* [PATCH 01/30] x86, mm: do not set _PAGE_USER for init_mm page tables
2017-11-08 19:46 [PATCH 00/30] [v2] KAISER: unmap most of the kernel from userspace page tables Dave Hansen
@ 2017-11-08 19:46 ` Dave Hansen
2017-11-08 19:52 ` Linus Torvalds
2017-11-09 10:29 ` Borislav Petkov
2017-11-08 19:46 ` [PATCH 02/30] x86, tlb: make CR4-based TLB flushes more robust Dave Hansen
` (28 subsequent siblings)
29 siblings, 2 replies; 64+ messages in thread
From: Dave Hansen @ 2017-11-08 19:46 UTC (permalink / raw)
To: linux-kernel
Cc: linux-mm, dave.hansen, tglx, moritz.lipp, daniel.gruss,
michael.schwarz, richard.fellner, luto, torvalds, keescook,
hughd, x86
From: Dave Hansen <dave.hansen@linux.intel.com>
init_mm is for kernel-exclusive use. If someone is allocating page
tables for it, do not set _PAGE_USER on them.
Signed-off-by: Dave Hansen <dave.hansen@linux.intel.com>
Reviewed-by: Thomas Gleixner <tglx@linutronix.de>
Cc: Moritz Lipp <moritz.lipp@iaik.tugraz.at>
Cc: Daniel Gruss <daniel.gruss@iaik.tugraz.at>
Cc: Michael Schwarz <michael.schwarz@iaik.tugraz.at>
Cc: Richard Fellner <richard.fellner@student.tugraz.at>
Cc: Andy Lutomirski <luto@kernel.org>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Kees Cook <keescook@google.com>
Cc: Hugh Dickins <hughd@google.com>
Cc: x86@kernel.org
---
b/arch/x86/include/asm/pgalloc.h | 33 ++++++++++++++++++++++++++++-----
1 file changed, 28 insertions(+), 5 deletions(-)
diff -puN arch/x86/include/asm/pgalloc.h~kaiser-prep-clear-_PAGE_USER-for-init_mm arch/x86/include/asm/pgalloc.h
--- a/arch/x86/include/asm/pgalloc.h~kaiser-prep-clear-_PAGE_USER-for-init_mm 2017-11-08 10:45:25.928681403 -0800
+++ b/arch/x86/include/asm/pgalloc.h 2017-11-08 10:45:25.931681403 -0800
@@ -61,20 +61,37 @@ static inline void __pte_free_tlb(struct
___pte_free_tlb(tlb, pte);
}
+/*
+ * init_mm is for kernel-exclusive use. Any page tables that
+ * are seteup for it should not be usable by userspace.
+ *
+ * This also *signals* to code (like KAISER) that this page table
+ * entry is for kernel-exclusive use.
+ */
+static inline pteval_t mm_pgtable_flags(struct mm_struct *mm)
+{
+ if (!mm || (mm == &init_mm))
+ return _KERNPG_TABLE;
+ return _PAGE_TABLE;
+}
+
static inline void pmd_populate_kernel(struct mm_struct *mm,
pmd_t *pmd, pte_t *pte)
{
+ pteval_t pgtable_flags = mm_pgtable_flags(mm);
+
paravirt_alloc_pte(mm, __pa(pte) >> PAGE_SHIFT);
- set_pmd(pmd, __pmd(__pa(pte) | _PAGE_TABLE));
+ set_pmd(pmd, __pmd(__pa(pte) | pgtable_flags));
}
static inline void pmd_populate(struct mm_struct *mm, pmd_t *pmd,
struct page *pte)
{
+ pteval_t pgtable_flags = mm_pgtable_flags(mm);
unsigned long pfn = page_to_pfn(pte);
paravirt_alloc_pte(mm, pfn);
- set_pmd(pmd, __pmd(((pteval_t)pfn << PAGE_SHIFT) | _PAGE_TABLE));
+ set_pmd(pmd, __pmd(((pteval_t)pfn << PAGE_SHIFT) | pgtable_flags));
}
#define pmd_pgtable(pmd) pmd_page(pmd)
@@ -117,16 +134,20 @@ extern void pud_populate(struct mm_struc
#else /* !CONFIG_X86_PAE */
static inline void pud_populate(struct mm_struct *mm, pud_t *pud, pmd_t *pmd)
{
+ pteval_t pgtable_flags = mm_pgtable_flags(mm);
+
paravirt_alloc_pmd(mm, __pa(pmd) >> PAGE_SHIFT);
- set_pud(pud, __pud(_PAGE_TABLE | __pa(pmd)));
+ set_pud(pud, __pud(__pa(pmd) | pgtable_flags));
}
#endif /* CONFIG_X86_PAE */
#if CONFIG_PGTABLE_LEVELS > 3
static inline void p4d_populate(struct mm_struct *mm, p4d_t *p4d, pud_t *pud)
{
+ pteval_t pgtable_flags = mm_pgtable_flags(mm);
+
paravirt_alloc_pud(mm, __pa(pud) >> PAGE_SHIFT);
- set_p4d(p4d, __p4d(_PAGE_TABLE | __pa(pud)));
+ set_p4d(p4d, __p4d(__pa(pud) | pgtable_flags));
}
static inline pud_t *pud_alloc_one(struct mm_struct *mm, unsigned long addr)
@@ -155,8 +176,10 @@ static inline void __pud_free_tlb(struct
#if CONFIG_PGTABLE_LEVELS > 4
static inline void pgd_populate(struct mm_struct *mm, pgd_t *pgd, p4d_t *p4d)
{
+ pteval_t pgtable_flags = mm_pgtable_flags(mm);
+
paravirt_alloc_p4d(mm, __pa(p4d) >> PAGE_SHIFT);
- set_pgd(pgd, __pgd(_PAGE_TABLE | __pa(p4d)));
+ set_pgd(pgd, __pgd(__pa(p4d) | pgtable_flags));
}
static inline p4d_t *p4d_alloc_one(struct mm_struct *mm, unsigned long addr)
_
^ permalink raw reply [flat|nested] 64+ messages in thread* Re: [PATCH 01/30] x86, mm: do not set _PAGE_USER for init_mm page tables
2017-11-08 19:46 ` [PATCH 01/30] x86, mm: do not set _PAGE_USER for init_mm " Dave Hansen
@ 2017-11-08 19:52 ` Linus Torvalds
2017-11-08 20:11 ` Dave Hansen
2017-11-09 10:29 ` Borislav Petkov
1 sibling, 1 reply; 64+ messages in thread
From: Linus Torvalds @ 2017-11-08 19:52 UTC (permalink / raw)
To: Dave Hansen
Cc: Linux Kernel Mailing List, linux-mm, Thomas Gleixner,
moritz.lipp, Daniel Gruss, michael.schwarz, richard.fellner,
Andrew Lutomirski, Kees Cook, Hugh Dickins,
the arch/x86 maintainers
On Wed, Nov 8, 2017 at 11:46 AM, Dave Hansen
<dave.hansen@linux.intel.com> wrote:
>
> +
> static inline void pmd_populate_kernel(struct mm_struct *mm,
> pmd_t *pmd, pte_t *pte)
> {
> + pteval_t pgtable_flags = mm_pgtable_flags(mm);
Why is "pmd_populate_kernel()" using mm_pgtable_flags(mm)?
It should just use _KERNPG_TABLE unconditionally, shouldn't it?
Nothing to do with init_mm, it's populating a _kernel_ page table
regardless, no?
Linus
^ permalink raw reply [flat|nested] 64+ messages in thread* Re: [PATCH 01/30] x86, mm: do not set _PAGE_USER for init_mm page tables
2017-11-08 19:52 ` Linus Torvalds
@ 2017-11-08 20:11 ` Dave Hansen
0 siblings, 0 replies; 64+ messages in thread
From: Dave Hansen @ 2017-11-08 20:11 UTC (permalink / raw)
To: Linus Torvalds
Cc: Linux Kernel Mailing List, linux-mm, Thomas Gleixner,
moritz.lipp, Daniel Gruss, michael.schwarz, richard.fellner,
Andrew Lutomirski, Kees Cook, Hugh Dickins,
the arch/x86 maintainers
On 11/08/2017 11:52 AM, Linus Torvalds wrote:
> On Wed, Nov 8, 2017 at 11:46 AM, Dave Hansen
> <dave.hansen@linux.intel.com> wrote:
>>
>> +
>> static inline void pmd_populate_kernel(struct mm_struct *mm,
>> pmd_t *pmd, pte_t *pte)
>> {
>> + pteval_t pgtable_flags = mm_pgtable_flags(mm);
>
> Why is "pmd_populate_kernel()" using mm_pgtable_flags(mm)?
>
> It should just use _KERNPG_TABLE unconditionally, shouldn't it?
> Nothing to do with init_mm, it's populating a _kernel_ page table
> regardless, no?
The end result is probably the same since a quick grep shows it only
ever getting called with init_mm or NULL. But, yeah, it should probably
just be _PAGE_KERNEL directly.
I'll update it.
^ permalink raw reply [flat|nested] 64+ messages in thread
* Re: [PATCH 01/30] x86, mm: do not set _PAGE_USER for init_mm page tables
2017-11-08 19:46 ` [PATCH 01/30] x86, mm: do not set _PAGE_USER for init_mm " Dave Hansen
2017-11-08 19:52 ` Linus Torvalds
@ 2017-11-09 10:29 ` Borislav Petkov
1 sibling, 0 replies; 64+ messages in thread
From: Borislav Petkov @ 2017-11-09 10:29 UTC (permalink / raw)
To: Dave Hansen
Cc: linux-kernel, linux-mm, tglx, moritz.lipp, daniel.gruss,
michael.schwarz, richard.fellner, luto, torvalds, keescook,
hughd, x86
On Wed, Nov 08, 2017 at 11:46:47AM -0800, Dave Hansen wrote:
>
> From: Dave Hansen <dave.hansen@linux.intel.com>
>
> init_mm is for kernel-exclusive use. If someone is allocating page
> tables for it, do not set _PAGE_USER on them.
>
> Signed-off-by: Dave Hansen <dave.hansen@linux.intel.com>
> Reviewed-by: Thomas Gleixner <tglx@linutronix.de>
> Cc: Moritz Lipp <moritz.lipp@iaik.tugraz.at>
> Cc: Daniel Gruss <daniel.gruss@iaik.tugraz.at>
> Cc: Michael Schwarz <michael.schwarz@iaik.tugraz.at>
> Cc: Richard Fellner <richard.fellner@student.tugraz.at>
> Cc: Andy Lutomirski <luto@kernel.org>
> Cc: Linus Torvalds <torvalds@linux-foundation.org>
> Cc: Kees Cook <keescook@google.com>
> Cc: Hugh Dickins <hughd@google.com>
> Cc: x86@kernel.org
> ---
>
> b/arch/x86/include/asm/pgalloc.h | 33 ++++++++++++++++++++++++++++-----
> 1 file changed, 28 insertions(+), 5 deletions(-)
>
> diff -puN arch/x86/include/asm/pgalloc.h~kaiser-prep-clear-_PAGE_USER-for-init_mm arch/x86/include/asm/pgalloc.h
> --- a/arch/x86/include/asm/pgalloc.h~kaiser-prep-clear-_PAGE_USER-for-init_mm 2017-11-08 10:45:25.928681403 -0800
> +++ b/arch/x86/include/asm/pgalloc.h 2017-11-08 10:45:25.931681403 -0800
> @@ -61,20 +61,37 @@ static inline void __pte_free_tlb(struct
> ___pte_free_tlb(tlb, pte);
> }
>
> +/*
> + * init_mm is for kernel-exclusive use. Any page tables that
> + * are seteup for it should not be usable by userspace.
s/seteup/setup/
--
Regards/Gruss,
Boris.
Good mailing practices for 400: avoid top-posting and trim the reply.
^ permalink raw reply [flat|nested] 64+ messages in thread
* [PATCH 02/30] x86, tlb: make CR4-based TLB flushes more robust
2017-11-08 19:46 [PATCH 00/30] [v2] KAISER: unmap most of the kernel from userspace page tables Dave Hansen
2017-11-08 19:46 ` [PATCH 01/30] x86, mm: do not set _PAGE_USER for init_mm " Dave Hansen
@ 2017-11-08 19:46 ` Dave Hansen
2017-11-09 10:48 ` Borislav Petkov
2017-11-08 19:46 ` [PATCH 03/30] x86, mm: document X86_CR4_PGE toggling behavior Dave Hansen
` (27 subsequent siblings)
29 siblings, 1 reply; 64+ messages in thread
From: Dave Hansen @ 2017-11-08 19:46 UTC (permalink / raw)
To: linux-kernel
Cc: linux-mm, dave.hansen, moritz.lipp, daniel.gruss,
michael.schwarz, richard.fellner, luto, torvalds, keescook,
hughd, x86
From: Dave Hansen <dave.hansen@linux.intel.com>
Our CR4-based TLB flush currently requries global pages to be
supported *and* enabled. But, the hardware only needs for them to
be supported.
Make the code more robust by alllowing the initial state of
X86_CR4_PGE to be on *or* off. In addition, if we get called in
an unepected state (X86_CR4_PGE=0), issue a warning. Having
X86_CR4_PGE=0 is certainly unexpected and we should not ignore
it if encountered.
This essentially gives us the best of both worlds: we get a TLB
flush no matter what, and we get a warning if we got called in
an unexpected way (X86_CR4_PGE=0).
The XOR change was suggested by Kirill Shutemov.
Signed-off-by: Dave Hansen <dave.hansen@linux.intel.com>
Cc: Moritz Lipp <moritz.lipp@iaik.tugraz.at>
Cc: Daniel Gruss <daniel.gruss@iaik.tugraz.at>
Cc: Michael Schwarz <michael.schwarz@iaik.tugraz.at>
Cc: Richard Fellner <richard.fellner@student.tugraz.at>
Cc: Andy Lutomirski <luto@kernel.org>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Kees Cook <keescook@google.com>
Cc: Hugh Dickins <hughd@google.com>
Cc: x86@kernel.org
---
b/arch/x86/include/asm/tlbflush.h | 17 ++++++++++++++---
1 file changed, 14 insertions(+), 3 deletions(-)
diff -puN arch/x86/include/asm/tlbflush.h~kaiser-prep-make-cr4-writes-tolerate-clear-pge arch/x86/include/asm/tlbflush.h
--- a/arch/x86/include/asm/tlbflush.h~kaiser-prep-make-cr4-writes-tolerate-clear-pge 2017-11-08 10:45:26.461681402 -0800
+++ b/arch/x86/include/asm/tlbflush.h 2017-11-08 10:45:26.464681402 -0800
@@ -250,9 +250,20 @@ static inline void __native_flush_tlb_gl
unsigned long cr4;
cr4 = this_cpu_read(cpu_tlbstate.cr4);
- /* clear PGE */
- native_write_cr4(cr4 & ~X86_CR4_PGE);
- /* write old PGE again and flush TLBs */
+ /*
+ * This function is only called on systems that support X86_CR4_PGE
+ * and where always set X86_CR4_PGE. Warn if we are called without
+ * PGE set.
+ */
+ WARN_ON_ONCE(!(cr4 & X86_CR4_PGE));
+ /*
+ * Architecturally, any _change_ to X86_CR4_PGE will fully flush the
+ * TLB of all entries including all entries in all PCIDs and all
+ * global pages. Make sure that we _change_ the bit, regardless of
+ * whether we had X86_CR4_PGE set in the first place.
+ */
+ native_write_cr4(cr4 ^ X86_CR4_PGE);
+ /* Put original CR4 value back: */
native_write_cr4(cr4);
}
_
^ permalink raw reply [flat|nested] 64+ messages in thread* Re: [PATCH 02/30] x86, tlb: make CR4-based TLB flushes more robust
2017-11-08 19:46 ` [PATCH 02/30] x86, tlb: make CR4-based TLB flushes more robust Dave Hansen
@ 2017-11-09 10:48 ` Borislav Petkov
2017-11-09 10:51 ` Thomas Gleixner
0 siblings, 1 reply; 64+ messages in thread
From: Borislav Petkov @ 2017-11-09 10:48 UTC (permalink / raw)
To: Dave Hansen, luto
Cc: linux-kernel, linux-mm, moritz.lipp, daniel.gruss,
michael.schwarz, richard.fellner, torvalds, keescook, hughd, x86
On Wed, Nov 08, 2017 at 11:46:49AM -0800, Dave Hansen wrote:
>
> From: Dave Hansen <dave.hansen@linux.intel.com>
>
> Our CR4-based TLB flush currently requries global pages to be
> supported *and* enabled. But, the hardware only needs for them to
> be supported.
>
> Make the code more robust by alllowing the initial state of
> X86_CR4_PGE to be on *or* off. In addition, if we get called in
> an unepected state (X86_CR4_PGE=0), issue a warning. Having
> X86_CR4_PGE=0 is certainly unexpected and we should not ignore
> it if encountered.
>
> This essentially gives us the best of both worlds: we get a TLB
> flush no matter what, and we get a warning if we got called in
> an unexpected way (X86_CR4_PGE=0).
Commit message could use a spell checker.
> The XOR change was suggested by Kirill Shutemov.
>
> Signed-off-by: Dave Hansen <dave.hansen@linux.intel.com>
> Cc: Moritz Lipp <moritz.lipp@iaik.tugraz.at>
> Cc: Daniel Gruss <daniel.gruss@iaik.tugraz.at>
> Cc: Michael Schwarz <michael.schwarz@iaik.tugraz.at>
> Cc: Richard Fellner <richard.fellner@student.tugraz.at>
> Cc: Andy Lutomirski <luto@kernel.org>
> Cc: Linus Torvalds <torvalds@linux-foundation.org>
> Cc: Kees Cook <keescook@google.com>
> Cc: Hugh Dickins <hughd@google.com>
> Cc: x86@kernel.org
> ---
>
> b/arch/x86/include/asm/tlbflush.h | 17 ++++++++++++++---
> 1 file changed, 14 insertions(+), 3 deletions(-)
>
> diff -puN arch/x86/include/asm/tlbflush.h~kaiser-prep-make-cr4-writes-tolerate-clear-pge arch/x86/include/asm/tlbflush.h
> --- a/arch/x86/include/asm/tlbflush.h~kaiser-prep-make-cr4-writes-tolerate-clear-pge 2017-11-08 10:45:26.461681402 -0800
> +++ b/arch/x86/include/asm/tlbflush.h 2017-11-08 10:45:26.464681402 -0800
> @@ -250,9 +250,20 @@ static inline void __native_flush_tlb_gl
> unsigned long cr4;
>
> cr4 = this_cpu_read(cpu_tlbstate.cr4);
> - /* clear PGE */
> - native_write_cr4(cr4 & ~X86_CR4_PGE);
> - /* write old PGE again and flush TLBs */
<---- newline here.
> + /*
> + * This function is only called on systems that support X86_CR4_PGE
> + * and where always set X86_CR4_PGE. Warn if we are called without
"... and where X86_CR4_PGE is normally always set."
> + * PGE set.
> + */
> + WARN_ON_ONCE(!(cr4 & X86_CR4_PGE));
<---- newline here.
> + /*
> + * Architecturally, any _change_ to X86_CR4_PGE will fully flush the
> + * TLB of all entries including all entries in all PCIDs and all
> + * global pages. Make sure that we _change_ the bit, regardless of
> + * whether we had X86_CR4_PGE set in the first place.
... or not."
> + */
> + native_write_cr4(cr4 ^ X86_CR4_PGE);
<---- newline here.
> + /* Put original CR4 value back: */
> native_write_cr4(cr4);
> }
Btw, Andy, we read the CR4 shadow in that function but we don't update
it. Why?
--
Regards/Gruss,
Boris.
Good mailing practices for 400: avoid top-posting and trim the reply.
^ permalink raw reply [flat|nested] 64+ messages in thread* Re: [PATCH 02/30] x86, tlb: make CR4-based TLB flushes more robust
2017-11-09 10:48 ` Borislav Petkov
@ 2017-11-09 10:51 ` Thomas Gleixner
2017-11-09 11:02 ` Borislav Petkov
0 siblings, 1 reply; 64+ messages in thread
From: Thomas Gleixner @ 2017-11-09 10:51 UTC (permalink / raw)
To: Borislav Petkov
Cc: Dave Hansen, luto, linux-kernel, linux-mm, moritz.lipp,
daniel.gruss, michael.schwarz, richard.fellner, torvalds,
keescook, hughd, x86
On Thu, 9 Nov 2017, Borislav Petkov wrote:
> On Wed, Nov 08, 2017 at 11:46:49AM -0800, Dave Hansen wrote:
> > + /* Put original CR4 value back: */
> > native_write_cr4(cr4);
> > }
>
> Btw, Andy, we read the CR4 shadow in that function but we don't update
> it. Why?
Because its the same as before.
> > + /* Put original CR4 value back: */
> > native_write_cr4(cr4);
Thanks,
tglx
^ permalink raw reply [flat|nested] 64+ messages in thread
* Re: [PATCH 02/30] x86, tlb: make CR4-based TLB flushes more robust
2017-11-09 10:51 ` Thomas Gleixner
@ 2017-11-09 11:02 ` Borislav Petkov
0 siblings, 0 replies; 64+ messages in thread
From: Borislav Petkov @ 2017-11-09 11:02 UTC (permalink / raw)
To: Thomas Gleixner
Cc: Dave Hansen, luto, linux-kernel, linux-mm, moritz.lipp,
daniel.gruss, michael.schwarz, richard.fellner, torvalds,
keescook, hughd, x86
On Thu, Nov 09, 2017 at 11:51:08AM +0100, Thomas Gleixner wrote:
> Because its the same as before.
Doh, of course.
Thx.
--
Regards/Gruss,
Boris.
Good mailing practices for 400: avoid top-posting and trim the reply.
^ permalink raw reply [flat|nested] 64+ messages in thread
* [PATCH 03/30] x86, mm: document X86_CR4_PGE toggling behavior
2017-11-08 19:46 [PATCH 00/30] [v2] KAISER: unmap most of the kernel from userspace page tables Dave Hansen
2017-11-08 19:46 ` [PATCH 01/30] x86, mm: do not set _PAGE_USER for init_mm " Dave Hansen
2017-11-08 19:46 ` [PATCH 02/30] x86, tlb: make CR4-based TLB flushes more robust Dave Hansen
@ 2017-11-08 19:46 ` Dave Hansen
2017-11-09 12:21 ` Borislav Petkov
2017-11-08 19:46 ` [PATCH 04/30] x86, kaiser: disable global pages by default with KAISER Dave Hansen
` (26 subsequent siblings)
29 siblings, 1 reply; 64+ messages in thread
From: Dave Hansen @ 2017-11-08 19:46 UTC (permalink / raw)
To: linux-kernel
Cc: linux-mm, dave.hansen, moritz.lipp, daniel.gruss,
michael.schwarz, richard.fellner, luto, torvalds, keescook,
hughd, x86
From: Dave Hansen <dave.hansen@linux.intel.com>
The comment says it all here. The problem here is that the
X86_CR4_PGE bit affects all PCIDs in a way that is totally
obscure.
