)

Reviewed-by: Borislav Petkov

-- 
Regards/Gruss,
    Boris.

Good mailing practices for 400: avoid top-posting and trim the reply.
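
The TLB argument in the quoted commit message, as an added example that is not part of the original mail or of the kernel patch: a toy TLB model in C in which a page-table switch drops only non-global entries, so kernel translations marked global are still cached while userspace runs. The slot count, page numbers and function names are assumptions constructed for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
/* Toy TLB model, constructed for illustration; not kernel code. */
#define TLB_SLOTS 8
struct tlb_entry { bool valid, global, kernel; unsigned long vpn; };
struct tlb { struct tlb_entry e[TLB_SLOTS]; };

/* Cache one translation in the first free slot (dropped if the TLB is full). */
static void tlb_fill(struct tlb *t, unsigned long vpn, bool kernel, bool global)
{
    for (size_t i = 0; i < TLB_SLOTS; i++) {
        if (t->e[i].valid)
            continue;
        t->e[i] = (struct tlb_entry){ .valid = true, .global = global,
                                      .kernel = kernel, .vpn = vpn };
        return;
    }
}

/* Page-table switch (CR3 write, no PCID): only non-global entries are dropped. */
static void tlb_switch_page_tables(struct tlb *t)
{
    for (size_t i = 0; i < TLB_SLOTS; i++)
        if (!t->e[i].global)
            t->e[i].valid = false;
}

/* Kernel touches four data pages and one entry/exit page, then switches page
 * tables to run userspace. Returns the kernel translations still cached. */
static size_t kernel_entries_after_exit(bool kernel_pages_global)
{
    struct tlb t = { 0 };
    size_t left = 0;
    for (unsigned long vpn = 0x100; vpn < 0x104; vpn++) /* made-up sample VPNs */
        tlb_fill(&t, vpn, true, kernel_pages_global);
    tlb_fill(&t, 0x200, true, true);   /* entry/exit code stays global */
    tlb_fill(&t, 0x010, false, false); /* one user page */
    tlb_switch_page_tables(&t);
    for (size_t i = 0; i < TLB_SLOTS; i++)
        left += t.e[i].valid && t.e[i].kernel;
    return left;
}

int main(void)
{
    printf("global: %zu kernel entries survive, non-global: %zu\n",
           kernel_entries_after_exit(true), kernel_entries_after_exit(false));
    return 0;
}
```

With global pages disabled, the only kernel translation left after the switch is the entry/exit page that the commit message says stays global.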