This makes it easier for someone to find if grepping for PCID-
related stuff and documents the hardware behavior that we are
depending on.
Signed-off-by: Dave Hansen <dave.hansen@linux.intel.com>
Cc: Moritz Lipp <moritz.lipp@iaik.tugraz.at>
Cc: Daniel Gruss <daniel.gruss@iaik.tugraz.at>
Cc: Michael Schwarz <michael.schwarz@iaik.tugraz.at>
Cc: Richard Fellner <richard.fellner@student.tugraz.at>
Cc: Andy Lutomirski <luto@kernel.org>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Kees Cook <keescook@google.com>
Cc: Hugh Dickins <hughd@google.com>
Cc: x86@kernel.org
---
b/arch/x86/include/asm/tlbflush.h | 8 +++++---
1 file changed, 5 insertions(+), 3 deletions(-)
diff -puN arch/x86/include/asm/tlbflush.h~kaiser-prep-document-cr4-pge-behavior arch/x86/include/asm/tlbflush.h
--- a/arch/x86/include/asm/tlbflush.h~kaiser-prep-document-cr4-pge-behavior 2017-11-08 10:45:26.994681401 -0800
+++ b/arch/x86/include/asm/tlbflush.h 2017-11-08 10:45:26.997681401 -0800
@@ -257,10 +257,12 @@ static inline void __native_flush_tlb_gl
*/
WARN_ON_ONCE(!(cr4 & X86_CR4_PGE));
/*
- * Architecturally, any _change_ to X86_CR4_PGE will fully flush the
- * TLB of all entries including all entries in all PCIDs and all
- * global pages. Make sure that we _change_ the bit, regardless of
+ * Architecturally, any _change_ to X86_CR4_PGE will fully flush
+ * all entries. Make sure that we _change_ the bit, regardless of
* whether we had X86_CR4_PGE set in the first place.
+ *
+ * Note that just toggling PGE *also* flushes all entries from all
+ * PCIDs, regardless of the state of X86_CR4_PCIDE.
*/
native_write_cr4(cr4 ^ X86_CR4_PGE);
/* Put original CR4 value back: */
_
^ permalink raw reply [flat|nested] 64+ messages in thread* Re: [PATCH 03/30] x86, mm: document X86_CR4_PGE toggling behavior
2017-11-08 19:46 ` [PATCH 03/30] x86, mm: document X86_CR4_PGE toggling behavior Dave Hansen
@ 2017-11-09 12:21 ` Borislav Petkov
0 siblings, 0 replies; 64+ messages in thread
From: Borislav Petkov @ 2017-11-09 12:21 UTC (permalink / raw)
To: Dave Hansen
Cc: linux-kernel, linux-mm, moritz.lipp, daniel.gruss,
michael.schwarz, richard.fellner, luto, torvalds, keescook,
hughd, x86
On Wed, Nov 08, 2017 at 11:46:51AM -0800, Dave Hansen wrote:
>
> From: Dave Hansen <dave.hansen@linux.intel.com>
Subject: Re: [PATCH 03/30] x86, mm: document X86_CR4_PGE toggling behavior
Btw, note the new-ish tip subject format:
<path>: Sentence with a capital letter
i.e.,
x86/mm: Document X86_CR4_PGE toggling behavior
in this case.
Thx.
--
Regards/Gruss,
Boris.
Good mailing practices for 400: avoid top-posting and trim the reply.
^ permalink raw reply [flat|nested] 64+ messages in thread
* [PATCH 04/30] x86, kaiser: disable global pages by default with KAISER
2017-11-08 19:46 [PATCH 00/30] [v2] KAISER: unmap most of the kernel from userspace page tables Dave Hansen
` (2 preceding siblings ...)
2017-11-08 19:46 ` [PATCH 03/30] x86, mm: document X86_CR4_PGE toggling behavior Dave Hansen
@ 2017-11-08 19:46 ` Dave Hansen
2017-11-09 12:51 ` Borislav Petkov
2017-11-09 22:19 ` Thomas Gleixner
2017-11-08 19:46 ` [PATCH 05/30] x86, kaiser: prepare assembly for entry/exit CR3 switching Dave Hansen
` (25 subsequent siblings)
29 siblings, 2 replies; 64+ messages in thread
From: Dave Hansen @ 2017-11-08 19:46 UTC (permalink / raw)
To: linux-kernel
Cc: linux-mm, dave.hansen, moritz.lipp, daniel.gruss,
michael.schwarz, richard.fellner, luto, torvalds, keescook,
hughd, x86
From: Dave Hansen <dave.hansen@linux.intel.com>
Global pages stay in the TLB across context switches. Since all
contexts share the same kernel mapping, we use global pages to
allow kernel entries in the TLB to survive when we context
switch.
But, even having these entries in the TLB opens up something that
an attacker can use [1].
Disable global pages so that kernel TLB entries are flushed when
we run userspace. This way, all accesses to kernel memory result
in a TLB miss whether there is good data there or not. Without
this, even when KAISER switches pages tables, the kernel entries
might remain in the TLB.
We keep _PAGE_GLOBAL available so that we can use it for things
that are global even with KAISER like the entry/exit code and
data.
1. The double-page-fault attack:
http://www.ieee-security.org/TC/SP2013/papers/4977a191.pdf
Signed-off-by: Dave Hansen <dave.hansen@linux.intel.com>
Cc: Moritz Lipp <moritz.lipp@iaik.tugraz.at>
Cc: Daniel Gruss <daniel.gruss@iaik.tugraz.at>
Cc: Michael Schwarz <michael.schwarz@iaik.tugraz.at>
Cc: Richard Fellner <richard.fellner@student.tugraz.at>
Cc: Andy Lutomirski <luto@kernel.org>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Kees Cook <keescook@google.com>
Cc: Hugh Dickins <hughd@google.com>
Cc: x86@kernel.org
---
b/arch/x86/include/asm/pgtable_types.h | 14 +++++++++++++-
b/arch/x86/mm/pageattr.c | 16 ++++++++--------
2 files changed, 21 insertions(+), 9 deletions(-)
diff -puN arch/x86/include/asm/pgtable_types.h~kaiser-prep-disable-global-pages arch/x86/include/asm/pgtable_types.h
--- a/arch/x86/include/asm/pgtable_types.h~kaiser-prep-disable-global-pages 2017-11-08 10:45:27.525681399 -0800
+++ b/arch/x86/include/asm/pgtable_types.h 2017-11-08 10:45:27.530681399 -0800
@@ -179,8 +179,20 @@ enum page_cache_mode {
#define PAGE_READONLY_EXEC __pgprot(_PAGE_PRESENT | _PAGE_USER | \
_PAGE_ACCESSED)
+/*
+ * Disable global pages for anything using the default
+ * __PAGE_KERNEL* macros. PGE will still be enabled
+ * and _PAGE_GLOBAL may still be used carefully.
+ */
+#ifdef CONFIG_KAISER
+#define __PAGE_KERNEL_GLOBAL 0
+#else
+#define __PAGE_KERNEL_GLOBAL _PAGE_GLOBAL
+#endif
+
#define __PAGE_KERNEL_EXEC \
- (_PAGE_PRESENT | _PAGE_RW | _PAGE_DIRTY | _PAGE_ACCESSED | _PAGE_GLOBAL)
+ (_PAGE_PRESENT | _PAGE_RW | _PAGE_DIRTY | _PAGE_ACCESSED | \
+ __PAGE_KERNEL_GLOBAL)
#define __PAGE_KERNEL (__PAGE_KERNEL_EXEC | _PAGE_NX)
#define __PAGE_KERNEL_RO (__PAGE_KERNEL & ~_PAGE_RW)
diff -puN arch/x86/mm/pageattr.c~kaiser-prep-disable-global-pages arch/x86/mm/pageattr.c
--- a/arch/x86/mm/pageattr.c~kaiser-prep-disable-global-pages 2017-11-08 10:45:27.527681399 -0800
+++ b/arch/x86/mm/pageattr.c 2017-11-08 10:45:27.531681399 -0800
@@ -585,9 +585,9 @@ try_preserve_large_page(pte_t *kpte, uns
* for the ancient hardware that doesn't support it.
*/
if (pgprot_val(req_prot) & _PAGE_PRESENT)
- pgprot_val(req_prot) |= _PAGE_PSE | _PAGE_GLOBAL;
+ pgprot_val(req_prot) |= _PAGE_PSE | __PAGE_KERNEL_GLOBAL;
else
- pgprot_val(req_prot) &= ~(_PAGE_PSE | _PAGE_GLOBAL);
+ pgprot_val(req_prot) &= ~(_PAGE_PSE | __PAGE_KERNEL_GLOBAL);
req_prot = canon_pgprot(req_prot);
@@ -705,9 +705,9 @@ __split_large_page(struct cpa_data *cpa,
* for the ancient hardware that doesn't support it.
*/
if (pgprot_val(ref_prot) & _PAGE_PRESENT)
- pgprot_val(ref_prot) |= _PAGE_GLOBAL;
+ pgprot_val(ref_prot) |= __PAGE_KERNEL_GLOBAL;
else
- pgprot_val(ref_prot) &= ~_PAGE_GLOBAL;
+ pgprot_val(ref_prot) &= ~__PAGE_KERNEL_GLOBAL;
/*
* Get the target pfn from the original entry:
@@ -938,9 +938,9 @@ static void populate_pte(struct cpa_data
* support it.
*/
if (pgprot_val(pgprot) & _PAGE_PRESENT)
- pgprot_val(pgprot) |= _PAGE_GLOBAL;
+ pgprot_val(pgprot) |= __PAGE_KERNEL_GLOBAL;
else
- pgprot_val(pgprot) &= ~_PAGE_GLOBAL;
+ pgprot_val(pgprot) &= ~__PAGE_KERNEL_GLOBAL;
pgprot = canon_pgprot(pgprot);
@@ -1242,9 +1242,9 @@ repeat:
* support it.
*/
if (pgprot_val(new_prot) & _PAGE_PRESENT)
- pgprot_val(new_prot) |= _PAGE_GLOBAL;
+ pgprot_val(new_prot) |= __PAGE_KERNEL_GLOBAL;
else
- pgprot_val(new_prot) &= ~_PAGE_GLOBAL;
+ pgprot_val(new_prot) &= ~__PAGE_KERNEL_GLOBAL;
/*
* We need to keep the pfn from the existing PTE,
_
^ permalink raw reply [flat|nested] 64+ messages in thread* Re: [PATCH 04/30] x86, kaiser: disable global pages by default with KAISER
2017-11-08 19:46 ` [PATCH 04/30] x86, kaiser: disable global pages by default with KAISER Dave Hansen
@ 2017-11-09 12:51 ` Borislav Petkov
2017-11-09 22:19 ` Thomas Gleixner
1 sibling, 0 replies; 64+ messages in thread
From: Borislav Petkov @ 2017-11-09 12:51 UTC (permalink / raw)
To: Dave Hansen
Cc: linux-kernel, linux-mm, moritz.lipp, daniel.gruss,
michael.schwarz, richard.fellner, luto, torvalds, keescook,
hughd, x86
On Wed, Nov 08, 2017 at 11:46:53AM -0800, Dave Hansen wrote:
>
> From: Dave Hansen <dave.hansen@linux.intel.com>
>
> Global pages stay in the TLB across context switches. Since all
> contexts share the same kernel mapping, we use global pages to
> allow kernel entries in the TLB to survive when we context
> switch.
>
> But, even having these entries in the TLB opens up something that
> an attacker can use [1].
>
> Disable global pages so that kernel TLB entries are flushed when
> we run userspace. This way, all accesses to kernel memory result
> in a TLB miss whether there is good data there or not. Without
> this, even when KAISER switches pages tables, the kernel entries
> might remain in the TLB.
>
> We keep _PAGE_GLOBAL available so that we can use it for things
> that are global even with KAISER like the entry/exit code and
> data.
>
> 1. The double-page-fault attack:
> http://www.ieee-security.org/TC/SP2013/papers/4977a191.pdf
>
> Signed-off-by: Dave Hansen <dave.hansen@linux.intel.com>
> Cc: Moritz Lipp <moritz.lipp@iaik.tugraz.at>
> Cc: Daniel Gruss <daniel.gruss@iaik.tugraz.at>
> Cc: Michael Schwarz <michael.schwarz@iaik.tugraz.at>
> Cc: Richard Fellner <richard.fellner@student.tugraz.at>
> Cc: Andy Lutomirski <luto@kernel.org>
> Cc: Linus Torvalds <torvalds@linux-foundation.org>
> Cc: Kees Cook <keescook@google.com>
> Cc: Hugh Dickins <hughd@google.com>
> Cc: x86@kernel.org
> ---
>
> b/arch/x86/include/asm/pgtable_types.h | 14 +++++++++++++-
> b/arch/x86/mm/pageattr.c | 16 ++++++++--------
> 2 files changed, 21 insertions(+), 9 deletions(-)
Reviewed-by: Borislav Petkov <bp@suse.de>
--
Regards/Gruss,
Boris.
Good mailing practices for 400: avoid top-posting and trim the reply.
^ permalink raw reply [flat|nested] 64+ messages in thread* Re: [PATCH 04/30] x86, kaiser: disable global pages by default with KAISER
2017-11-08 19:46 ` [PATCH 04/30] x86, kaiser: disable global pages by default with KAISER Dave Hansen
2017-11-09 12:51 ` Borislav Petkov
@ 2017-11-09 22:19 ` Thomas Gleixner
1 sibling, 0 replies; 64+ messages in thread
From: Thomas Gleixner @ 2017-11-09 22:19 UTC (permalink / raw)
To: Dave Hansen
Cc: linux-kernel, linux-mm, moritz.lipp, daniel.gruss,
michael.schwarz, richard.fellner, luto, torvalds, keescook,
hughd, x86
On Wed, 8 Nov 2017, Dave Hansen wrote:
> From: Dave Hansen <dave.hansen@linux.intel.com>
>
> Global pages stay in the TLB across context switches. Since all
> contexts share the same kernel mapping, we use global pages to
> allow kernel entries in the TLB to survive when we context
> switch.
>
> But, even having these entries in the TLB opens up something that
> an attacker can use [1].
>
> Disable global pages so that kernel TLB entries are flushed when
> we run userspace. This way, all accesses to kernel memory result
> in a TLB miss whether there is good data there or not. Without
> this, even when KAISER switches pages tables, the kernel entries
> might remain in the TLB.
>
> We keep _PAGE_GLOBAL available so that we can use it for things
> that are global even with KAISER like the entry/exit code and
> data.
Just a nitpick which applies to a lot of the changelogs in this
series. Describing ourself (we) running/doing something is (understandable)
but not a really technical way to describe things. Aside of that some of
the descriptions are slightly convoluted. Let me rephrase the above
paragraphs:
Global pages stay in the TLB across context switches. Since all contexts
share the same kernel mapping, these mappings are marked as global pages
so kernel entries in the TLB are not flushed out on a context switch.
But, even having these entries in the TLB opens up something that an
attacker can use [1].
That means that even when KAISER switches page tables on return to user
space the global pages would stay in the TLB cache.
Disable global pages so that kernel TLB entries can be flushed before
returning to user space. This way, all accesses to kernel addresses from
userspace result in a TLB miss independent of the existance of a kernel
mapping.
Replace _PAGE_GLOBAL by __PAGE_KERNEL_GLOBAL and keep _PAGE_GLOBAL
available so that it can still be used for a few selected kernel mappings
which must be visible to userspace, when KAISER is enabled, like the
entry/exit code and data.
I admit it's a pet pieve, but having very precise changelogs for this kind
of changes makes review a lot easier and is really usefulwhen you have to
stare at a commit 3 month later.
Other than that:
Reviewed-by: Thomas Gleixner <tglx@linutronix.de>
^ permalink raw reply [flat|nested] 64+ messages in thread
* [PATCH 05/30] x86, kaiser: prepare assembly for entry/exit CR3 switching
2017-11-08 19:46 [PATCH 00/30] [v2] KAISER: unmap most of the kernel from userspace page tables Dave Hansen
` (3 preceding siblings ...)
2017-11-08 19:46 ` [PATCH 04/30] x86, kaiser: disable global pages by default with KAISER Dave Hansen
@ 2017-11-08 19:46 ` Dave Hansen
2017-11-09 13:20 ` Borislav Petkov
2017-11-08 19:46 ` [PATCH 06/30] x86, kaiser: introduce user-mapped percpu areas Dave Hansen
` (24 subsequent siblings)
29 siblings, 1 reply; 64+ messages in thread
From: Dave Hansen @ 2017-11-08 19:46 UTC (permalink / raw)
To: linux-kernel
Cc: linux-mm, dave.hansen, moritz.lipp, daniel.gruss,
michael.schwarz, richard.fellner, luto, torvalds, keescook,
hughd, x86
From: Dave Hansen <dave.hansen@linux.intel.com>
This is largely code from Andy Lutomirski. I fixed a few bugs
in it, and added a few SWITCH_TO_* spots.
KAISER needs to switch to a different CR3 value when it enters
the kernel and switch back when it exits. This essentially
needs to be done before we leave assembly code.
This is extra challenging because the context in which we have to
make this switch is tricky: the registers we are allowed to
clobber can vary. It's also hard to store things on the stack
because there are already things on it with an established ABI
(ptregs) or the stack is unsafe to use at all.
This patch establishes a set of macros that allow changing to
the user and kernel CR3 values.
Interactions with SWAPGS: previous versions of the KAISER code
relied on having per-cpu scratch space so we have a register
to clobber for our CR3 MOV. The %GS register is what we use
to index into our per-cpu sapce, so SWAPGS *had* to be done
before the CR3 switch. That scratch space is gone now, but we
still keep the semantic that SWAPGS must be done before the
CR3 MOV. This is good to keep because it is not that hard to
do and it allows us to do things like add per-cpu debugging
information to help us figure out what goes wrong sometimes.
What this does in the NMI code is worth pointing out. NMIs
can interrupt *any* context and they can also be nested with
NMIs interrupting other NMIs. The comments below
".Lnmi_from_kernel" explain the format of the stack that we
have to deal with this situation. Changing the format of
this stack is not a fun exercise: I tried. Instead of
storing the old CR3 value on the stack, we depend on the
*regular* register save/restore mechanism and then use %r14
to keep CR3 during the NMI. It will not be clobbered by the
C NMI handlers that get called.
Signed-off-by: Dave Hansen <dave.hansen@linux.intel.com>
Cc: Moritz Lipp <moritz.lipp@iaik.tugraz.at>
Cc: Daniel Gruss <daniel.gruss@iaik.tugraz.at>
Cc: Michael Schwarz <michael.schwarz@iaik.tugraz.at>
Cc: Richard Fellner <richard.fellner@student.tugraz.at>
Cc: Andy Lutomirski <luto@kernel.org>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Kees Cook <keescook@google.com>
Cc: Hugh Dickins <hughd@google.com>
Cc: x86@kernel.org
---
b/arch/x86/entry/calling.h | 65 +++++++++++++++++++++++++++++++++++++
b/arch/x86/entry/entry_64.S | 30 ++++++++++++++---
b/arch/x86/entry/entry_64_compat.S | 8 ++++
3 files changed, 98 insertions(+), 5 deletions(-)
diff -puN arch/x86/entry/calling.h~kaiser-luto-base-cr3-work arch/x86/entry/calling.h
--- a/arch/x86/entry/calling.h~kaiser-luto-base-cr3-work 2017-11-08 10:45:28.091681398 -0800
+++ b/arch/x86/entry/calling.h 2017-11-08 10:45:28.098681398 -0800
@@ -1,5 +1,6 @@
#include <linux/jump_label.h>
#include <asm/unwind_hints.h>
+#include <asm/cpufeatures.h>
/*
@@ -186,6 +187,70 @@ For 32-bit we have the following convent
#endif
.endm
+#ifdef CONFIG_KAISER
+
+/* KAISER PGDs are 8k. We flip bit 12 to switch between the two halves: */
+#define KAISER_SWITCH_MASK (1<<PAGE_SHIFT)
+
+.macro ADJUST_KERNEL_CR3 reg:req
+ /* Clear "KAISER bit", point CR3 at kernel pagetables: */
+ andq $(~KAISER_SWITCH_MASK), \reg
+.endm
+
+.macro ADJUST_USER_CR3 reg:req
+ /* Move CR3 up a page to the user page tables: */
+ orq $(KAISER_SWITCH_MASK), \reg
+.endm
+
+.macro SWITCH_TO_KERNEL_CR3 scratch_reg:req
+ mov %cr3, \scratch_reg
+ ADJUST_KERNEL_CR3 \scratch_reg
+ mov \scratch_reg, %cr3
+.endm
+
+.macro SWITCH_TO_USER_CR3 scratch_reg:req
+ mov %cr3, \scratch_reg
+ ADJUST_USER_CR3 \scratch_reg
+ mov \scratch_reg, %cr3
+.endm
+
+.macro SAVE_AND_SWITCH_TO_KERNEL_CR3 scratch_reg:req save_reg:req
+ movq %cr3, %r\scratch_reg
+ movq %r\scratch_reg, \save_reg
+ /*
+ * Is the switch bit zero? This means the address is
+ * up in real KAISER patches in a moment.
+ */
+ testq $(KAISER_SWITCH_MASK), %r\scratch_reg
+ jz .Ldone_\@
+
+ ADJUST_KERNEL_CR3 %r\scratch_reg
+ movq %r\scratch_reg, %cr3
+
+.Ldone_\@:
+.endm
+
+.macro RESTORE_CR3 save_reg:req
+ /*
+ * We could avoid the CR3 write if not changing its value,
+ * but that requires a CR3 read *and* a scratch register.
+ */
+ movq \save_reg, %cr3
+.endm
+
+#else /* CONFIG_KAISER=n: */
+
+.macro SWITCH_TO_KERNEL_CR3 scratch_reg:req
+.endm
+.macro SWITCH_TO_USER_CR3 scratch_reg:req
+.endm
+.macro SAVE_AND_SWITCH_TO_KERNEL_CR3 scratch_reg:req save_reg:req
+.endm
+.macro RESTORE_CR3 save_reg:req
+.endm
+
+#endif
+
#endif /* CONFIG_X86_64 */
/*
diff -puN arch/x86/entry/entry_64_compat.S~kaiser-luto-base-cr3-work arch/x86/entry/entry_64_compat.S
--- a/arch/x86/entry/entry_64_compat.S~kaiser-luto-base-cr3-work 2017-11-08 10:45:28.092681398 -0800
+++ b/arch/x86/entry/entry_64_compat.S 2017-11-08 10:45:28.098681398 -0800
@@ -91,6 +91,9 @@ ENTRY(entry_SYSENTER_compat)
pushq $0 /* pt_regs->r15 = 0 */
cld
+ /* We just saved all the registers, so safe to clobber %rdi */
+ SWITCH_TO_KERNEL_CR3 scratch_reg=%rdi
+
/*
* SYSENTER doesn't filter flags, so we need to clear NT and AC
* ourselves. To save a few cycles, we can check whether
@@ -214,6 +217,8 @@ GLOBAL(entry_SYSCALL_compat_after_hwfram
pushq $0 /* pt_regs->r14 = 0 */
pushq $0 /* pt_regs->r15 = 0 */
+ SWITCH_TO_KERNEL_CR3 scratch_reg=%rdi
+
/*
* User mode is traced as though IRQs are on, and SYSENTER
* turned them off.
@@ -240,6 +245,7 @@ sysret32_from_system_call:
popq %rsi /* pt_regs->si */
popq %rdi /* pt_regs->di */
+ SWITCH_TO_USER_CR3 scratch_reg=%r8
/*
* USERGS_SYSRET32 does:
* GSBASE = user's GS base
@@ -324,6 +330,8 @@ ENTRY(entry_INT80_compat)
pushq %r15 /* pt_regs->r15 */
cld
+ SWITCH_TO_KERNEL_CR3 scratch_reg=%r11
+
movq %rsp, %rdi /* pt_regs pointer */
call sync_regs
movq %rax, %rsp /* switch stack */
diff -puN arch/x86/entry/entry_64.S~kaiser-luto-base-cr3-work arch/x86/entry/entry_64.S
--- a/arch/x86/entry/entry_64.S~kaiser-luto-base-cr3-work 2017-11-08 10:45:28.094681398 -0800
+++ b/arch/x86/entry/entry_64.S 2017-11-08 10:45:28.099681398 -0800
@@ -147,8 +147,6 @@ ENTRY(entry_SYSCALL_64)
movq %rsp, PER_CPU_VAR(rsp_scratch)
movq PER_CPU_VAR(cpu_current_top_of_stack), %rsp
- TRACE_IRQS_OFF
-
/* Construct struct pt_regs on stack */
pushq $__USER_DS /* pt_regs->ss */
pushq PER_CPU_VAR(rsp_scratch) /* pt_regs->sp */
@@ -169,6 +167,13 @@ GLOBAL(entry_SYSCALL_64_after_hwframe)
sub $(6*8), %rsp /* pt_regs->bp, bx, r12-15 not saved */
UNWIND_HINT_REGS extra=0
+ /* NB: right here, all regs except r11 are live. */
+
+ SWITCH_TO_KERNEL_CR3 scratch_reg=%r11
+
+ /* Must wait until we have the kernel CR3 to call C functions: */
+ TRACE_IRQS_OFF
+
/*
* If we need to do entry work or if we guess we'll need to do
* exit work, go straight to the slow path.
@@ -340,6 +345,7 @@ syscall_return_via_sysret:
* We are on the trampoline stack. All regs except RDI are live.
* We can do future final exit work right here.
*/
+ SWITCH_TO_USER_CR3 scratch_reg=%rdi
popq %rdi
popq %rsp
@@ -679,6 +685,8 @@ GLOBAL(swapgs_restore_regs_and_return_to
* We can do future final exit work right here.
*/
+ SWITCH_TO_USER_CR3 scratch_reg=%rdi
+
/* Restore RDI. */
popq %rdi
SWAPGS
@@ -1167,7 +1175,11 @@ ENTRY(paranoid_entry)
js 1f /* negative -> in kernel */
SWAPGS
xorl %ebx, %ebx
-1: ret
+
+1:
+ SAVE_AND_SWITCH_TO_KERNEL_CR3 scratch_reg=ax save_reg=%r14
+
+ ret
END(paranoid_entry)
/*
@@ -1189,6 +1201,7 @@ ENTRY(paranoid_exit)
testl %ebx, %ebx /* swapgs needed? */
jnz .Lparanoid_exit_no_swapgs
TRACE_IRQS_IRETQ
+ RESTORE_CR3 %r14
SWAPGS_UNSAFE_STACK
jmp .Lparanoid_exit_restore
.Lparanoid_exit_no_swapgs:
@@ -1217,6 +1230,9 @@ ENTRY(error_entry)
*/
SWAPGS
+ /* We have user CR3. Change to kernel CR3. */
+ SWITCH_TO_KERNEL_CR3 scratch_reg=%rax
+
.Lerror_entry_from_usermode_after_swapgs:
/*
* We need to tell lockdep that IRQs are off. We can't do this until
@@ -1263,9 +1279,10 @@ ENTRY(error_entry)
.Lerror_bad_iret:
/*
- * We came from an IRET to user mode, so we have user gsbase.
- * Switch to kernel gsbase:
+ * We came from an IRET to user mode, so we have user
+ * gsbase and CR3. Switch to kernel gsbase and CR3:
*/
+ SWITCH_TO_KERNEL_CR3 scratch_reg=%rax
SWAPGS
/*
@@ -1389,6 +1406,7 @@ ENTRY(nmi)
UNWIND_HINT_REGS
ENCODE_FRAME_POINTER
+ SWITCH_TO_KERNEL_CR3 scratch_reg=%rdi
/*
* At this point we no longer need to worry about stack damage
* due to nesting -- we're on the normal thread stack and we're
@@ -1613,6 +1631,8 @@ end_repeat_nmi:
movq $-1, %rsi
call do_nmi
+ RESTORE_CR3 save_reg=%r14
+
testl %ebx, %ebx /* swapgs needed? */
jnz nmi_restore
nmi_swapgs:
_
^ permalink raw reply [flat|nested] 64+ messages in thread* Re: [PATCH 05/30] x86, kaiser: prepare assembly for entry/exit CR3 switching
2017-11-08 19:46 ` [PATCH 05/30] x86, kaiser: prepare assembly for entry/exit CR3 switching Dave Hansen
@ 2017-11-09 13:20 ` Borislav Petkov
2017-11-09 15:34 ` Dave Hansen
0 siblings, 1 reply; 64+ messages in thread
From: Borislav Petkov @ 2017-11-09 13:20 UTC (permalink / raw)
To: Dave Hansen
Cc: linux-kernel, linux-mm, moritz.lipp, daniel.gruss,
michael.schwarz, richard.fellner, luto, torvalds, keescook,
hughd, x86
On Wed, Nov 08, 2017 at 11:46:54AM -0800, Dave Hansen wrote:
> From: Dave Hansen <dave.hansen@linux.intel.com>
>
> This is largely code from Andy Lutomirski. I fixed a few bugs
> in it, and added a few SWITCH_TO_* spots.
...
> Signed-off-by: Dave Hansen <dave.hansen@linux.intel.com>
> Cc: Moritz Lipp <moritz.lipp@iaik.tugraz.at>
> Cc: Daniel Gruss <daniel.gruss@iaik.tugraz.at>
> Cc: Michael Schwarz <michael.schwarz@iaik.tugraz.at>
> Cc: Richard Fellner <richard.fellner@student.tugraz.at>
> Cc: Andy Lutomirski <luto@kernel.org>
> Cc: Linus Torvalds <torvalds@linux-foundation.org>
> Cc: Kees Cook <keescook@google.com>
> Cc: Hugh Dickins <hughd@google.com>
> Cc: x86@kernel.org
> ---
>
> b/arch/x86/entry/calling.h | 65 +++++++++++++++++++++++++++++++++++++
> b/arch/x86/entry/entry_64.S | 30 ++++++++++++++---
> b/arch/x86/entry/entry_64_compat.S | 8 ++++
> 3 files changed, 98 insertions(+), 5 deletions(-)
What branch is that one against?
It doesn't apply cleanly against tip:x86/asm from today:
patching file arch/x86/entry/calling.h
Hunk #1 succeeded at 2 with fuzz 1 (offset 1 line).
Hunk #2 succeeded at 188 (offset 1 line).
patching file arch/x86/entry/entry_64_compat.S
Hunk #1 succeeded at 92 (offset 1 line).
Hunk #2 succeeded at 218 (offset 1 line).
Hunk #3 succeeded at 246 (offset 1 line).
Hunk #4 FAILED at 330.
1 out of 4 hunks FAILED -- saving rejects to file arch/x86/entry/entry_64_compat.S.rej
patching file arch/x86/entry/entry_64.S
Hunk #1 succeeded at 148 (offset 1 line).
Hunk #2 succeeded at 168 (offset 1 line).
Hunk #3 succeeded at 508 with fuzz 2 (offset 163 lines).
Hunk #4 FAILED at 685.
Hunk #5 succeeded at 1119 (offset -54 lines).
Hunk #6 succeeded at 1145 (offset -54 lines).
Hunk #7 succeeded at 1174 (offset -54 lines).
Hunk #8 succeeded at 1223 (offset -54 lines).
Hunk #9 succeeded at 1350 (offset -54 lines).
Hunk #10 succeeded at 1575 (offset -54 lines).
1 out of 10 hunks FAILED -- saving rejects to file arch/x86/entry/entry_64.S.rej
--
Regards/Gruss,
Boris.
Good mailing practices for 400: avoid top-posting and trim the reply.
^ permalink raw reply [flat|nested] 64+ messages in thread* Re: [PATCH 05/30] x86, kaiser: prepare assembly for entry/exit CR3 switching
2017-11-09 13:20 ` Borislav Petkov
@ 2017-11-09 15:34 ` Dave Hansen
2017-11-09 15:59 ` Borislav Petkov
0 siblings, 1 reply; 64+ messages in thread
From: Dave Hansen @ 2017-11-09 15:34 UTC (permalink / raw)
To: Borislav Petkov
Cc: linux-kernel, linux-mm, moritz.lipp, daniel.gruss,
michael.schwarz, richard.fellner, luto, torvalds, keescook,
hughd, x86
On 11/09/2017 05:20 AM, Borislav Petkov wrote:
> What branch is that one against?
It's against Andy's entry rework:
https://git.kernel.org/pub/scm/linux/kernel/git/luto/linux.git/log/?h=x86/entry_consolidation
^ permalink raw reply [flat|nested] 64+ messages in thread
* Re: [PATCH 05/30] x86, kaiser: prepare assembly for entry/exit CR3 switching
2017-11-09 15:34 ` Dave Hansen
@ 2017-11-09 15:59 ` Borislav Petkov
0 siblings, 0 replies; 64+ messages in thread
From: Borislav Petkov @ 2017-11-09 15:59 UTC (permalink / raw)
To: Dave Hansen
Cc: linux-kernel, linux-mm, moritz.lipp, daniel.gruss,
michael.schwarz, richard.fellner, luto, torvalds, keescook,
hughd, x86
On Thu, Nov 09, 2017 at 07:34:52AM -0800, Dave Hansen wrote:
> On 11/09/2017 05:20 AM, Borislav Petkov wrote:
> > What branch is that one against?
>
> It's against Andy's entry rework:
>
> https://git.kernel.org/pub/scm/linux/kernel/git/luto/linux.git/log/?h=x86/entry_consolidation
Ah, so this is what
" * Updated to be on top of Andy L's new entry code"
means.
--
Regards/Gruss,
Boris.
Good mailing practices for 400: avoid top-posting and trim the reply.
^ permalink raw reply [flat|nested] 64+ messages in thread
* [PATCH 06/30] x86, kaiser: introduce user-mapped percpu areas
2017-11-08 19:46 [PATCH 00/30] [v2] KAISER: unmap most of the kernel from userspace page tables Dave Hansen
` (4 preceding siblings ...)
2017-11-08 19:46 ` [PATCH 05/30] x86, kaiser: prepare assembly for entry/exit CR3 switching Dave Hansen
@ 2017-11-08 19:46 ` Dave Hansen
2017-11-08 19:46 ` [PATCH 07/30] x86, kaiser: mark percpu data structures required for entry/exit Dave Hansen
` (23 subsequent siblings)
29 siblings, 0 replies; 64+ messages in thread
From: Dave Hansen @ 2017-11-08 19:46 UTC (permalink / raw)
To: linux-kernel
Cc: linux-mm, dave.hansen, moritz.lipp, daniel.gruss,
michael.schwarz, richard.fellner, luto, torvalds, keescook,
hughd, x86
From: Dave Hansen <dave.hansen@linux.intel.com>
These patches are based on work from a team at Graz University of
Technology posted here: https://github.com/IAIK/KAISER
The KAISER approach keeps two copies of the page tables: one for running
in the kernel and one for running userspace. But, there are a few
structures that are needed for switching in and out of the kernel and
a good subset of *those* are per-cpu data.
This patch creates a new kind of per-cpu data that is mapped and can be
used no matter which copy of the page tables we are using. Users of
this new section will be forthcoming.
Thanks to Hugh Dickins for cleanups to this code.
Signed-off-by: Dave Hansen <dave.hansen@linux.intel.com>
Cc: Moritz Lipp <moritz.lipp@iaik.tugraz.at>
Cc: Daniel Gruss <daniel.gruss@iaik.tugraz.at>
Cc: Michael Schwarz <michael.schwarz@iaik.tugraz.at>
Cc: Richard Fellner <richard.fellner@student.tugraz.at>
Cc: Andy Lutomirski <luto@kernel.org>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Kees Cook <keescook@google.com>
Cc: Hugh Dickins <hughd@google.com>
Cc: x86@kernel.org
---
b/include/asm-generic/vmlinux.lds.h | 7 +++++++
b/include/linux/percpu-defs.h | 30 ++++++++++++++++++++++++++++++
2 files changed, 37 insertions(+)
diff -puN include/asm-generic/vmlinux.lds.h~kaiser-prep-user-mapped-percpu include/asm-generic/vmlinux.lds.h
--- a/include/asm-generic/vmlinux.lds.h~kaiser-prep-user-mapped-percpu 2017-11-08 10:45:28.687681397 -0800
+++ b/include/asm-generic/vmlinux.lds.h 2017-11-08 10:45:28.692681397 -0800
@@ -807,7 +807,14 @@
*/
#define PERCPU_INPUT(cacheline) \
VMLINUX_SYMBOL(__per_cpu_start) = .; \
+ VMLINUX_SYMBOL(__per_cpu_user_mapped_start) = .; \
*(.data..percpu..first) \
+ . = ALIGN(cacheline); \
+ *(.data..percpu..user_mapped) \
+ *(.data..percpu..user_mapped..shared_aligned) \
+ . = ALIGN(PAGE_SIZE); \
+ *(.data..percpu..user_mapped..page_aligned) \
+ VMLINUX_SYMBOL(__per_cpu_user_mapped_end) = .; \
. = ALIGN(PAGE_SIZE); \
*(.data..percpu..page_aligned) \
. = ALIGN(cacheline); \
diff -puN include/linux/percpu-defs.h~kaiser-prep-user-mapped-percpu include/linux/percpu-defs.h
--- a/include/linux/percpu-defs.h~kaiser-prep-user-mapped-percpu 2017-11-08 10:45:28.689681397 -0800
+++ b/include/linux/percpu-defs.h 2017-11-08 10:45:28.693681397 -0800
@@ -35,6 +35,12 @@
#endif
+#ifdef CONFIG_KAISER
+#define USER_MAPPED_SECTION "..user_mapped"
+#else
+#define USER_MAPPED_SECTION ""
+#endif
+
/*
* Base implementations of per-CPU variable declarations and definitions, where
* the section in which the variable is to be placed is provided by the
@@ -115,6 +121,12 @@
#define DEFINE_PER_CPU(type, name) \
DEFINE_PER_CPU_SECTION(type, name, "")
+#define DECLARE_PER_CPU_USER_MAPPED(type, name) \
+ DECLARE_PER_CPU_SECTION(type, name, USER_MAPPED_SECTION)
+
+#define DEFINE_PER_CPU_USER_MAPPED(type, name) \
+ DEFINE_PER_CPU_SECTION(type, name, USER_MAPPED_SECTION)
+
/*
* Declaration/definition used for per-CPU variables that must come first in
* the set of variables.
@@ -144,6 +156,14 @@
DEFINE_PER_CPU_SECTION(type, name, PER_CPU_SHARED_ALIGNED_SECTION) \
____cacheline_aligned_in_smp
+#define DECLARE_PER_CPU_SHARED_ALIGNED_USER_MAPPED(type, name) \
+ DECLARE_PER_CPU_SECTION(type, name, USER_MAPPED_SECTION PER_CPU_SHARED_ALIGNED_SECTION) \
+ ____cacheline_aligned_in_smp
+
+#define DEFINE_PER_CPU_SHARED_ALIGNED_USER_MAPPED(type, name) \
+ DEFINE_PER_CPU_SECTION(type, name, USER_MAPPED_SECTION PER_CPU_SHARED_ALIGNED_SECTION) \
+ ____cacheline_aligned_in_smp
+
#define DECLARE_PER_CPU_ALIGNED(type, name) \
DECLARE_PER_CPU_SECTION(type, name, PER_CPU_ALIGNED_SECTION) \
____cacheline_aligned
@@ -162,6 +182,16 @@
#define DEFINE_PER_CPU_PAGE_ALIGNED(type, name) \
DEFINE_PER_CPU_SECTION(type, name, "..page_aligned") \
__aligned(PAGE_SIZE)
+/*
+ * Declaration/definition used for per-CPU variables that must be page aligned and need to be mapped in user mode.
+ */
+#define DECLARE_PER_CPU_PAGE_ALIGNED_USER_MAPPED(type, name) \
+ DECLARE_PER_CPU_SECTION(type, name, USER_MAPPED_SECTION"..page_aligned") \
+ __aligned(PAGE_SIZE)
+
+#define DEFINE_PER_CPU_PAGE_ALIGNED_USER_MAPPED(type, name) \
+ DEFINE_PER_CPU_SECTION(type, name, USER_MAPPED_SECTION"..page_aligned") \
+ __aligned(PAGE_SIZE)
/*
* Declaration/definition used for per-CPU variables that must be read mostly.
_
^ permalink raw reply [flat|nested] 64+ messages in thread* [PATCH 07/30] x86, kaiser: mark percpu data structures required for entry/exit
2017-11-08 19:46 [PATCH 00/30] [v2] KAISER: unmap most of the kernel from userspace page tables Dave Hansen
` (5 preceding siblings ...)
2017-11-08 19:46 ` [PATCH 06/30] x86, kaiser: introduce user-mapped percpu areas Dave Hansen
@ 2017-11-08 19:46 ` Dave Hansen
2017-11-08 19:47 ` [PATCH 08/30] x86, kaiser: unmap kernel from userspace page tables (core patch) Dave Hansen
` (22 subsequent siblings)
29 siblings, 0 replies; 64+ messages in thread
From: Dave Hansen @ 2017-11-08 19:46 UTC (permalink / raw)
To: linux-kernel
Cc: linux-mm, dave.hansen, moritz.lipp, daniel.gruss,
michael.schwarz, richard.fellner, luto, torvalds, keescook,
hughd, x86
These patches are based on work from a team at Graz University of
Technology posted here: https://github.com/IAIK/KAISER
The KAISER approach keeps two copies of the page tables: one for running
in the kernel and one for running userspace. But, there are a few
structures that are needed for switching in and out of the kernel and
a good subset of *those* are per-cpu data.
Here's a short summary of the things we map to userspace:
* The gdt_page's virtual address is pointed to by the LGDT instruction.
It is needed to define the segments. Deeply required by CPU to run.
* cpu_tss tells the CPU, among other things, where the new stacks are
after user<->kernel transitions. Needed by the CPU to make ring
transitions.
* exception_stacks are needed at interrupt and exception entry so
that we have a place to store data to, among other things, get
a free register to load the kernel CR3.
Signed-off-by: Dave Hansen <dave.hansen@linux.intel.com>
Cc: Moritz Lipp <moritz.lipp@iaik.tugraz.at>
Cc: Daniel Gruss <daniel.gruss@iaik.tugraz.at>
Cc: Michael Schwarz <michael.schwarz@iaik.tugraz.at>
Cc: Richard Fellner <richard.fellner@student.tugraz.at>
Cc: Andy Lutomirski <luto@kernel.org>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Kees Cook <keescook@google.com>
Cc: Hugh Dickins <hughd@google.com>
Cc: x86@kernel.org
---
b/arch/x86/include/asm/desc.h | 2 +-
b/arch/x86/include/asm/processor.h | 2 +-
b/arch/x86/kernel/cpu/common.c | 4 ++--
b/arch/x86/kernel/process.c | 2 +-
4 files changed, 5 insertions(+), 5 deletions(-)
diff -puN arch/x86/include/asm/desc.h~kaiser-prep-x86-percpu-user-mapped arch/x86/include/asm/desc.h
--- a/arch/x86/include/asm/desc.h~kaiser-prep-x86-percpu-user-mapped 2017-11-08 10:45:29.252681395 -0800
+++ b/arch/x86/include/asm/desc.h 2017-11-08 10:45:29.261681395 -0800
@@ -45,7 +45,7 @@ struct gdt_page {
struct desc_struct gdt[GDT_ENTRIES];
} __attribute__((aligned(PAGE_SIZE)));
-DECLARE_PER_CPU_PAGE_ALIGNED(struct gdt_page, gdt_page);
+DECLARE_PER_CPU_PAGE_ALIGNED_USER_MAPPED(struct gdt_page, gdt_page);
/* Provide the original GDT */
static inline struct desc_struct *get_cpu_gdt_rw(unsigned int cpu)
diff -puN arch/x86/include/asm/processor.h~kaiser-prep-x86-percpu-user-mapped arch/x86/include/asm/processor.h
--- a/arch/x86/include/asm/processor.h~kaiser-prep-x86-percpu-user-mapped 2017-11-08 10:45:29.254681395 -0800
+++ b/arch/x86/include/asm/processor.h 2017-11-08 10:45:29.261681395 -0800
@@ -346,7 +346,7 @@ struct tss_struct {
unsigned long SYSENTER_stack[64];
} ____cacheline_aligned;
-DECLARE_PER_CPU_SHARED_ALIGNED(struct tss_struct, cpu_tss);
+DECLARE_PER_CPU_SHARED_ALIGNED_USER_MAPPED(struct tss_struct, cpu_tss);
/*
* sizeof(unsigned long) coming from an extra "long" at the end
diff -puN arch/x86/kernel/cpu/common.c~kaiser-prep-x86-percpu-user-mapped arch/x86/kernel/cpu/common.c
--- a/arch/x86/kernel/cpu/common.c~kaiser-prep-x86-percpu-user-mapped 2017-11-08 10:45:29.256681395 -0800
+++ b/arch/x86/kernel/cpu/common.c 2017-11-08 10:45:29.262681395 -0800
@@ -98,7 +98,7 @@ static const struct cpu_dev default_cpu
static const struct cpu_dev *this_cpu = &default_cpu;
-DEFINE_PER_CPU_PAGE_ALIGNED(struct gdt_page, gdt_page) = { .gdt = {
+DEFINE_PER_CPU_PAGE_ALIGNED_USER_MAPPED(struct gdt_page, gdt_page) = { .gdt = {
#ifdef CONFIG_X86_64
/*
* We need valid kernel segments for data and code in long mode too
@@ -1343,7 +1343,7 @@ static const unsigned int exception_stac
[DEBUG_STACK - 1] = DEBUG_STKSZ
};
-static DEFINE_PER_CPU_PAGE_ALIGNED(char, exception_stacks
+DEFINE_PER_CPU_PAGE_ALIGNED_USER_MAPPED(char, exception_stacks
[(N_EXCEPTION_STACKS - 1) * EXCEPTION_STKSZ + DEBUG_STKSZ]);
/* May not be marked __init: used by software suspend */
diff -puN arch/x86/kernel/process.c~kaiser-prep-x86-percpu-user-mapped arch/x86/kernel/process.c
--- a/arch/x86/kernel/process.c~kaiser-prep-x86-percpu-user-mapped 2017-11-08 10:45:29.257681395 -0800
+++ b/arch/x86/kernel/process.c 2017-11-08 10:45:29.262681395 -0800
@@ -46,7 +46,7 @@
* section. Since TSS's are completely CPU-local, we want them
* on exact cacheline boundaries, to eliminate cacheline ping-pong.
*/
-__visible DEFINE_PER_CPU_SHARED_ALIGNED(struct tss_struct, cpu_tss) = {
+__visible DEFINE_PER_CPU_SHARED_ALIGNED_USER_MAPPED(struct tss_struct, cpu_tss) = {
.x86_tss = {
/*
* .sp0 is only used when entering ring 0 from a lower
_
^ permalink raw reply [flat|nested] 64+ messages in thread* [PATCH 08/30] x86, kaiser: unmap kernel from userspace page tables (core patch)
2017-11-08 19:46 [PATCH 00/30] [v2] KAISER: unmap most of the kernel from userspace page tables Dave Hansen
` (6 preceding siblings ...)
2017-11-08 19:46 ` [PATCH 07/30] x86, kaiser: mark percpu data structures required for entry/exit Dave Hansen
@ 2017-11-08 19:47 ` Dave Hansen
2017-11-10 12:57 ` Ingo Molnar
2017-11-08 19:47 ` [PATCH 09/30] x86, kaiser: only populate shadow page tables for userspace Dave Hansen
` (21 subsequent siblings)
29 siblings, 1 reply; 64+ messages in thread
From: Dave Hansen @ 2017-11-08 19:47 UTC (permalink / raw)
To: linux-kernel
Cc: linux-mm, dave.hansen, richard.fellner, moritz.lipp,
daniel.gruss, michael.schwarz, luto, torvalds, keescook, hughd,
x86
From: Dave Hansen <dave.hansen@linux.intel.com>
These patches are based on work from a team at Graz University of
Technology: https://github.com/IAIK/KAISER . This work would not have
been possible without their work as a starting point.
KAISER is a countermeasure against side channel attacks against kernel
virtual memory. It leaves the existing page tables largely alone and
refers to them as the "kernel page tables. It adds a "shadow" pgd for
every process which is intended for use when we run userspace. The
shadow pgd maps all the same user memory as the "kernel" copy, but
only maps a minimal set of kernel memory.
Whenever we enter the kernel (syscalls, interrupts, exceptions), the
pgd is switched to the "kernel" copy. When the system switches back
to user mode, the shadow pgd is used.
The minimalistic kernel page tables try to map only what is needed to
enter/exit the kernel such as the entry/exit functions themselves and
the interrupt descriptors (IDT).
Changes from original KAISER patch:
* Gobs of coding style cleanups
* The original patch tried to allocate an order-2 page, then
8k-align the result. That's silly since order-2 is already
guaranteed to be 16k-aligned. Removed that gunk and just
allocate an order-1 page.
* Handle (or at least detect and warn on) allocation failures
* Use _KERNPG_TABLE, not _PAGE_TABLE when creating mappings for
the kernel in the shadow (user) page tables.
* BUG_ON() for !pte_none() case was totally insane: it checked
the physical address of the 'struct page' against the physical
address of the page being mapped.
* Added 5-level page table support
* Never free kaiser page tables. We don't have the locking to
keep them from getting used while we free them.
* Use a totally different scheme in the entry code. The
original code just fell apart in horrific ways in debug faults,
NMIs, or when iret faults. Big thanks to Andy Lutomirski for
reducing the number of places we had to patch. He made the
code a ton simpler.
* Use new entry trampoline instead of mapping process stacks.
Note: The original KAISER authors signed-off on their patch. Some of
their code has been broken out into other patches in this series, but
their SoB was only retained here.
Signed-off-by: Richard Fellner <richard.fellner@student.tugraz.at>
Signed-off-by: Moritz Lipp <moritz.lipp@iaik.tugraz.at>
Signed-off-by: Daniel Gruss <daniel.gruss@iaik.tugraz.at>
Signed-off-by: Michael Schwarz <michael.schwarz@iaik.tugraz.at>
Signed-off-by: Dave Hansen <dave.hansen@linux.intel.com>
Cc: Andy Lutomirski <luto@kernel.org>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Kees Cook <keescook@google.com>
Cc: Hugh Dickins <hughd@google.com>
Cc: x86@kernel.org
---
b/Documentation/x86/kaiser.txt | 160 +++++++++++++
b/arch/x86/entry/calling.h | 1
b/arch/x86/entry/entry_64.S | 15 +
b/arch/x86/include/asm/kaiser.h | 57 ++++
b/arch/x86/include/asm/pgtable.h | 6
b/arch/x86/include/asm/pgtable_64.h | 93 ++++++++
b/arch/x86/kernel/espfix_64.c | 17 +
b/arch/x86/kernel/head_64.S | 14 -
b/arch/x86/kernel/traps.c | 46 +++-
b/arch/x86/mm/Makefile | 1
b/arch/x86/mm/kaiser.c | 412 ++++++++++++++++++++++++++++++++++++
b/arch/x86/mm/pageattr.c | 2
b/arch/x86/mm/pgtable.c | 16 +
b/include/linux/kaiser.h | 29 ++
b/init/main.c | 3
b/kernel/fork.c | 1
16 files changed, 856 insertions(+), 17 deletions(-)
diff -puN arch/x86/entry/calling.h~kaiser-base arch/x86/entry/calling.h
--- a/arch/x86/entry/calling.h~kaiser-base 2017-11-08 10:45:29.866681394 -0800
+++ b/arch/x86/entry/calling.h 2017-11-08 10:45:29.890681394 -0800
@@ -1,6 +1,7 @@
#include <linux/jump_label.h>
#include <asm/unwind_hints.h>
#include <asm/cpufeatures.h>
+#include <asm/page_types.h>
/*
diff -puN arch/x86/entry/entry_64.S~kaiser-base arch/x86/entry/entry_64.S
--- a/arch/x86/entry/entry_64.S~kaiser-base 2017-11-08 10:45:29.868681394 -0800
+++ b/arch/x86/entry/entry_64.S 2017-11-08 10:45:29.896681394 -0800
@@ -145,6 +145,16 @@ ENTRY(entry_SYSCALL_64)
swapgs
movq %rsp, PER_CPU_VAR(rsp_scratch)
+
+ /*
+ * We need a good kernel CR3 to be able to map the process
+ * stack, but we need a scratch register to be able to load
+ * CR3. We could create another PER_CPU_VAR(), but %rsp is
+ * actually clobberable right now. Just use it. It will only
+ * be insane for one a couple instructions.
+ */
+ SWITCH_TO_KERNEL_CR3 scratch_reg=%rsp
+
movq PER_CPU_VAR(cpu_current_top_of_stack), %rsp
/* Construct struct pt_regs on stack */
@@ -169,8 +179,6 @@ GLOBAL(entry_SYSCALL_64_after_hwframe)
/* NB: right here, all regs except r11 are live. */
- SWITCH_TO_KERNEL_CR3 scratch_reg=%r11
-
/* Must wait until we have the kernel CR3 to call C functions: */
TRACE_IRQS_OFF
@@ -1269,6 +1277,7 @@ ENTRY(error_entry)
* gsbase and proceed. We'll fix up the exception and land in
* .Lgs_change's error handler with kernel gsbase.
*/
+ SWITCH_TO_KERNEL_CR3 scratch_reg=%rax
SWAPGS
jmp .Lerror_entry_done
@@ -1378,6 +1387,7 @@ ENTRY(nmi)
swapgs
cld
+ SWITCH_TO_KERNEL_CR3 scratch_reg=%rdx
movq %rsp, %rdx
movq PER_CPU_VAR(cpu_current_top_of_stack), %rsp
UNWIND_HINT_IRET_REGS base=%rdx offset=8
@@ -1406,7 +1416,6 @@ ENTRY(nmi)
UNWIND_HINT_REGS
ENCODE_FRAME_POINTER
- SWITCH_TO_KERNEL_CR3 scratch_reg=%rdi
/*
* At this point we no longer need to worry about stack damage
* due to nesting -- we're on the normal thread stack and we're
diff -puN /dev/null arch/x86/include/asm/kaiser.h
--- /dev/null 2017-11-06 07:51:38.702108459 -0800
+++ b/arch/x86/include/asm/kaiser.h 2017-11-08 10:45:29.891681394 -0800
@@ -0,0 +1,57 @@
+#ifndef _ASM_X86_KAISER_H
+#define _ASM_X86_KAISER_H
+/*
+ * Copyright(c) 2017 Intel Corporation. All rights reserved.
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of version 2 of the GNU General Public License as
+ * published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
+ *
+ * Based on work published here: https://github.com/IAIK/KAISER
+ * Modified by Dave Hansen <dave.hansen@intel.com to actually work.
+ */
+#ifndef __ASSEMBLY__
+
+#ifdef CONFIG_KAISER
+/**
+ * kaiser_add_mapping - map a kernel range into the user page tables
+ * @addr: the start address of the range
+ * @size: the size of the range
+ * @flags: The mapping flags of the pages
+ *
+ * Use this on all data and code that need to be mapped into both
+ * copies of the page tables. This includes the code that switches
+ * to/from userspace and all of the hardware structures that are
+ * virtually-addressed and needed in userspace like the interrupt
+ * table.
+ */
+extern int kaiser_add_mapping(unsigned long addr, unsigned long size,
+ unsigned long flags);
+
+/**
+ * kaiser_remove_mapping - remove a kernel mapping from the userpage tables
+ * @addr: the start address of the range
+ * @size: the size of the range
+ */
+extern void kaiser_remove_mapping(unsigned long start, unsigned long size);
+
+/**
+ * kaiser_init - Initialize the shadow mapping
+ *
+ * Most parts of the shadow mapping can be mapped upon boot
+ * time. Only per-process things like the thread stacks
+ * or a new LDT have to be mapped at runtime. These boot-
+ * time mappings are permanent and never unmapped.
+ */
+extern void kaiser_init(void);
+
+#endif
+
+#endif /* __ASSEMBLY__ */
+
+#endif /* _ASM_X86_KAISER_H */
diff -puN arch/x86/include/asm/pgtable_64.h~kaiser-base arch/x86/include/asm/pgtable_64.h
--- a/arch/x86/include/asm/pgtable_64.h~kaiser-base 2017-11-08 10:45:29.870681394 -0800
+++ b/arch/x86/include/asm/pgtable_64.h 2017-11-08 10:45:29.891681394 -0800
@@ -130,9 +130,88 @@ static inline pud_t native_pudp_get_and_
#endif
}
+#ifdef CONFIG_KAISER
+/*
+ * All top-level KAISER page tables are order-1 pages (8k-aligned
+ * and 8k in size). The kernel one is at the beginning 4k and
+ * the user (shadow) one is in the last 4k. To switch between
+ * them, you just need to flip the 12th bit in their addresses.
+ */
+#define KAISER_PGTABLE_SWITCH_BIT PAGE_SHIFT
+
+/*
+ * This generates better code than the inline assembly in
+ * __set_bit().
+ */
+static inline void *ptr_set_bit(void *ptr, int bit)
+{
+ unsigned long __ptr = (unsigned long)ptr;
+ __ptr |= (1<<bit);
+ return (void *)__ptr;
+}
+static inline void *ptr_clear_bit(void *ptr, int bit)
+{
+ unsigned long __ptr = (unsigned long)ptr;
+ __ptr &= ~(1<<bit);
+ return (void *)__ptr;
+}
+
+static inline pgd_t *native_get_shadow_pgd(pgd_t *pgdp)
+{
+ return ptr_set_bit(pgdp, KAISER_PGTABLE_SWITCH_BIT);
+}
+static inline pgd_t *native_get_normal_pgd(pgd_t *pgdp)
+{
+ return ptr_clear_bit(pgdp, KAISER_PGTABLE_SWITCH_BIT);
+}
+static inline p4d_t *native_get_shadow_p4d(p4d_t *p4dp)
+{
+ return ptr_set_bit(p4dp, KAISER_PGTABLE_SWITCH_BIT);
+}
+static inline p4d_t *native_get_normal_p4d(p4d_t *p4dp)
+{
+ return ptr_clear_bit(p4dp, KAISER_PGTABLE_SWITCH_BIT);
+}
+#endif /* CONFIG_KAISER */
+
+/*
+ * Page table pages are page-aligned. The lower half of the top
+ * level is used for userspace and the top half for the kernel.
+ * This returns true for user pages that need to get copied into
+ * both the user and kernel copies of the page tables, and false
+ * for kernel pages that should only be in the kernel copy.
+ */
+static inline bool is_userspace_pgd(void *__ptr)
+{
+ unsigned long ptr = (unsigned long)__ptr;
+
+ return ((ptr % PAGE_SIZE) < (PAGE_SIZE / 2));
+}
+
static inline void native_set_p4d(p4d_t *p4dp, p4d_t p4d)
{
+#if defined(CONFIG_KAISER) && !defined(CONFIG_X86_5LEVEL)
+ /*
+ * set_pgd() does not get called when we are running
+ * CONFIG_X86_5LEVEL=y. So, just hack around it. We
+ * know here that we have a p4d but that it is really at
+ * the top level of the page tables; it is really just a
+ * pgd.
+ */
+ /* Do we need to also populate the shadow p4d? */
+ if (is_userspace_pgd(p4dp))
+ native_get_shadow_p4d(p4dp)->pgd = p4d.pgd;
+ /*
+ * Even if the entry is *mapping* userspace, ensure
+ * that userspace can not use it. This way, if we
+ * get out to userspace with the wrong CR3 value,
+ * userspace will crash instead of running.
+ */
+ if (!p4d.pgd.pgd)
+ p4dp->pgd.pgd = p4d.pgd.pgd | _PAGE_NX;
+#else /* CONFIG_KAISER */
*p4dp = p4d;
+#endif
}
static inline void native_p4d_clear(p4d_t *p4d)
@@ -146,7 +225,21 @@ static inline void native_p4d_clear(p4d_
static inline void native_set_pgd(pgd_t *pgdp, pgd_t pgd)
{
+#ifdef CONFIG_KAISER
+ /* Do we need to also populate the shadow pgd? */
+ if (is_userspace_pgd(pgdp))
+ native_get_shadow_pgd(pgdp)->pgd = pgd.pgd;
+ /*
+ * Even if the entry is mapping userspace, ensure
+ * that it is unusable for userspace. This way,
+ * if we get out to userspace with the wrong CR3
+ * value, userspace will crash instead of running.
+ */
+ if (!pgd_none(pgd))
+ pgdp->pgd = pgd.pgd | _PAGE_NX;
+#else /* CONFIG_KAISER */
*pgdp = pgd;
+#endif
}
static inline void native_pgd_clear(pgd_t *pgd)
diff -puN arch/x86/include/asm/pgtable.h~kaiser-base arch/x86/include/asm/pgtable.h
--- a/arch/x86/include/asm/pgtable.h~kaiser-base 2017-11-08 10:45:29.872681394 -0800
+++ b/arch/x86/include/asm/pgtable.h 2017-11-08 10:45:29.891681394 -0800
@@ -1105,6 +1105,12 @@ static inline void pmdp_set_wrprotect(st
static inline void clone_pgd_range(pgd_t *dst, pgd_t *src, int count)
{
memcpy(dst, src, count * sizeof(pgd_t));
+#ifdef CONFIG_KAISER
+ /* Clone the shadow pgd part as well */
+ memcpy(native_get_shadow_pgd(dst),
+ native_get_shadow_pgd(src),
+ count * sizeof(pgd_t));
+#endif
}
#define PTE_SHIFT ilog2(PTRS_PER_PTE)
diff -puN arch/x86/kernel/espfix_64.c~kaiser-base arch/x86/kernel/espfix_64.c
--- a/arch/x86/kernel/espfix_64.c~kaiser-base 2017-11-08 10:45:29.874681394 -0800
+++ b/arch/x86/kernel/espfix_64.c 2017-11-08 10:45:29.892681394 -0800
@@ -41,6 +41,7 @@
#include <asm/pgalloc.h>
#include <asm/setup.h>
#include <asm/espfix.h>
+#include <asm/kaiser.h>
/*
* Note: we only need 6*8 = 48 bytes for the espfix stack, but round
@@ -128,6 +129,22 @@ void __init init_espfix_bsp(void)
pgd = &init_top_pgt[pgd_index(ESPFIX_BASE_ADDR)];
p4d = p4d_alloc(&init_mm, pgd, ESPFIX_BASE_ADDR);
p4d_populate(&init_mm, p4d, espfix_pud_page);
+ /*
+ * Just copy the top-level PGD that is mapping the espfix
+ * area to ensure it is mapped into the shadow user page
+ * tables.
+ *
+ * For 5-level paging, we should have already populated
+ * the espfix pgd when kaiser_init() pre-populated all
+ * the pgd entries. The above p4d_alloc() would never do
+ * anything and the p4d_populate() would be done to a p4d
+ * already mapped in the userspace pgd.
+ */
+#ifdef CONFIG_KAISER
+ if (CONFIG_PGTABLE_LEVELS <= 4)
+ set_pgd(native_get_shadow_pgd(pgd),
+ __pgd(_KERNPG_TABLE | (p4d_pfn(*p4d) << PAGE_SHIFT)));
+#endif
/* Randomize the locations */
init_espfix_random();
diff -puN arch/x86/kernel/head_64.S~kaiser-base arch/x86/kernel/head_64.S
--- a/arch/x86/kernel/head_64.S~kaiser-base 2017-11-08 10:45:29.876681394 -0800
+++ b/arch/x86/kernel/head_64.S 2017-11-08 10:45:29.892681394 -0800
@@ -339,6 +339,14 @@ GLOBAL(early_recursion_flag)
.balign PAGE_SIZE; \
GLOBAL(name)
+#ifdef CONFIG_KAISER
+#define NEXT_PGD_PAGE(name) \
+ .balign 2 * PAGE_SIZE; \
+GLOBAL(name)
+#else
+#define NEXT_PGD_PAGE(name) NEXT_PAGE(name)
+#endif
+
/* Automate the creation of 1 to 1 mapping pmd entries */
#define PMDS(START, PERM, COUNT) \
i = 0 ; \
@@ -348,7 +356,7 @@ GLOBAL(name)
.endr
__INITDATA
-NEXT_PAGE(early_top_pgt)
+NEXT_PGD_PAGE(early_top_pgt)
.fill 511,8,0
#ifdef CONFIG_X86_5LEVEL
.quad level4_kernel_pgt - __START_KERNEL_map + _PAGE_TABLE_NOENC
@@ -362,10 +370,10 @@ NEXT_PAGE(early_dynamic_pgts)
.data
#ifndef CONFIG_XEN
-NEXT_PAGE(init_top_pgt)
+NEXT_PGD_PAGE(init_top_pgt)
.fill 512,8,0
#else
-NEXT_PAGE(init_top_pgt)
+NEXT_PGD_PAGE(init_top_pgt)
.quad level3_ident_pgt - __START_KERNEL_map + _KERNPG_TABLE_NOENC
.org init_top_pgt + PGD_PAGE_OFFSET*8, 0
.quad level3_ident_pgt - __START_KERNEL_map + _KERNPG_TABLE_NOENC
diff -puN arch/x86/kernel/traps.c~kaiser-base arch/x86/kernel/traps.c
--- a/arch/x86/kernel/traps.c~kaiser-base 2017-11-08 10:45:29.878681394 -0800
+++ b/arch/x86/kernel/traps.c 2017-11-08 10:45:29.897681394 -0800
@@ -329,6 +329,43 @@ __visible void __noreturn handle_stack_o
}
#endif
+/*
+ * This "fakes" a #GP from userspace upon returning (iret'ing)
+ * from this double fault.
+ */
+void setup_fake_gp_at_iret(struct pt_regs *regs)
+{
+ unsigned long *new_stack_top = (unsigned long *)
+ (this_cpu_read(cpu_tss.x86_tss.ist[0]) - 0x1500);
+
+ /*
+ * Set up a stack just like the hardware would for a #GP.
+ *
+ * This format is an "iret frame", plus the error code
+ * that the hardware puts on the stack for us for
+ * exceptions. (see struct pt_regs).
+ */
+ new_stack_top[-1] = regs->ss;
+ new_stack_top[-2] = regs->sp;
+ new_stack_top[-3] = regs->flags;
+ new_stack_top[-4] = regs->cs;
+ new_stack_top[-5] = regs->ip;
+ new_stack_top[-6] = 0; /* faked #GP error code */
+
+ /*
+ * 'regs' points to the "iret frame" for *this*
+ * exception, *not* the #GP we are faking. Here,
+ * we are telling 'iret' to jump to general_protection
+ * when returning from this double fault.
+ */
+ regs->ip = (unsigned long)general_protection;
+ /*
+ * Make iret move the stack to the "fake #GP" stack
+ * we created above.
+ */
+ regs->sp = (unsigned long)&new_stack_top[-6];
+}
+
#ifdef CONFIG_X86_64
/* Runs on IST stack */
dotraplinkage void do_double_fault(struct pt_regs *regs, long error_code)
@@ -354,14 +391,7 @@ dotraplinkage void do_double_fault(struc
regs->cs == __KERNEL_CS &&
regs->ip == (unsigned long)native_irq_return_iret)
{
- struct pt_regs *normal_regs = task_pt_regs(current);
-
- /* Fake a #GP(0) from userspace. */
- memmove(&normal_regs->ip, (void *)regs->sp, 5*8);
- normal_regs->orig_ax = 0; /* Missing (lost) #GP error code */
- regs->ip = (unsigned long)general_protection;
- regs->sp = (unsigned long)&normal_regs->orig_ax;
-
+ setup_fake_gp_at_iret(regs);
return;
}
#endif
diff -puN /dev/null arch/x86/mm/kaiser.c
--- /dev/null 2017-11-06 07:51:38.702108459 -0800
+++ b/arch/x86/mm/kaiser.c 2017-11-08 10:45:29.893681394 -0800
@@ -0,0 +1,412 @@
+/*
+ * Copyright(c) 2017 Intel Corporation. All rights reserved.
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of version 2 of the GNU General Public License as
+ * published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
+ *
+ * Based on work published here: https://github.com/IAIK/KAISER
+ * Modified by Dave Hansen <dave.hansen@intel.com to actually work.
+ */
+#include <linux/kernel.h>
+#include <linux/errno.h>
+#include <linux/string.h>
+#include <linux/types.h>
+#include <linux/bug.h>
+#include <linux/init.h>
+#include <linux/spinlock.h>
+#include <linux/mm.h>
+#include <linux/uaccess.h>
+
+#include <asm/kaiser.h>
+#include <asm/pgtable.h>
+#include <asm/pgalloc.h>
+#include <asm/tlbflush.h>
+#include <asm/desc.h>
+
+/*
+ * At runtime, the only things we map are some things for CPU
+ * hotplug, and stacks for new processes. No two CPUs will ever
+ * be populating the same addresses, so we only need to ensure
+ * that we protect between two CPUs trying to allocate and
+ * populate the same page table page.
+ *
+ * Only take this lock when doing a set_p[4um]d(), but it is not
+ * needed for doing a set_pte(). We assume that only the *owner*
+ * of a given allocation will be doing this for _their_
+ * allocation.
+ *
+ * This ensures that once a system has been running for a while
+ * and there have been stacks all over and these page tables
+ * are fully populated, there will be no further acquisitions of
+ * this lock.
+ */
+static DEFINE_SPINLOCK(shadow_table_allocation_lock);
+
+/*
+ * This is only for walking kernel addresses. We use it too help
+ * recreate the "shadow" page tables which are used while we are in
+ * userspace.
+ *
+ * This can be called on any kernel memory addresses and will work
+ * with any page sizes and any types: normal linear map memory,
+ * vmalloc(), even kmap().
+ *
+ * Note: this is only used when mapping new *kernel* entries into
+ * the user/shadow page tables. It is never used for userspace
+ * addresses.
+ *
+ * Returns -1 on error.
+ */
+static inline unsigned long get_pa_from_kernel_map(unsigned long vaddr)
+{
+ pgd_t *pgd;
+ p4d_t *p4d;
+ pud_t *pud;
+ pmd_t *pmd;
+ pte_t *pte;
+
+ /* We should only be asked to walk kernel addresses */
+ if (vaddr < PAGE_OFFSET) {
+ WARN_ON_ONCE(1);
+ return -1;
+ }
+
+ pgd = pgd_offset_k(vaddr);
+ /*
+ * We made all the kernel PGDs present in kaiser_init().
+ * We expect them to stay that way.
+ */
+ if (pgd_none(*pgd)) {
+ WARN_ON_ONCE(1);
+ return -1;
+ }
+ /*
+ * PGDs are either 512GB or 128TB on all x86_64
+ * configurations. We don't handle these.
+ */
+ if (pgd_large(*pgd)) {
+ WARN_ON_ONCE(1);
+ return -1;
+ }
+
+ p4d = p4d_offset(pgd, vaddr);
+ if (p4d_none(*p4d)) {
+ WARN_ON_ONCE(1);
+ return -1;
+ }
+
+ pud = pud_offset(p4d, vaddr);
+ if (pud_none(*pud)) {
+ WARN_ON_ONCE(1);
+ return -1;
+ }
+
+ if (pud_large(*pud))
+ return (pud_pfn(*pud) << PAGE_SHIFT) | (vaddr & ~PUD_PAGE_MASK);
+
+ pmd = pmd_offset(pud, vaddr);
+ if (pmd_none(*pmd)) {
+ WARN_ON_ONCE(1);
+ return -1;
+ }
+
+ if (pmd_large(*pmd))
+ return (pmd_pfn(*pmd) << PAGE_SHIFT) | (vaddr & ~PMD_PAGE_MASK);
+
+ pte = pte_offset_kernel(pmd, vaddr);
+ if (pte_none(*pte)) {
+ WARN_ON_ONCE(1);
+ return -1;
+ }
+
+ return (pte_pfn(*pte) << PAGE_SHIFT) | (vaddr & ~PAGE_MASK);
+}
+
+/*
+ * Walk the shadow copy of the page tables (optionally) trying to
+ * allocate page table pages on the way down. Does not support
+ * large pages since the data we are mapping is (generally) not
+ * large enough or aligned to 2MB.
+ *
+ * Note: this is only used when mapping *new* kernel data into the
+ * user/shadow page tables. It is never used for userspace data.
+ *
+ * Returns a pointer to a PTE on success, or NULL on failure.
+ */
+#define KAISER_WALK_ATOMIC 0x1
+static pte_t *kaiser_shadow_pagetable_walk(unsigned long address,
+ unsigned long flags)
+{
+ pte_t *pte;
+ pmd_t *pmd;
+ pud_t *pud;
+ p4d_t *p4d;
+ pgd_t *pgd = native_get_shadow_pgd(pgd_offset_k(address));
+ gfp_t gfp = (GFP_KERNEL | __GFP_NOTRACK | __GFP_ZERO);
+
+ if (flags & KAISER_WALK_ATOMIC) {
+ gfp &= ~GFP_KERNEL;
+ gfp |= __GFP_HIGH | __GFP_ATOMIC;
+ }
+
+ if (address < PAGE_OFFSET) {
+ WARN_ONCE(1, "attempt to walk user address\n");
+ return NULL;
+ }
+
+ if (pgd_none(*pgd)) {
+ WARN_ONCE(1, "All shadow pgds should have been populated\n");
+ return NULL;
+ }
+ BUILD_BUG_ON(pgd_large(*pgd) != 0);
+
+ p4d = p4d_offset(pgd, address);
+ BUILD_BUG_ON(p4d_large(*p4d) != 0);
+ if (p4d_none(*p4d)) {
+ unsigned long new_pud_page = __get_free_page(gfp);
+ if (!new_pud_page)
+ return NULL;
+
+ spin_lock(&shadow_table_allocation_lock);
+ if (p4d_none(*p4d))
+ set_p4d(p4d, __p4d(_KERNPG_TABLE | __pa(new_pud_page)));
+ else
+ free_page(new_pud_page);
+ spin_unlock(&shadow_table_allocation_lock);
+ }
+
+ pud = pud_offset(p4d, address);
+ /* The shadow page tables do not use large mappings: */
+ if (pud_large(*pud)) {
+ WARN_ON(1);
+ return NULL;
+ }
+ if (pud_none(*pud)) {
+ unsigned long new_pmd_page = __get_free_page(gfp);
+ if (!new_pmd_page)
+ return NULL;
+
+ spin_lock(&shadow_table_allocation_lock);
+ if (pud_none(*pud))
+ set_pud(pud, __pud(_KERNPG_TABLE | __pa(new_pmd_page)));
+ else
+ free_page(new_pmd_page);
+ spin_unlock(&shadow_table_allocation_lock);
+ }
+
+ pmd = pmd_offset(pud, address);
+ /* The shadow page tables do not use large mappings: */
+ if (pmd_large(*pmd)) {
+ WARN_ON(1);
+ return NULL;
+ }
+ if (pmd_none(*pmd)) {
+ unsigned long new_pte_page = __get_free_page(gfp);
+ if (!new_pte_page)
+ return NULL;
+
+ spin_lock(&shadow_table_allocation_lock);
+ if (pmd_none(*pmd))
+ set_pmd(pmd, __pmd(_KERNPG_TABLE | __pa(new_pte_page)));
+ else
+ free_page(new_pte_page);
+ spin_unlock(&shadow_table_allocation_lock);
+ }
+
+ pte = pte_offset_kernel(pmd, address);
+ if (pte_flags(*pte) & _PAGE_USER) {
+ WARN_ONCE(1, "attempt to walk to user pte\n");
+ return NULL;
+ }
+ return pte;
+}
+
+/*
+ * Given a kernel address, @__start_addr, copy that mapping into
+ * the user (shadow) page tables. This may need to allocate page
+ * table pages.
+ */
+int kaiser_add_user_map(const void *__start_addr, unsigned long size,
+ unsigned long flags)
+{
+ pte_t *pte;
+ unsigned long start_addr = (unsigned long)__start_addr;
+ unsigned long address = start_addr & PAGE_MASK;
+ unsigned long end_addr = PAGE_ALIGN(start_addr + size);
+ unsigned long target_address;
+
+ for (; address < end_addr; address += PAGE_SIZE) {
+ target_address = get_pa_from_kernel_map(address);
+ if (target_address == -1)
+ return -EIO;
+
+ pte = kaiser_shadow_pagetable_walk(address, false);
+ /*
+ * Errors come from either -ENOMEM for a page
+ * table page, or something screwy that did a
+ * WARN_ON(). Just return -ENOMEM.
+ */
+ if (!pte)
+ return -ENOMEM;
+ if (pte_none(*pte)) {
+ set_pte(pte, __pte(flags | target_address));
+ } else {
+ pte_t tmp;
+ set_pte(&tmp, __pte(flags | target_address));
+ WARN_ON_ONCE(!pte_same(*pte, tmp));
+ }
+ }
+ return 0;
+}
+
+int kaiser_add_user_map_ptrs(const void *__start_addr,
+ const void *__end_addr,
+ unsigned long flags)
+{
+ return kaiser_add_user_map(__start_addr,
+ __end_addr - __start_addr,
+ flags);
+}
+
+/*
+ * Ensure that the top level of the (shadow) page tables are
+ * entirely populated. This ensures that all processes that get
+ * forked have the same entries. This way, we do not have to
+ * ever go set up new entries in older processes.
+ *
+ * Note: we never free these, so there are no updates to them
+ * after this.
+ */
+static void __init kaiser_init_all_pgds(void)
+{
+ pgd_t *pgd;
+ int i = 0;
+
+ pgd = native_get_shadow_pgd(pgd_offset_k(0UL));
+ for (i = PTRS_PER_PGD / 2; i < PTRS_PER_PGD; i++) {
+ unsigned long addr = PAGE_OFFSET + i * PGDIR_SIZE;
+#if CONFIG_PGTABLE_LEVELS > 4
+ p4d_t *p4d = p4d_alloc_one(&init_mm, addr);
+ if (!p4d) {
+ WARN_ON(1);
+ break;
+ }
+ set_pgd(pgd + i, __pgd(_KERNPG_TABLE | __pa(p4d)));
+#else /* CONFIG_PGTABLE_LEVELS <= 4 */
+ pud_t *pud = pud_alloc_one(&init_mm, addr);
+ if (!pud) {
+ WARN_ON(1);
+ break;
+ }
+ set_pgd(pgd + i, __pgd(_KERNPG_TABLE | __pa(pud)));
+#endif /* CONFIG_PGTABLE_LEVELS */
+ }
+}
+
+/*
+ * The page table allocations in here can theoretically fail, but
+ * we can not do much about it in early boot. Do the checking
+ * and warning in a macro to make it more readable.
+ */
+#define kaiser_add_user_map_early(start, size, flags) do { \
+ int __ret = kaiser_add_user_map(start, size, flags); \
+ WARN_ON(__ret); \
+} while (0)
+
+#define kaiser_add_user_map_ptrs_early(start, end, flags) do { \
+ int __ret = kaiser_add_user_map_ptrs(start, end, flags); \
+ WARN_ON(__ret); \
+} while (0)
+
+extern char __per_cpu_user_mapped_start[], __per_cpu_user_mapped_end[];
+/*
+ * If anything in here fails, we will likely die on one of the
+ * first kernel->user transitions and init will die. But, we
+ * will have most of the kernel up by then and should be able to
+ * get a clean warning out of it. If we BUG_ON() here, we run
+ * the risk of being before we have good console output.
+ *
+ * When KAISER is enabled, we remove _PAGE_GLOBAL from all of the
+ * kernel PTE permissions. This ensures that the TLB entries for
+ * the kernel are not available when in userspace. However, for
+ * the pages that are available to userspace *anyway*, we might as
+ * well continue to map them _PAGE_GLOBAL and enjoy the potential
+ * performance advantages.
+ */
+void __init kaiser_init(void)
+{
+ int cpu;
+
+ kaiser_init_all_pgds();
+
+ for_each_possible_cpu(cpu) {
+ void *percpu_vaddr = __per_cpu_user_mapped_start +
+ per_cpu_offset(cpu);
+ unsigned long percpu_sz = __per_cpu_user_mapped_end -
+ __per_cpu_user_mapped_start;
+ kaiser_add_user_map_early(percpu_vaddr, percpu_sz,
+ __PAGE_KERNEL | _PAGE_GLOBAL);
+ }
+
+ kaiser_add_user_map_ptrs_early(__entry_text_start, __entry_text_end,
+ __PAGE_KERNEL_RX | _PAGE_GLOBAL);
+
+ /* the fixed map address of the idt_table */
+ kaiser_add_user_map_early((void *)idt_descr.address,
+ sizeof(gate_desc) * NR_VECTORS,
+ __PAGE_KERNEL_RO | _PAGE_GLOBAL);
+}
+
+int kaiser_add_mapping(unsigned long addr, unsigned long size,
+ unsigned long flags)
+{
+ return kaiser_add_user_map((const void *)addr, size, flags);
+}
+
+void kaiser_remove_mapping(unsigned long start, unsigned long size)
+{
+ unsigned long addr;
+
+ /* The shadow page tables always use small pages: */
+ for (addr = start; addr < start + size; addr += PAGE_SIZE) {
+ /*
+ * Do an "atomic" walk in case this got called from an atomic
+ * context. This should not do any allocations because we
+ * should only be walking things that are known to be mapped.
+ */
+ pte_t *pte = kaiser_shadow_pagetable_walk(addr, KAISER_WALK_ATOMIC);
+
+ /*
+ * We are removing a mapping that shoud
+ * exist. WARN if it was not there:
+ */
+ if (!pte) {
+ WARN_ON_ONCE(1);
+ continue;
+ }
+
+ pte_clear(&init_mm, addr, pte);
+ }
+ /*
+ * This ensures that the TLB entries used to map this data are
+ * no longer usable on *this* CPU. We theoretically want to
+ * flush the entries on all CPUs here, but that's too
+ * expensive right now: this is called to unmap process
+ * stacks in the exit() path path.
+ *
+ * This can change if we get to the point where this is not
+ * in a remotely hot path, like only called via write_ldt().
+ *
+ * Note: we could probably also just invalidate the individual
+ * addresses to take care of *this* PCID and then do a
+ * tlb_flush_shared_nonglobals() to ensure that all other
+ * PCIDs get flushed before being used again.
+ */
+ __native_flush_tlb_global();
+}
diff -puN arch/x86/mm/Makefile~kaiser-base arch/x86/mm/Makefile
--- a/arch/x86/mm/Makefile~kaiser-base 2017-11-08 10:45:29.879681394 -0800
+++ b/arch/x86/mm/Makefile 2017-11-08 10:45:29.893681394 -0800
@@ -45,6 +45,7 @@ obj-$(CONFIG_NUMA_EMU) += numa_emulatio
obj-$(CONFIG_X86_INTEL_MPX) += mpx.o
obj-$(CONFIG_X86_INTEL_MEMORY_PROTECTION_KEYS) += pkeys.o
obj-$(CONFIG_RANDOMIZE_MEMORY) += kaslr.o
+obj-$(CONFIG_KAISER) += kaiser.o
obj-$(CONFIG_AMD_MEM_ENCRYPT) += mem_encrypt.o
obj-$(CONFIG_AMD_MEM_ENCRYPT) += mem_encrypt_boot.o
diff -puN arch/x86/mm/pageattr.c~kaiser-base arch/x86/mm/pageattr.c
--- a/arch/x86/mm/pageattr.c~kaiser-base 2017-11-08 10:45:29.881681394 -0800
+++ b/arch/x86/mm/pageattr.c 2017-11-08 10:45:29.894681394 -0800
@@ -859,7 +859,7 @@ static void unmap_pmd_range(pud_t *pud,
pud_clear(pud);
}
-static void unmap_pud_range(p4d_t *p4d, unsigned long start, unsigned long end)
+void unmap_pud_range(p4d_t *p4d, unsigned long start, unsigned long end)
{
pud_t *pud = pud_offset(p4d, start);
diff -puN arch/x86/mm/pgtable.c~kaiser-base arch/x86/mm/pgtable.c
--- a/arch/x86/mm/pgtable.c~kaiser-base 2017-11-08 10:45:29.883681394 -0800
+++ b/arch/x86/mm/pgtable.c 2017-11-08 10:45:29.894681394 -0800
@@ -354,14 +354,26 @@ static inline void _pgd_free(pgd_t *pgd)
kmem_cache_free(pgd_cache, pgd);
}
#else
+
+#ifdef CONFIG_KAISER
+/*
+ * Instead of one pgd, we aquire two pgds. Being order-1, it is
+ * both 8k in size and 8k-aligned. That lets us just flip bit 12
+ * in a pointer to swap between the two 4k halves.
+ */
+#define PGD_ALLOCATION_ORDER 1
+#else
+#define PGD_ALLOCATION_ORDER 0
+#endif
+
static inline pgd_t *_pgd_alloc(void)
{
- return (pgd_t *)__get_free_page(PGALLOC_GFP);
+ return (pgd_t *)__get_free_pages(PGALLOC_GFP, PGD_ALLOCATION_ORDER);
}
static inline void _pgd_free(pgd_t *pgd)
{
- free_page((unsigned long)pgd);
+ free_pages((unsigned long)pgd, PGD_ALLOCATION_ORDER);
}
#endif /* CONFIG_X86_PAE */
diff -puN /dev/null Documentation/x86/kaiser.txt
--- /dev/null 2017-11-06 07:51:38.702108459 -0800
+++ b/Documentation/x86/kaiser.txt 2017-11-08 10:45:29.894681394 -0800
@@ -0,0 +1,160 @@
+Overview
+========
+
+KAISER is a countermeasure against attacks on kernel address
+information. There are at least three existing, published,
+approaches using the shared user/kernel mapping and hardware features
+to defeat KASLR. One approach referenced in the paper locates the
+kernel by observing differences in page fault timing between
+present-but-inaccessable kernel pages and non-present pages.
+
+When we enter the kernel via syscalls, interrupts or exceptions,
+page tables are switched to the full "kernel" copy. When the
+system switches back to user mode, the user/shadow copy is used.
+
+The minimalistic kernel portion of the user page tables try to
+map only what is needed to enter/exit the kernel such as the
+entry/exit functions themselves and the interrupt descriptor
+table (IDT).
+
+This helps ensure that side-channel attacks that leverage the
+paging structures do not function when KAISER is enabled. It
+can be enabled by setting CONFIG_KAISER=y
+
+Page Table Management
+=====================
+
+KAISER logically keeps a "copy" of the page tables which unmap
+the kernel while in userspace. The kernel manages the page
+tables as normal, but the "copying" is done with a few tricks
+that mean that we do not have to manage two full copies.
+
+The first trick is that for any any new kernel mapping, we
+presume that we do not want it mapped to userspace. That means
+we normally have no copying to do. We only copy the kernel
+entries over to the shadow in response to a kaiser_add_*()
+call which is rare.
+
+For a new userspace mapping, the kernel makes the entries in
+its page tables like normal. The only difference is when the
+kernel makes entries in the top (PGD) level. In addition to
+setting the entry in the main kernel PGD, a copy if the entry
+is made in the shadow PGD.
+
+PGD entries always point to another page table. Two PGD
+entries pointing to the same thing gives us shared page tables
+for all the lower entries. This leaves a single, shared set of
+userspace page tables to manage. One PTE to lock, one set set
+of accessed bits, dirty bits, etc...
+
+Overhead
+========
+
+Protection against side-channel attacks is important. But,
+this protection comes at a cost:
+
+1. Increased Memory Use
+ a. Each process now needs an order-1 PGD instead of order-0.
+ (Consumes 4k per process).
+ b. The pre-allocated second-level (p4d or pud) kernel page
+ table pages cost ~1MB of additional memory at boot. This
+ is not totally wasted because some of these pages would
+ have been needed eventually for normal kernel page tables
+ and things in the vmalloc() area like vmemmap[].
+ c. Statically-allocated structures and entry/exit text must
+ be padded out to 4k (or 8k for PGDs) so they can be mapped
+ into the user page tables. This bloats the kernel image
+ by ~20-30k.
+ d. The shadow page tables eventually grow to map all of used
+ vmalloc() space. They can have roughly the same memory
+ consumption as the vmalloc() page tables.
+
+2. Runtime Cost
+ a. CR3 manipulation to switch between the page table copies
+ must be done at interrupt, syscall, and exception entry
+ and exit (it can be skipped when the kernel is interrupted,
+ though.) Moves to CR3 are on the order of a hundred
+ cycles, and we need one at entry and another at exit.
+ b. Task stacks must be mapped/unmapped. We need to walk
+ and modify the shadow page tables at fork() and exit().
+ c. Global pages are disabled. This feature of the MMU
+ allows different processes to share TLB entries mapping
+ the kernel. Losing the feature means potentially more
+ TLB misses after a context switch.
+ d. Process Context IDentifiers (PCID) is a CPU feature that
+ allows us to skip flushing the entire TLB when we switch
+ the page tables. This makes switching the page tables
+ (at context switch, or kernel entry/exit) cheaper. But,
+ on systems with PCID support, the context switch code
+ must flush both the user and kernel entries out of the
+ TLB, with an INVPCID in addition to the CR3 write. This
+ INVPCID is generally slower than a CR3 write, but still
+ on the order of a hundred cycles.
+ e. The shadow page tables must be populated for each new
+ process. Even without KAISER, since we share all of the
+ kernel mappings in all processes, we can do all this
+ population for kernel addresses at the top level of the
+ page tables (the PGD level). But, with KAISER, we now
+ have *two* kernel mappings: one in the kernel page tables
+ that maps everything and one in the user/shadow page
+ tables mapping the "minimal" kernel. At fork(), we
+ copy the portion of the shadow PGD that maps the minimal
+ kernel structures in addition to the normal kernel one.
+ f. In addition to the fork()-time copying, we must also
+ update the shadow PGD any time a set_pgd() is done on a
+ PGD used to map userspace. This ensures that the kernel
+ and user/shadow copies always map the same userspace
+ memory.
+ g. On systems without PCID support, each CR3 write flushes
+ the entire TLB. That means that each syscall, interrupt
+ or exception flushes the TLB.
+
+Possible Future Work:
+1. We can be more careful about not actually writing to CR3
+ unless we actually switch it.
+2. Try to have dedicated entry/exit kernel stacks so we do
+ not have to map/unmap the task/thread stacks.
+3. Compress the user/shadow-mapped data to be mapped together
+ underneath a single PGD entry.
+4. Re-enable global pages, but use them for mappings in the
+ user/shadow page tables. This would allow the kernel to
+ take advantage of TLB entries that were established from
+ the user page tables. This might speed up the entry/exit
+ code or userspace since it will not have to reload all of
+ its TLB entries. However, its upside is limited by PCID
+ being used.
+5. Allow KAISER to enabled/disabled at runtime so folks can
+ run a single kernel image.
+
+Debugging:
+
+Bugs in KAISER cause a few different signatures of crashes
+that are worth noting here.
+
+ * Crashes in early boot, especially around CPU bringup. Bugs
+ in the trampoline code or mappings cause these.
+ * Crashes at the first interrupt. Caused by bugs in entry_64.S,
+ like screwing up a page table switch. Also caused by
+ incorrectly mapping the IRQ handler entry code.
+ * Crashes at the first NMI. The NMI code is separate from main
+ interrupt handlers and can have bugs that do not affect
+ normal interrupts. Also caused by incorrectly mapping NMI
+ code. NMIs that interrupt the entry code must be very
+ careful and can be the cause of crashes that show up when
+ running perf.
+ * Kernel crashes at the first exit to userspace. entry_64.S
+ bugs, or failing to map some of the exit code.
+ * Crashes at first interrupt that interrupts userspace. The paths
+ in entry_64.S that return to userspace are sometimes separate
+ from the ones that return to the kernel.
+ * Double faults: overflowing the kernel stack because of page
+ faults upon page faults. Caused by touching non-kaiser-mapped
+ data in the entry code, or forgetting to switch to kernel
+ CR3 before calling into C functions which are not kaiser-mapped.
+ * Failures of the selftests/x86 code. Usually a bug in one of the
+ more obscure corners of entry_64.S
+ * Userspace segfaults early in boot, sometimes manifesting
+ as mount(8) failing to mount the rootfs. These have
+ tended to be TLB invalidation issues. Usually invalidating
+ the wrong PCID, or otherwise missing an invalidation.
+
diff -puN /dev/null include/linux/kaiser.h
--- /dev/null 2017-11-06 07:51:38.702108459 -0800
+++ b/include/linux/kaiser.h 2017-11-08 10:45:29.895681394 -0800
@@ -0,0 +1,29 @@
+#ifndef _INCLUDE_KAISER_H
+#define _INCLUDE_KAISER_H
+
+#ifdef CONFIG_KAISER
+#include <asm/kaiser.h>
+#else
+
+/*
+ * These stubs are used whenever CONFIG_KAISER is off, which
+ * includes architectures that support KAISER, but have it
+ * disabled.
+ */
+
+static inline void kaiser_init(void)
+{
+}
+
+static inline void kaiser_remove_mapping(unsigned long start, unsigned long size)
+{
+}
+
+static inline int kaiser_add_mapping(unsigned long addr, unsigned long size,
+ unsigned long flags)
+{
+ return 0;
+}
+
+#endif /* !CONFIG_KAISER */
+#endif /* _INCLUDE_KAISER_H */
diff -puN init/main.c~kaiser-base init/main.c
--- a/init/main.c~kaiser-base 2017-11-08 10:45:29.885681394 -0800
+++ b/init/main.c 2017-11-08 10:45:29.895681394 -0800
@@ -75,6 +75,7 @@
#include <linux/slab.h>
#include <linux/perf_event.h>
#include <linux/ptrace.h>
+#include <linux/kaiser.h>
#include <linux/blkdev.h>
#include <linux/elevator.h>
#include <linux/sched_clock.h>
@@ -504,6 +505,8 @@ static void __init mm_init(void)
pgtable_init();
vmalloc_init();
ioremap_huge_init();
+ /* This just needs to be done before we first run userspace: */
+ kaiser_init();
}
asmlinkage __visible void __init start_kernel(void)
diff -puN kernel/fork.c~kaiser-base kernel/fork.c
--- a/kernel/fork.c~kaiser-base 2017-11-08 10:45:29.887681394 -0800
+++ b/kernel/fork.c 2017-11-08 10:45:29.896681394 -0800
@@ -70,6 +70,7 @@
#include <linux/tsacct_kern.h>
#include <linux/cn_proc.h>
#include <linux/freezer.h>
+#include <linux/kaiser.h>
#include <linux/delayacct.h>
#include <linux/taskstats_kern.h>
#include <linux/random.h>
_
^ permalink raw reply [flat|nested] 64+ messages in thread* Re: [PATCH 08/30] x86, kaiser: unmap kernel from userspace page tables (core patch)
2017-11-08 19:47 ` [PATCH 08/30] x86, kaiser: unmap kernel from userspace page tables (core patch) Dave Hansen
@ 2017-11-10 12:57 ` Ingo Molnar
0 siblings, 0 replies; 64+ messages in thread
From: Ingo Molnar @ 2017-11-10 12:57 UTC (permalink / raw)
To: Dave Hansen
Cc: linux-kernel, linux-mm, richard.fellner, moritz.lipp,
daniel.gruss, michael.schwarz, luto, torvalds, keescook, hughd,
x86
* Dave Hansen <dave.hansen@linux.intel.com> wrote:
> From: Dave Hansen <dave.hansen@linux.intel.com>
>
> These patches are based on work from a team at Graz University of
> Technology: https://github.com/IAIK/KAISER . This work would not have
> been possible without their work as a starting point.
> Note: The original KAISER authors signed-off on their patch. Some of
> their code has been broken out into other patches in this series, but
> their SoB was only retained here.
>
> Signed-off-by: Richard Fellner <richard.fellner@student.tugraz.at>
> Signed-off-by: Moritz Lipp <moritz.lipp@iaik.tugraz.at>
> Signed-off-by: Daniel Gruss <daniel.gruss@iaik.tugraz.at>
> Signed-off-by: Michael Schwarz <michael.schwarz@iaik.tugraz.at>
> Signed-off-by: Dave Hansen <dave.hansen@linux.intel.com>
That's not how SOB chains should be used normally - nor does the current code have
much resemblance to the original code.
So you credit them in the file:
> --- /dev/null 2017-11-06 07:51:38.702108459 -0800
> +++ b/arch/x86/mm/kaiser.c 2017-11-08 10:45:29.893681394 -0800
> @@ -0,0 +1,412 @@
> +/*
> + * Copyright(c) 2017 Intel Corporation. All rights reserved.
> + *
> + * This program is free software; you can redistribute it and/or modify
> + * it under the terms of version 2 of the GNU General Public License as
> + * published by the Free Software Foundation.
> + *
> + * This program is distributed in the hope that it will be useful, but
> + * WITHOUT ANY WARRANTY; without even the implied warranty of
> + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
> + * General Public License for more details.
> + *
> + * Based on work published here: https://github.com/IAIK/KAISER
> + * Modified by Dave Hansen <dave.hansen@intel.com to actually work.
You could credit the original authors via something like:
/*
* The original KAISER patch, on which this code is based in part, was
* written by and signed off by for the Linux kernel by:
*
* Signed-off-by: Richard Fellner <richard.fellner@student.tugraz.at>
* Signed-off-by: Moritz Lipp <moritz.lipp@iaik.tugraz.at>
* Signed-off-by: Daniel Gruss <daniel.gruss@iaik.tugraz.at>
* Signed-off-by: Michael Schwarz <michael.schwarz@iaik.tugraz.at>
*
* At:
*
* https://github.com/IAIK/KAISER
*/
Or something like that - but the original SOBs should not be carried over as-is
into the commit log entry.
Thanks,
Ingo
^ permalink raw reply [flat|nested] 64+ messages in thread
* [PATCH 09/30] x86, kaiser: only populate shadow page tables for userspace
2017-11-08 19:46 [PATCH 00/30] [v2] KAISER: unmap most of the kernel from userspace page tables Dave Hansen
` (7 preceding siblings ...)
2017-11-08 19:47 ` [PATCH 08/30] x86, kaiser: unmap kernel from userspace page tables (core patch) Dave Hansen
@ 2017-11-08 19:47 ` Dave Hansen
2017-11-08 19:47 ` [PATCH 10/30] x86, kaiser: allow NX to be set in p4d/pgd Dave Hansen
` (20 subsequent siblings)
29 siblings, 0 replies; 64+ messages in thread
From: Dave Hansen @ 2017-11-08 19:47 UTC (permalink / raw)
To: linux-kernel
Cc: linux-mm, dave.hansen, moritz.lipp, daniel.gruss,
michael.schwarz, richard.fellner, luto, torvalds, keescook,
hughd, x86
From: Dave Hansen <dave.hansen@linux.intel.com>
KAISER has two copies of the page tables: one for the kernel and
one for when we are running in userspace. There is also a kernel
portion of each of the page tables: the part that *maps* the
kernel.
The kernel portion is relatively static and uses pre-populated
PGDs. Nobody ever calls set_pgd() on the kernel portion during
normal operation.
The userspace portion of the page tables is updated frequently as
userspace pages are mapped and we demand-allocate page table
pages. These updates of the userspace *portion* of the tables
need to be reflected into both the kernel and user/shadow copies.
The original KAISER patches did this by effectively looking at
the address that we are updating *for*. If it is <PAGE_OFFSET,
we are doing an update for the userspace portion of the page
tables and must make an entry in the shadow. We also make the
kernel copy if this new entry unusable for userspace.
However, this has a wrinkle: we have a few places where we use
low addresses in supervisor (kernel) mode. When we make EFI
calls, we they use traditionaly user addresses in supervisor mode
and trip over these checks. The trampoline code that we use for
booting secondary CPUs has a similar issue.
Remember, we need to do two things for a userspace PGD: populate
the shadow and sabotage the kernel PGD so it can not be used in
userspace. This patch fixes the wrinkle by only doing those two
things when we are dealing with a user address *and* the PGD has
_PAGE_USER set. That way, we do not accidentally sabotage the
in-kernel users of low addresses that are typically used only for
userspace.
Signed-off-by: Dave Hansen <dave.hansen@linux.intel.com>
Cc: Moritz Lipp <moritz.lipp@iaik.tugraz.at>
Cc: Daniel Gruss <daniel.gruss@iaik.tugraz.at>
Cc: Michael Schwarz <michael.schwarz@iaik.tugraz.at>
Cc: Richard Fellner <richard.fellner@student.tugraz.at>
Cc: Andy Lutomirski <luto@kernel.org>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Kees Cook <keescook@google.com>
Cc: Hugh Dickins <hughd@google.com>
Cc: x86@kernel.org
---
b/arch/x86/include/asm/pgtable_64.h | 94 +++++++++++++++++++++++-------------
1 file changed, 61 insertions(+), 33 deletions(-)
diff -puN arch/x86/include/asm/pgtable_64.h~kaiser-set-pgd-careful-plus-NX arch/x86/include/asm/pgtable_64.h
--- a/arch/x86/include/asm/pgtable_64.h~kaiser-set-pgd-careful-plus-NX 2017-11-08 10:45:30.776681391 -0800
+++ b/arch/x86/include/asm/pgtable_64.h 2017-11-08 10:45:30.779681391 -0800
@@ -177,38 +177,76 @@ static inline p4d_t *native_get_normal_p
/*
* Page table pages are page-aligned. The lower half of the top
* level is used for userspace and the top half for the kernel.
- * This returns true for user pages that need to get copied into
- * both the user and kernel copies of the page tables, and false
- * for kernel pages that should only be in the kernel copy.
+ *
+ * Returns true for parts of the PGD that map userspace and
+ * false for the parts that map the kernel.
*/
-static inline bool is_userspace_pgd(void *__ptr)
+static inline bool pgdp_maps_userspace(void *__ptr)
{
unsigned long ptr = (unsigned long)__ptr;
return ((ptr % PAGE_SIZE) < (PAGE_SIZE / 2));
}
+/*
+ * Does this PGD allow access via userspace?
+ */
+static inline bool pgd_userspace_access(pgd_t pgd)
+{
+ return (pgd.pgd & _PAGE_USER);
+}
+
+/*
+ * Returns the pgd_t that the kernel should use in its page tables.
+ */
+static inline pgd_t kaiser_set_shadow_pgd(pgd_t *pgdp, pgd_t pgd)
+{
+#ifdef CONFIG_KAISER
+ if (pgd_userspace_access(pgd)) {
+ if (pgdp_maps_userspace(pgdp)) {
+ /*
+ * The user/shadow page tables get the full
+ * PGD, accessible to userspace:
+ */
+ native_get_shadow_pgd(pgdp)->pgd = pgd.pgd;
+ /*
+ * For the copy of the pgd that the kernel
+ * uses, make it unusable to userspace. This
+ * ensures if we get out to userspace with the
+ * wrong CR3 value, userspace will crash
+ * instead of running.
+ */
+ pgd.pgd |= _PAGE_NX;
+ }
+ } else if (!pgd.pgd) {
+ /*
+ * We are clearing the PGD and can not check _PAGE_USER
+ * in the zero'd PGD. We never do this on the
+ * pre-populated kernel PGDs, except for pgd_bad().
+ */
+ if (pgdp_maps_userspace(pgdp)) {
+ native_get_shadow_pgd(pgdp)->pgd = pgd.pgd;
+ } else {
+ /*
+ * Uh, we are very confused. We have been
+ * asked to clear a PGD that is in the kernel
+ * part of the address space. We preallocated
+ * all the KAISER PGDs, so this should never
+ * happen.
+ */
+ WARN_ON_ONCE(1);
+ }
+ }
+#endif
+ /* return the copy of the PGD we want the kernel to use: */
+ return pgd;
+}
+
+
static inline void native_set_p4d(p4d_t *p4dp, p4d_t p4d)
{
#if defined(CONFIG_KAISER) && !defined(CONFIG_X86_5LEVEL)
- /*
- * set_pgd() does not get called when we are running
- * CONFIG_X86_5LEVEL=y. So, just hack around it. We
- * know here that we have a p4d but that it is really at
- * the top level of the page tables; it is really just a
- * pgd.
- */
- /* Do we need to also populate the shadow p4d? */
- if (is_userspace_pgd(p4dp))
- native_get_shadow_p4d(p4dp)->pgd = p4d.pgd;
- /*
- * Even if the entry is *mapping* userspace, ensure
- * that userspace can not use it. This way, if we
- * get out to userspace with the wrong CR3 value,
- * userspace will crash instead of running.
- */
- if (!p4d.pgd.pgd)
- p4dp->pgd.pgd = p4d.pgd.pgd | _PAGE_NX;
+ p4dp->pgd = kaiser_set_shadow_pgd(&p4dp->pgd, p4d.pgd);
#else /* CONFIG_KAISER */
*p4dp = p4d;
#endif
@@ -226,17 +264,7 @@ static inline void native_p4d_clear(p4d_
static inline void native_set_pgd(pgd_t *pgdp, pgd_t pgd)
{
#ifdef CONFIG_KAISER
- /* Do we need to also populate the shadow pgd? */
- if (is_userspace_pgd(pgdp))
- native_get_shadow_pgd(pgdp)->pgd = pgd.pgd;
- /*
- * Even if the entry is mapping userspace, ensure
- * that it is unusable for userspace. This way,
- * if we get out to userspace with the wrong CR3
- * value, userspace will crash instead of running.
- */
- if (!pgd_none(pgd))
- pgdp->pgd = pgd.pgd | _PAGE_NX;
+ *pgdp = kaiser_set_shadow_pgd(pgdp, pgd);
#else /* CONFIG_KAISER */
*pgdp = pgd;
#endif
_
^ permalink raw reply [flat|nested] 64+ messages in thread* [PATCH 10/30] x86, kaiser: allow NX to be set in p4d/pgd
2017-11-08 19:46 [PATCH 00/30] [v2] KAISER: unmap most of the kernel from userspace page tables Dave Hansen
` (8 preceding siblings ...)
2017-11-08 19:47 ` [PATCH 09/30] x86, kaiser: only populate shadow page tables for userspace Dave Hansen
@ 2017-11-08 19:47 ` Dave Hansen
2017-11-08 19:47 ` [PATCH 11/30] x86, kaiser: make sure static PGDs are 8k in size Dave Hansen
` (19 subsequent siblings)
29 siblings, 0 replies; 64+ messages in thread
From: Dave Hansen @ 2017-11-08 19:47 UTC (permalink / raw)
To: linux-kernel
Cc: linux-mm, dave.hansen, moritz.lipp, daniel.gruss,
michael.schwarz, richard.fellner, luto, torvalds, keescook,
hughd, x86
From: Dave Hansen <dave.hansen@linux.intel.com>
We protect user portion of the kernel page tables with the NX
bit to cripple it. But, that trips the p4d/pgd_bad() checks.
Make sure it does not do that.
Signed-off-by: Dave Hansen <dave.hansen@linux.intel.com>
Cc: Moritz Lipp <moritz.lipp@iaik.tugraz.at>
Cc: Daniel Gruss <daniel.gruss@iaik.tugraz.at>
Cc: Michael Schwarz <michael.schwarz@iaik.tugraz.at>
Cc: Richard Fellner <richard.fellner@student.tugraz.at>
Cc: Andy Lutomirski <luto@kernel.org>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Kees Cook <keescook@google.com>
Cc: Hugh Dickins <hughd@google.com>
Cc: x86@kernel.org
---
b/arch/x86/include/asm/pgtable.h | 14 ++++++++++++--
1 file changed, 12 insertions(+), 2 deletions(-)
diff -puN arch/x86/include/asm/pgtable.h~kaiser-p4d-allow-nx arch/x86/include/asm/pgtable.h
--- a/arch/x86/include/asm/pgtable.h~kaiser-p4d-allow-nx 2017-11-08 10:45:31.308681390 -0800
+++ b/arch/x86/include/asm/pgtable.h 2017-11-08 10:45:31.312681390 -0800
@@ -845,7 +845,12 @@ static inline pud_t *pud_offset(p4d_t *p
static inline int p4d_bad(p4d_t p4d)
{
- return (p4d_flags(p4d) & ~(_KERNPG_TABLE | _PAGE_USER)) != 0;
+ unsigned long ignore_flags = _KERNPG_TABLE | _PAGE_USER;
+
+ if (IS_ENABLED(CONFIG_KAISER))
+ ignore_flags |= _PAGE_NX;
+
+ return (p4d_flags(p4d) & ~ignore_flags) != 0;
}
#endif /* CONFIG_PGTABLE_LEVELS > 3 */
@@ -879,7 +884,12 @@ static inline p4d_t *p4d_offset(pgd_t *p
static inline int pgd_bad(pgd_t pgd)
{
- return (pgd_flags(pgd) & ~_PAGE_USER) != _KERNPG_TABLE;
+ unsigned long ignore_flags = _PAGE_USER;
+
+ if (IS_ENABLED(CONFIG_KAISER))
+ ignore_flags |= _PAGE_NX;
+
+ return (pgd_flags(pgd) & ~ignore_flags) != _KERNPG_TABLE;
}
static inline int pgd_none(pgd_t pgd)
_
^ permalink raw reply [flat|nested] 64+ messages in thread* [PATCH 11/30] x86, kaiser: make sure static PGDs are 8k in size
2017-11-08 19:46 [PATCH 00/30] [v2] KAISER: unmap most of the kernel from userspace page tables Dave Hansen
` (9 preceding siblings ...)
2017-11-08 19:47 ` [PATCH 10/30] x86, kaiser: allow NX to be set in p4d/pgd Dave Hansen
@ 2017-11-08 19:47 ` Dave Hansen
2017-11-08 19:47 ` [PATCH 12/30] x86, kaiser: map GDT into user page tables Dave Hansen
` (18 subsequent siblings)
29 siblings, 0 replies; 64+ messages in thread
From: Dave Hansen @ 2017-11-08 19:47 UTC (permalink / raw)
To: linux-kernel
Cc: linux-mm, dave.hansen, moritz.lipp, daniel.gruss,
michael.schwarz, richard.fellner, luto, torvalds, keescook,
hughd, x86
From: Dave Hansen <dave.hansen@linux.intel.com>
We have a few PGDs that come out of the kernel binary instead of being
allocated dynamically. Before this patch, they are all 8k-aligned,
but we also need them to be 8k in *size*e
The original KAISER patch did not do this. It probably just lucked out
that it did not trample over data after the last PGD.
Signed-off-by: Dave Hansen <dave.hansen@linux.intel.com>
Cc: Moritz Lipp <moritz.lipp@iaik.tugraz.at>
Cc: Daniel Gruss <daniel.gruss@iaik.tugraz.at>
Cc: Michael Schwarz <michael.schwarz@iaik.tugraz.at>
Cc: Richard Fellner <richard.fellner@student.tugraz.at>
Cc: Andy Lutomirski <luto@kernel.org>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Kees Cook <keescook@google.com>
Cc: Hugh Dickins <hughd@google.com>
Cc: x86@kernel.org
---
b/arch/x86/kernel/head_64.S | 16 ++++++++++++++++
1 file changed, 16 insertions(+)
diff -puN arch/x86/kernel/head_64.S~kaiser-head_S-pgds-need-8k-too arch/x86/kernel/head_64.S
--- a/arch/x86/kernel/head_64.S~kaiser-head_S-pgds-need-8k-too 2017-11-08 10:45:31.840681389 -0800
+++ b/arch/x86/kernel/head_64.S 2017-11-08 10:45:31.843681389 -0800
@@ -340,11 +340,24 @@ GLOBAL(early_recursion_flag)
GLOBAL(name)
#ifdef CONFIG_KAISER
+/*
+ * Each PGD needs to be 8k long and 8k aligned. We do not
+ * ever go out to userspace with these, so we do not
+ * strictly *need* the second page, but this allows us to
+ * have a single set_pgd() implementation that does not
+ * need to worry about whether it has 4k or 8k to work
+ * with.
+ *
+ * This ensures PGDs are 8k long:
+ */
+#define KAISER_USER_PGD_FILL 512
+/* This ensures they are 8k-aligned: */
#define NEXT_PGD_PAGE(name) \
.balign 2 * PAGE_SIZE; \
GLOBAL(name)
#else
#define NEXT_PGD_PAGE(name) NEXT_PAGE(name)
+#define KAISER_USER_PGD_FILL 0
#endif
/* Automate the creation of 1 to 1 mapping pmd entries */
@@ -363,6 +376,7 @@ NEXT_PGD_PAGE(early_top_pgt)
#else
.quad level3_kernel_pgt - __START_KERNEL_map + _PAGE_TABLE_NOENC
#endif
+ .fill KAISER_USER_PGD_FILL,8,0
NEXT_PAGE(early_dynamic_pgts)
.fill 512*EARLY_DYNAMIC_PAGE_TABLES,8,0
@@ -372,6 +386,7 @@ NEXT_PAGE(early_dynamic_pgts)
#ifndef CONFIG_XEN
NEXT_PGD_PAGE(init_top_pgt)
.fill 512,8,0
+ .fill KAISER_USER_PGD_FILL,8,0
#else
NEXT_PGD_PAGE(init_top_pgt)
.quad level3_ident_pgt - __START_KERNEL_map + _KERNPG_TABLE_NOENC
@@ -380,6 +395,7 @@ NEXT_PGD_PAGE(init_top_pgt)
.org init_top_pgt + PGD_START_KERNEL*8, 0
/* (2^48-(2*1024*1024*1024))/(2^39) = 511 */
.quad level3_kernel_pgt - __START_KERNEL_map + _PAGE_TABLE_NOENC
+ .fill KAISER_USER_PGD_FILL,8,0
NEXT_PAGE(level3_ident_pgt)
.quad level2_ident_pgt - __START_KERNEL_map + _KERNPG_TABLE_NOENC
_
^ permalink raw reply [flat|nested] 64+ messages in thread* [PATCH 12/30] x86, kaiser: map GDT into user page tables
2017-11-08 19:46 [PATCH 00/30] [v2] KAISER: unmap most of the kernel from userspace page tables Dave Hansen
` (10 preceding siblings ...)
2017-11-08 19:47 ` [PATCH 11/30] x86, kaiser: make sure static PGDs are 8k in size Dave Hansen
@ 2017-11-08 19:47 ` Dave Hansen
2017-11-08 19:47 ` [PATCH 13/30] x86, kaiser: map dynamically-allocated LDTs Dave Hansen
` (17 subsequent siblings)
29 siblings, 0 replies; 64+ messages in thread
From: Dave Hansen @ 2017-11-08 19:47 UTC (permalink / raw)
To: linux-kernel
Cc: linux-mm, dave.hansen, moritz.lipp, daniel.gruss,
michael.schwarz, richard.fellner, luto, torvalds, keescook,
hughd, x86
From: Dave Hansen <dave.hansen@linux.intel.com>
The GDT is used to control the x86 segmentation mechanism. It
must be virtually mapped when switching segments or at IRET
time when switching between userspace and kernel.
The original KAISER patch did not do this. I have no ide how
it ever worked.
Signed-off-by: Dave Hansen <dave.hansen@linux.intel.com>
Cc: Moritz Lipp <moritz.lipp@iaik.tugraz.at>
Cc: Daniel Gruss <daniel.gruss@iaik.tugraz.at>
Cc: Michael Schwarz <michael.schwarz@iaik.tugraz.at>
Cc: Richard Fellner <richard.fellner@student.tugraz.at>
Cc: Andy Lutomirski <luto@kernel.org>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Kees Cook <keescook@google.com>
Cc: Hugh Dickins <hughd@google.com>
Cc: x86@kernel.org
---
b/arch/x86/kernel/cpu/common.c | 15 +++++++++++++++
b/arch/x86/mm/kaiser.c | 10 ++++++++++
2 files changed, 25 insertions(+)
diff -puN arch/x86/kernel/cpu/common.c~kaiser-user-map-gdt-pages arch/x86/kernel/cpu/common.c
--- a/arch/x86/kernel/cpu/common.c~kaiser-user-map-gdt-pages 2017-11-08 10:45:32.375681387 -0800
+++ b/arch/x86/kernel/cpu/common.c 2017-11-08 10:45:32.380681387 -0800
@@ -5,6 +5,7 @@
#include <linux/export.h>
#include <linux/percpu.h>
#include <linux/string.h>
+#include <linux/kaiser.h>
#include <linux/ctype.h>
#include <linux/delay.h>
#include <linux/sched/mm.h>
@@ -487,6 +488,20 @@ static inline void setup_fixmap_gdt(int
#endif
__set_fixmap(get_cpu_gdt_ro_index(cpu), get_cpu_gdt_paddr(cpu), prot);
+
+ /* CPU 0's mapping is done in kaiser_init() */
+ if (cpu) {
+ int ret;
+
+ ret = kaiser_add_mapping((unsigned long) get_cpu_gdt_ro(cpu),
+ PAGE_SIZE, __PAGE_KERNEL_RO);
+ /*
+ * We do not have a good way to fail CPU bringup.
+ * Just WARN about it and hope we boot far enough
+ * to get a good log out.
+ */
+ WARN_ON(ret);
+ }
}
/* Load the original GDT from the per-cpu structure */
diff -puN arch/x86/mm/kaiser.c~kaiser-user-map-gdt-pages arch/x86/mm/kaiser.c
--- a/arch/x86/mm/kaiser.c~kaiser-user-map-gdt-pages 2017-11-08 10:45:32.376681387 -0800
+++ b/arch/x86/mm/kaiser.c 2017-11-08 10:45:32.380681387 -0800
@@ -361,6 +361,16 @@ void __init kaiser_init(void)
kaiser_add_user_map_early((void *)idt_descr.address,
sizeof(gate_desc) * NR_VECTORS,
__PAGE_KERNEL_RO | _PAGE_GLOBAL);
+
+ /*
+ * We could theoretically do this in setup_fixmap_gdt().
+ * But, we would need to rewrite the above page table
+ * allocation code to use the bootmem allocator. The
+ * buddy allocator is not available at the time that we
+ * call setup_fixmap_gdt() for CPU 0.
+ */
+ kaiser_add_user_map_early(get_cpu_gdt_ro(0), PAGE_SIZE,
+ __PAGE_KERNEL_RO | _PAGE_GLOBAL);
}
int kaiser_add_mapping(unsigned long addr, unsigned long size,
_
^ permalink raw reply [flat|nested] 64+ messages in thread* [PATCH 13/30] x86, kaiser: map dynamically-allocated LDTs
2017-11-08 19:46 [PATCH 00/30] [v2] KAISER: unmap most of the kernel from userspace page tables Dave Hansen
` (11 preceding siblings ...)
2017-11-08 19:47 ` [PATCH 12/30] x86, kaiser: map GDT into user page tables Dave Hansen
@ 2017-11-08 19:47 ` Dave Hansen
2017-11-08 19:47 ` [PATCH 14/30] x86, kaiser: map espfix structures Dave Hansen
` (16 subsequent siblings)
29 siblings, 0 replies; 64+ messages in thread
From: Dave Hansen @ 2017-11-08 19:47 UTC (permalink / raw)
To: linux-kernel
Cc: linux-mm, dave.hansen, moritz.lipp, daniel.gruss,
michael.schwarz, richard.fellner, luto, torvalds, keescook,
hughd, x86
From: Dave Hansen <dave.hansen@linux.intel.com>
Normally, a process just has a NULL mm->context.ldt. But, we
have a syscall for a process to set a new one. If a process does
that, we need to map the new LDT.
The original KAISER patch missed this case.
Signed-off-by: Dave Hansen <dave.hansen@linux.intel.com>
Cc: Moritz Lipp <moritz.lipp@iaik.tugraz.at>
Cc: Daniel Gruss <daniel.gruss@iaik.tugraz.at>
Cc: Michael Schwarz <michael.schwarz@iaik.tugraz.at>
Cc: Richard Fellner <richard.fellner@student.tugraz.at>
Cc: Andy Lutomirski <luto@kernel.org>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Kees Cook <keescook@google.com>
Cc: Hugh Dickins <hughd@google.com>
Cc: x86@kernel.org
---
b/arch/x86/kernel/ldt.c | 25 ++++++++++++++++++++-----
1 file changed, 20 insertions(+), 5 deletions(-)
diff -puN arch/x86/kernel/ldt.c~kaiser-user-map-new-ldts arch/x86/kernel/ldt.c
--- a/arch/x86/kernel/ldt.c~kaiser-user-map-new-ldts 2017-11-08 10:45:32.935681386 -0800
+++ b/arch/x86/kernel/ldt.c 2017-11-08 10:45:32.938681386 -0800
@@ -10,6 +10,7 @@
#include <linux/gfp.h>
#include <linux/sched.h>
#include <linux/string.h>
+#include <linux/kaiser.h>
#include <linux/mm.h>
#include <linux/smp.h>
#include <linux/syscalls.h>
@@ -56,11 +57,21 @@ static void flush_ldt(void *__mm)
refresh_ldt_segments();
}
+static void __free_ldt_struct(struct ldt_struct *ldt)
+{
+ if (ldt->nr_entries * LDT_ENTRY_SIZE > PAGE_SIZE)
+ vfree_atomic(ldt->entries);
+ else
+ free_page((unsigned long)ldt->entries);
+ kfree(ldt);
+}
+
/* The caller must call finalize_ldt_struct on the result. LDT starts zeroed. */
static struct ldt_struct *alloc_ldt_struct(unsigned int num_entries)
{
struct ldt_struct *new_ldt;
unsigned int alloc_size;
+ int ret;
if (num_entries > LDT_ENTRIES)
return NULL;
@@ -88,6 +99,12 @@ static struct ldt_struct *alloc_ldt_stru
return NULL;
}
+ ret = kaiser_add_mapping((unsigned long)new_ldt->entries, alloc_size,
+ __PAGE_KERNEL | _PAGE_GLOBAL);
+ if (ret) {
+ __free_ldt_struct(new_ldt);
+ return NULL;
+ }
new_ldt->nr_entries = num_entries;
return new_ldt;
}
@@ -114,12 +131,10 @@ static void free_ldt_struct(struct ldt_s
if (likely(!ldt))
return;
+ kaiser_remove_mapping((unsigned long)ldt->entries,
+ ldt->nr_entries * LDT_ENTRY_SIZE);
paravirt_free_ldt(ldt->entries, ldt->nr_entries);
- if (ldt->nr_entries * LDT_ENTRY_SIZE > PAGE_SIZE)
- vfree_atomic(ldt->entries);
- else
- free_page((unsigned long)ldt->entries);
- kfree(ldt);
+ __free_ldt_struct(ldt);
}
/*
_
^ permalink raw reply [flat|nested] 64+ messages in thread* [PATCH 14/30] x86, kaiser: map espfix structures
2017-11-08 19:46 [PATCH 00/30] [v2] KAISER: unmap most of the kernel from userspace page tables Dave Hansen
` (12 preceding siblings ...)
2017-11-08 19:47 ` [PATCH 13/30] x86, kaiser: map dynamically-allocated LDTs Dave Hansen
@ 2017-11-08 19:47 ` Dave Hansen
2017-11-08 19:47 ` [PATCH 15/30] x86, kaiser: map entry stack variables Dave Hansen
` (15 subsequent siblings)
29 siblings, 0 replies; 64+ messages in thread
From: Dave Hansen @ 2017-11-08 19:47 UTC (permalink / raw)
To: linux-kernel
Cc: linux-mm, dave.hansen, moritz.lipp, daniel.gruss,
michael.schwarz, richard.fellner, luto, torvalds, keescook,
hughd, x86
From: Dave Hansen <dave.hansen@linux.intel.com>
We have some rather arcane code to help when we IRET to 16-bit
segments: the "espfix" code. This consists of a few per-cpu
variables:
espfix_stack: tells us where we allocated the stack
(the bottom)
espfix_waddr: tells us where we can actually point %rsp
and the stack itself. We need all three things mapped for this
to work.
Note: the espfix code runs with a kernel GSBASE, but user
(shadow) page tables. We could switch to the kernel page tables
here and then not have to map any of this, but just
user-pagetable-mapping is simpler. To switch over to the kernel
copy, we would need some temporary storage which is in short
supply at this point.
The original KAISER patch missed this case.
Signed-off-by: Dave Hansen <dave.hansen@linux.intel.com>
Cc: Moritz Lipp <moritz.lipp@iaik.tugraz.at>
Cc: Daniel Gruss <daniel.gruss@iaik.tugraz.at>
Cc: Michael Schwarz <michael.schwarz@iaik.tugraz.at>
Cc: Richard Fellner <richard.fellner@student.tugraz.at>
Cc: Andy Lutomirski <luto@kernel.org>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Kees Cook <keescook@google.com>
Cc: Hugh Dickins <hughd@google.com>
Cc: x86@kernel.org
---
b/arch/x86/kernel/espfix_64.c | 12 +++++++++---
1 file changed, 9 insertions(+), 3 deletions(-)
diff -puN arch/x86/kernel/espfix_64.c~kaiser-user-map-espfix arch/x86/kernel/espfix_64.c
--- a/arch/x86/kernel/espfix_64.c~kaiser-user-map-espfix 2017-11-08 10:45:33.465681385 -0800
+++ b/arch/x86/kernel/espfix_64.c 2017-11-08 10:45:33.469681385 -0800
@@ -33,6 +33,7 @@
#include <linux/init.h>
#include <linux/init_task.h>
+#include <linux/kaiser.h>
#include <linux/kernel.h>
#include <linux/percpu.h>
#include <linux/gfp.h>
@@ -41,7 +42,6 @@
#include <asm/pgalloc.h>
#include <asm/setup.h>
#include <asm/espfix.h>
-#include <asm/kaiser.h>
/*
* Note: we only need 6*8 = 48 bytes for the espfix stack, but round
@@ -61,8 +61,8 @@
#define PGALLOC_GFP (GFP_KERNEL | __GFP_NOTRACK | __GFP_ZERO)
/* This contains the *bottom* address of the espfix stack */
-DEFINE_PER_CPU_READ_MOSTLY(unsigned long, espfix_stack);
-DEFINE_PER_CPU_READ_MOSTLY(unsigned long, espfix_waddr);
+DEFINE_PER_CPU_USER_MAPPED(unsigned long, espfix_stack);
+DEFINE_PER_CPU_USER_MAPPED(unsigned long, espfix_waddr);
/* Initialization mutex - should this be a spinlock? */
static DEFINE_MUTEX(espfix_init_mutex);
@@ -225,4 +225,10 @@ done:
per_cpu(espfix_stack, cpu) = addr;
per_cpu(espfix_waddr, cpu) = (unsigned long)stack_page
+ (addr & ~PAGE_MASK);
+ /*
+ * _PAGE_GLOBAL is not really required. This is not a hot
+ * path, but we do it here for consistency.
+ */
+ kaiser_add_mapping((unsigned long)stack_page, PAGE_SIZE,
+ __PAGE_KERNEL | _PAGE_GLOBAL);
}
_
^ permalink raw reply [flat|nested] 64+ messages in thread* [PATCH 15/30] x86, kaiser: map entry stack variables
2017-11-08 19:46 [PATCH 00/30] [v2] KAISER: unmap most of the kernel from userspace page tables Dave Hansen
` (13 preceding siblings ...)
2017-11-08 19:47 ` [PATCH 14/30] x86, kaiser: map espfix structures Dave Hansen
@ 2017-11-08 19:47 ` Dave Hansen
2017-11-08 19:47 ` [PATCH 16/30] x86, kaiser: map trace interrupt entry Dave Hansen
` (14 subsequent siblings)
29 siblings, 0 replies; 64+ messages in thread
From: Dave Hansen @ 2017-11-08 19:47 UTC (permalink / raw)
To: linux-kernel
Cc: linux-mm, dave.hansen, moritz.lipp, daniel.gruss,
michael.schwarz, richard.fellner, luto, torvalds, keescook,
hughd, x86
From: Dave Hansen <dave.hansen@linux.intel.com>
There are times that we enter the kernel and do not have a safe
stack, like at SYSCALL entry. We use the per-cpu vairables
'rsp_scratch' and 'cpu_current_top_of_stack' to save off the old
%rsp and find a safe place to have a stack.
You can not directly manipulate the CR3 register. You can only
'MOV' to it from another register, which means we need to clobber
a register in order to do any CR3 manipulation. User-mapping these
variables allows us to obtain a safe stack *before* we switch the
CR3 value.
Signed-off-by: Dave Hansen <dave.hansen@linux.intel.com>
Cc: Moritz Lipp <moritz.lipp@iaik.tugraz.at>
Cc: Daniel Gruss <daniel.gruss@iaik.tugraz.at>
Cc: Michael Schwarz <michael.schwarz@iaik.tugraz.at>
Cc: Richard Fellner <richard.fellner@student.tugraz.at>
Cc: Andy Lutomirski <luto@kernel.org>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Kees Cook <keescook@google.com>
Cc: Hugh Dickins <hughd@google.com>
Cc: x86@kernel.org
---
b/arch/x86/kernel/cpu/common.c | 2 +-
b/arch/x86/kernel/process_64.c | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff -puN arch/x86/kernel/cpu/common.c~kaiser-user-map-stack-helper-vars arch/x86/kernel/cpu/common.c
--- a/arch/x86/kernel/cpu/common.c~kaiser-user-map-stack-helper-vars 2017-11-08 10:45:34.001681383 -0800
+++ b/arch/x86/kernel/cpu/common.c 2017-11-08 10:45:34.007681383 -0800
@@ -1447,7 +1447,7 @@ DEFINE_PER_CPU_ALIGNED(struct stack_cana
* trampoline, not the thread stack. Use an extra percpu variable to track
* the top of the kernel stack directly.
*/
-DEFINE_PER_CPU(unsigned long, cpu_current_top_of_stack) =
+DEFINE_PER_CPU_USER_MAPPED(unsigned long, cpu_current_top_of_stack) =
(unsigned long)&init_thread_union + THREAD_SIZE;
EXPORT_PER_CPU_SYMBOL(cpu_current_top_of_stack);
diff -puN arch/x86/kernel/process_64.c~kaiser-user-map-stack-helper-vars arch/x86/kernel/process_64.c
--- a/arch/x86/kernel/process_64.c~kaiser-user-map-stack-helper-vars 2017-11-08 10:45:34.003681383 -0800
+++ b/arch/x86/kernel/process_64.c 2017-11-08 10:45:34.007681383 -0800
@@ -59,7 +59,7 @@
#include <asm/unistd_32_ia32.h>
#endif
-__visible DEFINE_PER_CPU(unsigned long, rsp_scratch);
+__visible DEFINE_PER_CPU_USER_MAPPED(unsigned long, rsp_scratch);
/* Prints also some state that isn't saved in the pt_regs */
void __show_regs(struct pt_regs *regs, int all)
_
^ permalink raw reply [flat|nested] 64+ messages in thread* [PATCH 16/30] x86, kaiser: map trace interrupt entry
2017-11-08 19:46 [PATCH 00/30] [v2] KAISER: unmap most of the kernel from userspace page tables Dave Hansen
` (14 preceding siblings ...)
2017-11-08 19:47 ` [PATCH 15/30] x86, kaiser: map entry stack variables Dave Hansen
@ 2017-11-08 19:47 ` Dave Hansen
2017-11-08 19:47 ` [PATCH 17/30] x86, kaiser: map debug IDT tables Dave Hansen
` (13 subsequent siblings)
29 siblings, 0 replies; 64+ messages in thread
From: Dave Hansen @ 2017-11-08 19:47 UTC (permalink / raw)
To: linux-kernel
Cc: linux-mm, dave.hansen, moritz.lipp, daniel.gruss,
michael.schwarz, richard.fellner, luto, torvalds, keescook,
hughd, x86
From: Dave Hansen <dave.hansen@linux.intel.com>
We put all of the interrupt entry/exit code into a special
section (.irqentry.text). This enables the ftrace code to figure
out when we are in a "grey area" of interrupt handling before the
C code has taken over and marked the data structures that we are
in an interrupt.
KAISER needs to map this section into the user page tables
because it contains the assembly that helps us enter interrupt
routines. In addition to the assembly which KAISER *needs*, the
section also contains the first C function that handles an
interrupt. This is unfortunate, but it doesn't really hurt
anything.
This patch also aligns the .entry.text and .irqentry.text. This
ensures that we KAISER-map the section we want and *only* the
section we want. Otherwise, we might pull in extra code that
should be explicitly KAISER-mapped, but just happened to get
pulled in with something that shared the same page. That also
generally does not hurt anything, but it can make things hard
to debug because random build alignment can cause things to
fail.
This was missed in the original KAISER patch.
Signed-off-by: Dave Hansen <dave.hansen@linux.intel.com>
Cc: Moritz Lipp <moritz.lipp@iaik.tugraz.at>
Cc: Daniel Gruss <daniel.gruss@iaik.tugraz.at>
Cc: Michael Schwarz <michael.schwarz@iaik.tugraz.at>
Cc: Richard Fellner <richard.fellner@student.tugraz.at>
Cc: Andy Lutomirski <luto@kernel.org>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Kees Cook <keescook@google.com>
Cc: Hugh Dickins <hughd@google.com>
Cc: x86@kernel.org
---
b/arch/x86/mm/kaiser.c | 14 ++++++++++++++
b/include/asm-generic/vmlinux.lds.h | 10 ++++++++++
2 files changed, 24 insertions(+)
diff -puN arch/x86/mm/kaiser.c~kaiser-user-map-trace-irqentry_text arch/x86/mm/kaiser.c
--- a/arch/x86/mm/kaiser.c~kaiser-user-map-trace-irqentry_text 2017-11-08 10:45:34.557681382 -0800
+++ b/arch/x86/mm/kaiser.c 2017-11-08 10:45:34.562681382 -0800
@@ -19,6 +19,7 @@
#include <linux/types.h>
#include <linux/bug.h>
#include <linux/init.h>
+#include <linux/interrupt.h>
#include <linux/spinlock.h>
#include <linux/mm.h>
#include <linux/uaccess.h>
@@ -371,6 +372,19 @@ void __init kaiser_init(void)
*/
kaiser_add_user_map_early(get_cpu_gdt_ro(0), PAGE_SIZE,
__PAGE_KERNEL_RO | _PAGE_GLOBAL);
+
+ /*
+ * .irqentry.text helps us identify code that runs before
+ * we get a chance to call entering_irq(). This includes
+ * the interrupt entry assembly plus the first C function
+ * that gets called. KAISER does not need the C code
+ * mapped. We just use the .irqentry.text section as-is
+ * to avoid having to carve out a new section for the
+ * assembly only.
+ */
+ kaiser_add_user_map_ptrs_early(__irqentry_text_start,
+ __irqentry_text_end,
+ __PAGE_KERNEL_RX | _PAGE_GLOBAL);
}
int kaiser_add_mapping(unsigned long addr, unsigned long size,
diff -puN include/asm-generic/vmlinux.lds.h~kaiser-user-map-trace-irqentry_text include/asm-generic/vmlinux.lds.h
--- a/include/asm-generic/vmlinux.lds.h~kaiser-user-map-trace-irqentry_text 2017-11-08 10:45:34.559681382 -0800
+++ b/include/asm-generic/vmlinux.lds.h 2017-11-08 10:45:34.563681382 -0800
@@ -59,6 +59,12 @@
/* Align . to a 8 byte boundary equals to maximum function alignment. */
#define ALIGN_FUNCTION() . = ALIGN(8)
+#ifdef CONFIG_KAISER
+#define ALIGN_KAISER() . = ALIGN(PAGE_SIZE);
+#else
+#define ALIGN_KAISER()
+#endif
+
/*
* LD_DEAD_CODE_DATA_ELIMINATION option enables -fdata-sections, which
* generates .data.identifier sections, which need to be pulled in with
@@ -493,15 +499,19 @@
VMLINUX_SYMBOL(__kprobes_text_end) = .;
#define ENTRY_TEXT \
+ ALIGN_KAISER(); \
ALIGN_FUNCTION(); \
VMLINUX_SYMBOL(__entry_text_start) = .; \
*(.entry.text) \
+ ALIGN_KAISER(); \
VMLINUX_SYMBOL(__entry_text_end) = .;
#define IRQENTRY_TEXT \
+ ALIGN_KAISER(); \
ALIGN_FUNCTION(); \
VMLINUX_SYMBOL(__irqentry_text_start) = .; \
*(.irqentry.text) \
+ ALIGN_KAISER(); \
VMLINUX_SYMBOL(__irqentry_text_end) = .;
#define SOFTIRQENTRY_TEXT \
_
^ permalink raw reply [flat|nested] 64+ messages in thread* [PATCH 17/30] x86, kaiser: map debug IDT tables
2017-11-08 19:46 [PATCH 00/30] [v2] KAISER: unmap most of the kernel from userspace page tables Dave Hansen
` (15 preceding siblings ...)
2017-11-08 19:47 ` [PATCH 16/30] x86, kaiser: map trace interrupt entry Dave Hansen
@ 2017-11-08 19:47 ` Dave Hansen
2017-11-08 19:47 ` [PATCH 18/30] x86, kaiser: map virtually-addressed performance monitoring buffers Dave Hansen
` (12 subsequent siblings)
29 siblings, 0 replies; 64+ messages in thread
From: Dave Hansen @ 2017-11-08 19:47 UTC (permalink / raw)
To: linux-kernel
Cc: linux-mm, dave.hansen, moritz.lipp, daniel.gruss,
michael.schwarz, richard.fellner, luto, torvalds, keescook,
hughd, x86
From: Dave Hansen <dave.hansen@linux.intel.com>
The IDT table it references are another structure where the
CPU references a virtual address. It also obviously needs these
to handle an interrupt in userspace, so these need to be mapped into
the user copy of the page tables.
Signed-off-by: Dave Hansen <dave.hansen@linux.intel.com>
Cc: Moritz Lipp <moritz.lipp@iaik.tugraz.at>
Cc: Daniel Gruss <daniel.gruss@iaik.tugraz.at>
Cc: Michael Schwarz <michael.schwarz@iaik.tugraz.at>
Cc: Richard Fellner <richard.fellner@student.tugraz.at>
Cc: Andy Lutomirski <luto@kernel.org>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Kees Cook <keescook@google.com>
Cc: Hugh Dickins <hughd@google.com>
Cc: x86@kernel.org
---
b/arch/x86/mm/kaiser.c | 12 ++++++++++++
1 file changed, 12 insertions(+)
diff -puN arch/x86/mm/kaiser.c~kaiser-user-map-trace-and-debug-idt arch/x86/mm/kaiser.c
--- a/arch/x86/mm/kaiser.c~kaiser-user-map-trace-and-debug-idt 2017-11-08 10:45:35.124681380 -0800
+++ b/arch/x86/mm/kaiser.c 2017-11-08 10:45:35.127681380 -0800
@@ -275,6 +275,14 @@ int kaiser_add_user_map_ptrs(const void
flags);
}
+static int kaiser_user_map_ptr_early(const void *start_addr, unsigned long size,
+ unsigned long flags)
+{
+ int ret = kaiser_add_user_map(start_addr, size, flags);
+ WARN_ON(ret);
+ return ret;
+}
+
/*
* Ensure that the top level of the (shadow) page tables are
* entirely populated. This ensures that all processes that get
@@ -363,6 +371,10 @@ void __init kaiser_init(void)
sizeof(gate_desc) * NR_VECTORS,
__PAGE_KERNEL_RO | _PAGE_GLOBAL);
+ kaiser_user_map_ptr_early(&debug_idt_table,
+ sizeof(gate_desc) * NR_VECTORS,
+ __PAGE_KERNEL | _PAGE_GLOBAL);
+
/*
* We could theoretically do this in setup_fixmap_gdt().
* But, we would need to rewrite the above page table
_
^ permalink raw reply [flat|nested] 64+ messages in thread* [PATCH 18/30] x86, kaiser: map virtually-addressed performance monitoring buffers
2017-11-08 19:46 [PATCH 00/30] [v2] KAISER: unmap most of the kernel from userspace page tables Dave Hansen
` (16 preceding siblings ...)
2017-11-08 19:47 ` [PATCH 17/30] x86, kaiser: map debug IDT tables Dave Hansen
@ 2017-11-08 19:47 ` Dave Hansen
2017-11-10 12:17 ` Peter Zijlstra
2017-11-08 19:47 ` [PATCH 19/30] x86, mm: Move CR3 construction functions Dave Hansen
` (11 subsequent siblings)
29 siblings, 1 reply; 64+ messages in thread
From: Dave Hansen @ 2017-11-08 19:47 UTC (permalink / raw)
To: linux-kernel
Cc: linux-mm, dave.hansen, hughd, moritz.lipp, daniel.gruss,
michael.schwarz, richard.fellner, luto, torvalds, keescook, x86
From: Hugh Dickins <hughd@google.com>
[Dave] Add explicit _PAGE_GLOBAL
The BTS and PEBS buffers both have their virtual addresses programmed
into the hardware. This means that we have to access them via the page
tables. The times that the hardware accesses these are entirely
dependent on how the performance monitoring hardware events are set up.
In other words, we have no idea when we might need to access these
buffers.
Avoid perf crashes: place debug_store in the user-mapped per-cpu area
instead of allocating, and use page allocator plus kaiser_add_mapping()
to keep the BTS and PEBS buffers user-mapped (that is, present in the
user mapping, though visible only to kernel and hardware). The PEBS
fixup buffer does not need this treatment.
The need for a user-mapped struct debug_store showed up before doing
any conscious perf testing: in a couple of kernel paging oopses on
Westmere, implicating the debug_store offset of the per-cpu area.
Signed-off-by: Hugh Dickins <hughd@google.com>
Signed-off-by: Dave Hansen <dave.hansen@linux.intel.com>
Cc: Moritz Lipp <moritz.lipp@iaik.tugraz.at>
Cc: Daniel Gruss <daniel.gruss@iaik.tugraz.at>
Cc: Michael Schwarz <michael.schwarz@iaik.tugraz.at>
Cc: Richard Fellner <richard.fellner@student.tugraz.at>
Cc: Andy Lutomirski <luto@kernel.org>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Kees Cook <keescook@google.com>
Cc: Hugh Dickins <hughd@google.com>
Cc: x86@kernel.org
---
b/arch/x86/events/intel/ds.c | 57 +++++++++++++++++++++++++++++++++----------
1 file changed, 45 insertions(+), 12 deletions(-)
diff -puN arch/x86/events/intel/ds.c~kaiser-user-map-virtually-addressed-performance-monitoring-buffers arch/x86/events/intel/ds.c
--- a/arch/x86/events/intel/ds.c~kaiser-user-map-virtually-addressed-performance-monitoring-buffers 2017-11-08 10:45:35.659681379 -0800
+++ b/arch/x86/events/intel/ds.c 2017-11-08 10:45:35.662681379 -0800
@@ -2,11 +2,15 @@
#include <linux/types.h>
#include <linux/slab.h>
+#include <asm/kaiser.h>
#include <asm/perf_event.h>
#include <asm/insn.h>
#include "../perf_event.h"
+static
+DEFINE_PER_CPU_SHARED_ALIGNED_USER_MAPPED(struct debug_store, cpu_debug_store);
+
/* The size of a BTS record in bytes: */
#define BTS_RECORD_SIZE 24
@@ -278,6 +282,39 @@ void fini_debug_store_on_cpu(int cpu)
static DEFINE_PER_CPU(void *, insn_buffer);
+static void *dsalloc(size_t size, gfp_t flags, int node)
+{
+#ifdef CONFIG_KAISER
+ unsigned int order = get_order(size);
+ struct page *page;
+ unsigned long addr;
+
+ page = __alloc_pages_node(node, flags | __GFP_ZERO, order);
+ if (!page)
+ return NULL;
+ addr = (unsigned long)page_address(page);
+ if (kaiser_add_mapping(addr, size, __PAGE_KERNEL | _PAGE_GLOBAL) < 0) {
+ __free_pages(page, order);
+ addr = 0;
+ }
+ return (void *)addr;
+#else
+ return kmalloc_node(size, flags | __GFP_ZERO, node);
+#endif
+}
+
+static void dsfree(const void *buffer, size_t size)
+{
+#ifdef CONFIG_KAISER
+ if (!buffer)
+ return;
+ kaiser_remove_mapping((unsigned long)buffer, size);
+ free_pages((unsigned long)buffer, get_order(size));
+#else
+ kfree(buffer);
+#endif
+}
+
static int alloc_pebs_buffer(int cpu)
{
struct debug_store *ds = per_cpu(cpu_hw_events, cpu).ds;
@@ -288,7 +325,7 @@ static int alloc_pebs_buffer(int cpu)
if (!x86_pmu.pebs)
return 0;
- buffer = kzalloc_node(x86_pmu.pebs_buffer_size, GFP_KERNEL, node);
+ buffer = dsalloc(x86_pmu.pebs_buffer_size, GFP_KERNEL, node);
if (unlikely(!buffer))
return -ENOMEM;
@@ -299,7 +336,7 @@ static int alloc_pebs_buffer(int cpu)
if (x86_pmu.intel_cap.pebs_format < 2) {
ibuffer = kzalloc_node(PEBS_FIXUP_SIZE, GFP_KERNEL, node);
if (!ibuffer) {
- kfree(buffer);
+ dsfree(buffer, x86_pmu.pebs_buffer_size);
return -ENOMEM;
}
per_cpu(insn_buffer, cpu) = ibuffer;
@@ -325,7 +362,8 @@ static void release_pebs_buffer(int cpu)
kfree(per_cpu(insn_buffer, cpu));
per_cpu(insn_buffer, cpu) = NULL;
- kfree((void *)(unsigned long)ds->pebs_buffer_base);
+ dsfree((void *)(unsigned long)ds->pebs_buffer_base,
+ x86_pmu.pebs_buffer_size);
ds->pebs_buffer_base = 0;
}
@@ -339,7 +377,7 @@ static int alloc_bts_buffer(int cpu)
if (!x86_pmu.bts)
return 0;
- buffer = kzalloc_node(BTS_BUFFER_SIZE, GFP_KERNEL | __GFP_NOWARN, node);
+ buffer = dsalloc(BTS_BUFFER_SIZE, GFP_KERNEL | __GFP_NOWARN, node);
if (unlikely(!buffer)) {
WARN_ONCE(1, "%s: BTS buffer allocation failure\n", __func__);
return -ENOMEM;
@@ -365,19 +403,15 @@ static void release_bts_buffer(int cpu)
if (!ds || !x86_pmu.bts)
return;
- kfree((void *)(unsigned long)ds->bts_buffer_base);
+ dsfree((void *)(unsigned long)ds->bts_buffer_base, BTS_BUFFER_SIZE);
ds->bts_buffer_base = 0;
}
static int alloc_ds_buffer(int cpu)
{
- int node = cpu_to_node(cpu);
- struct debug_store *ds;
-
- ds = kzalloc_node(sizeof(*ds), GFP_KERNEL, node);
- if (unlikely(!ds))
- return -ENOMEM;
+ struct debug_store *ds = per_cpu_ptr(&cpu_debug_store, cpu);
+ memset(ds, 0, sizeof(*ds));
per_cpu(cpu_hw_events, cpu).ds = ds;
return 0;
@@ -391,7 +425,6 @@ static void release_ds_buffer(int cpu)
return;
per_cpu(cpu_hw_events, cpu).ds = NULL;
- kfree(ds);
}
void release_ds_buffers(void)
_
^ permalink raw reply [flat|nested] 64+ messages in thread* Re: [PATCH 18/30] x86, kaiser: map virtually-addressed performance monitoring buffers
2017-11-08 19:47 ` [PATCH 18/30] x86, kaiser: map virtually-addressed performance monitoring buffers Dave Hansen
@ 2017-11-10 12:17 ` Peter Zijlstra
0 siblings, 0 replies; 64+ messages in thread
From: Peter Zijlstra @ 2017-11-10 12:17 UTC (permalink / raw)
To: Dave Hansen
Cc: linux-kernel, linux-mm, hughd, moritz.lipp, daniel.gruss,
michael.schwarz, richard.fellner, luto, torvalds, keescook, x86
On Wed, Nov 08, 2017 at 11:47:20AM -0800, Dave Hansen wrote:
> +static
> +DEFINE_PER_CPU_SHARED_ALIGNED_USER_MAPPED(struct debug_store, cpu_debug_store);
> +
> /* The size of a BTS record in bytes: */
> #define BTS_RECORD_SIZE 24
>
> @@ -278,6 +282,39 @@ void fini_debug_store_on_cpu(int cpu)
>
> static DEFINE_PER_CPU(void *, insn_buffer);
>
> +static void *dsalloc(size_t size, gfp_t flags, int node)
> +{
> +#ifdef CONFIG_KAISER
> + unsigned int order = get_order(size);
> + struct page *page;
> + unsigned long addr;
> +
> + page = __alloc_pages_node(node, flags | __GFP_ZERO, order);
> + if (!page)
> + return NULL;
> + addr = (unsigned long)page_address(page);
> + if (kaiser_add_mapping(addr, size, __PAGE_KERNEL | _PAGE_GLOBAL) < 0) {
> + __free_pages(page, order);
> + addr = 0;
> + }
> + return (void *)addr;
> +#else
> + return kmalloc_node(size, flags | __GFP_ZERO, node);
> +#endif
> +}
> +
> +static void dsfree(const void *buffer, size_t size)
> +{
> +#ifdef CONFIG_KAISER
> + if (!buffer)
> + return;
> + kaiser_remove_mapping((unsigned long)buffer, size);
> + free_pages((unsigned long)buffer, get_order(size));
> +#else
> + kfree(buffer);
> +#endif
> +}
You might as well use __alloc_pages_node() / free_pages()
unconditionally. Those buffers are at least one page in size.
That should also get rid of the #ifdef muck.
> static int alloc_ds_buffer(int cpu)
> {
> - int node = cpu_to_node(cpu);
> - struct debug_store *ds;
> -
> - ds = kzalloc_node(sizeof(*ds), GFP_KERNEL, node);
> - if (unlikely(!ds))
> - return -ENOMEM;
> + struct debug_store *ds = per_cpu_ptr(&cpu_debug_store, cpu);
>
> + memset(ds, 0, sizeof(*ds));
Why the memset() ? isn't static per-cpu memory 0 initialized
^ permalink raw reply [flat|nested] 64+ messages in thread
* [PATCH 19/30] x86, mm: Move CR3 construction functions
2017-11-08 19:46 [PATCH 00/30] [v2] KAISER: unmap most of the kernel from userspace page tables Dave Hansen
` (17 preceding siblings ...)
2017-11-08 19:47 ` [PATCH 18/30] x86, kaiser: map virtually-addressed performance monitoring buffers Dave Hansen
@ 2017-11-08 19:47 ` Dave Hansen
2017-11-08 19:47 ` [PATCH 20/30] x86, mm: remove hard-coded ASID limit checks Dave Hansen
` (10 subsequent siblings)
29 siblings, 0 replies; 64+ messages in thread
From: Dave Hansen @ 2017-11-08 19:47 UTC (permalink / raw)
To: linux-kernel
Cc: linux-mm, dave.hansen, moritz.lipp, daniel.gruss,
michael.schwarz, richard.fellner, luto, torvalds, keescook,
hughd, x86
From: Dave Hansen <dave.hansen@linux.intel.com>
For flushing the TLB, we need to know which ASID has been programmed
into the hardware. Since that differs from what is in 'cpu_tlbstate',
we need to be able to transform the ASID in cpu_tlbstate to the one
programmed into the hardware.
It's not easy to include mmu_context.h into tlbflush.h, so just move
the CR3 building over to tlbflush.h.
Signed-off-by: Dave Hansen <dave.hansen@linux.intel.com>
Cc: Moritz Lipp <moritz.lipp@iaik.tugraz.at>
Cc: Daniel Gruss <daniel.gruss@iaik.tugraz.at>
Cc: Michael Schwarz <michael.schwarz@iaik.tugraz.at>
Cc: Richard Fellner <richard.fellner@student.tugraz.at>
Cc: Andy Lutomirski <luto@kernel.org>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Kees Cook <keescook@google.com>
Cc: Hugh Dickins <hughd@google.com>
Cc: x86@kernel.org
---
b/arch/x86/include/asm/mmu_context.h | 29 +----------------------------
b/arch/x86/include/asm/tlbflush.h | 27 +++++++++++++++++++++++++++
b/arch/x86/mm/tlb.c | 8 ++++----
3 files changed, 32 insertions(+), 32 deletions(-)
diff -puN arch/x86/include/asm/mmu_context.h~kaiser-pcid-pre-build-func-move arch/x86/include/asm/mmu_context.h
--- a/arch/x86/include/asm/mmu_context.h~kaiser-pcid-pre-build-func-move 2017-11-08 10:45:36.197681378 -0800
+++ b/arch/x86/include/asm/mmu_context.h 2017-11-08 10:45:36.205681378 -0800
@@ -281,33 +281,6 @@ static inline bool arch_vma_access_permi
}
/*
- * If PCID is on, ASID-aware code paths put the ASID+1 into the PCID
- * bits. This serves two purposes. It prevents a nasty situation in
- * which PCID-unaware code saves CR3, loads some other value (with PCID
- * == 0), and then restores CR3, thus corrupting the TLB for ASID 0 if
- * the saved ASID was nonzero. It also means that any bugs involving
- * loading a PCID-enabled CR3 with CR4.PCIDE off will trigger
- * deterministically.
- */
-
-static inline unsigned long build_cr3(struct mm_struct *mm, u16 asid)
-{
- if (static_cpu_has(X86_FEATURE_PCID)) {
- VM_WARN_ON_ONCE(asid > 4094);
- return __sme_pa(mm->pgd) | (asid + 1);
- } else {
- VM_WARN_ON_ONCE(asid != 0);
- return __sme_pa(mm->pgd);
- }
-}
-
-static inline unsigned long build_cr3_noflush(struct mm_struct *mm, u16 asid)
-{
- VM_WARN_ON_ONCE(asid > 4094);
- return __sme_pa(mm->pgd) | (asid + 1) | CR3_NOFLUSH;
-}
-
-/*
* This can be used from process context to figure out what the value of
* CR3 is without needing to do a (slow) __read_cr3().
*
@@ -316,7 +289,7 @@ static inline unsigned long build_cr3_no
*/
static inline unsigned long __get_current_cr3_fast(void)
{
- unsigned long cr3 = build_cr3(this_cpu_read(cpu_tlbstate.loaded_mm),
+ unsigned long cr3 = build_cr3(this_cpu_read(cpu_tlbstate.loaded_mm)->pgd,
this_cpu_read(cpu_tlbstate.loaded_mm_asid));
/* For now, be very restrictive about when this can be called. */
diff -puN arch/x86/include/asm/tlbflush.h~kaiser-pcid-pre-build-func-move arch/x86/include/asm/tlbflush.h
--- a/arch/x86/include/asm/tlbflush.h~kaiser-pcid-pre-build-func-move 2017-11-08 10:45:36.199681378 -0800
+++ b/arch/x86/include/asm/tlbflush.h 2017-11-08 10:45:36.205681378 -0800
@@ -74,6 +74,33 @@ static inline u64 inc_mm_tlb_gen(struct
return new_tlb_gen;
}
+/*
+ * If PCID is on, ASID-aware code paths put the ASID+1 into the PCID
+ * bits. This serves two purposes. It prevents a nasty situation in
+ * which PCID-unaware code saves CR3, loads some other value (with PCID
+ * == 0), and then restores CR3, thus corrupting the TLB for ASID 0 if
+ * the saved ASID was nonzero. It also means that any bugs involving
+ * loading a PCID-enabled CR3 with CR4.PCIDE off will trigger
+ * deterministically.
+ */
+struct pgd_t;
+static inline unsigned long build_cr3(pgd_t *pgd, u16 asid)
+{
+ if (static_cpu_has(X86_FEATURE_PCID)) {
+ VM_WARN_ON_ONCE(asid > 4094);
+ return __sme_pa(pgd) | (asid + 1);
+ } else {
+ VM_WARN_ON_ONCE(asid != 0);
+ return __sme_pa(pgd);
+ }
+}
+
+static inline unsigned long build_cr3_noflush(pgd_t *pgd, u16 asid)
+{
+ VM_WARN_ON_ONCE(asid > 4094);
+ return __sme_pa(pgd) | (asid + 1) | CR3_NOFLUSH;
+}
+
#ifdef CONFIG_PARAVIRT
#include <asm/paravirt.h>
#else
diff -puN arch/x86/mm/tlb.c~kaiser-pcid-pre-build-func-move arch/x86/mm/tlb.c
--- a/arch/x86/mm/tlb.c~kaiser-pcid-pre-build-func-move 2017-11-08 10:45:36.201681378 -0800
+++ b/arch/x86/mm/tlb.c 2017-11-08 10:45:36.206681378 -0800
@@ -127,7 +127,7 @@ void switch_mm_irqs_off(struct mm_struct
* isn't free.
*/
#ifdef CONFIG_DEBUG_VM
- if (WARN_ON_ONCE(__read_cr3() != build_cr3(real_prev, prev_asid))) {
+ if (WARN_ON_ONCE(__read_cr3() != build_cr3(real_prev->pgd, prev_asid))) {
/*
* If we were to BUG here, we'd be very likely to kill
* the system so hard that we don't see the call trace.
@@ -194,12 +194,12 @@ void switch_mm_irqs_off(struct mm_struct
if (need_flush) {
this_cpu_write(cpu_tlbstate.ctxs[new_asid].ctx_id, next->context.ctx_id);
this_cpu_write(cpu_tlbstate.ctxs[new_asid].tlb_gen, next_tlb_gen);
- write_cr3(build_cr3(next, new_asid));
+ write_cr3(build_cr3(next->pgd, new_asid));
trace_tlb_flush(TLB_FLUSH_ON_TASK_SWITCH,
TLB_FLUSH_ALL);
} else {
/* The new ASID is already up to date. */
- write_cr3(build_cr3_noflush(next, new_asid));
+ write_cr3(build_cr3_noflush(next->pgd, new_asid));
trace_tlb_flush(TLB_FLUSH_ON_TASK_SWITCH, 0);
}
@@ -277,7 +277,7 @@ void initialize_tlbstate_and_flush(void)
!(cr4_read_shadow() & X86_CR4_PCIDE));
/* Force ASID 0 and force a TLB flush. */
- write_cr3(build_cr3(mm, 0));
+ write_cr3(build_cr3(mm->pgd, 0));
/* Reinitialize tlbstate. */
this_cpu_write(cpu_tlbstate.loaded_mm_asid, 0);
_
^ permalink raw reply [flat|nested] 64+ messages in thread* [PATCH 20/30] x86, mm: remove hard-coded ASID limit checks
2017-11-08 19:46 [PATCH 00/30] [v2] KAISER: unmap most of the kernel from userspace page tables Dave Hansen
` (18 preceding siblings ...)
2017-11-08 19:47 ` [PATCH 19/30] x86, mm: Move CR3 construction functions Dave Hansen
@ 2017-11-08 19:47 ` Dave Hansen
2017-11-10 12:20 ` Peter Zijlstra
2017-11-08 19:47 ` [PATCH 21/30] x86, mm: put mmu-to-h/w ASID translation in one place Dave Hansen
` (9 subsequent siblings)
29 siblings, 1 reply; 64+ messages in thread
From: Dave Hansen @ 2017-11-08 19:47 UTC (permalink / raw)
To: linux-kernel
Cc: linux-mm, dave.hansen, moritz.lipp, daniel.gruss,
michael.schwarz, richard.fellner, luto, torvalds, keescook,
hughd, x86
From: Dave Hansen <dave.hansen@linux.intel.com>
First, it's nice to remove the magic numbers.
Second, KAISER is going to eat up half of the available ASID
space. We do not use it today, but we need to at least spell
out this new restriction.
Signed-off-by: Dave Hansen <dave.hansen@linux.intel.com>
Cc: Moritz Lipp <moritz.lipp@iaik.tugraz.at>
Cc: Daniel Gruss <daniel.gruss@iaik.tugraz.at>
Cc: Michael Schwarz <michael.schwarz@iaik.tugraz.at>
Cc: Richard Fellner <richard.fellner@student.tugraz.at>
Cc: Andy Lutomirski <luto@kernel.org>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Kees Cook <keescook@google.com>
Cc: Hugh Dickins <hughd@google.com>
Cc: x86@kernel.org
---
b/arch/x86/include/asm/tlbflush.h | 16 ++++++++++++++--
1 file changed, 14 insertions(+), 2 deletions(-)
diff -puN arch/x86/include/asm/tlbflush.h~kaiser-pcid-pre-build-asids-macros arch/x86/include/asm/tlbflush.h
--- a/arch/x86/include/asm/tlbflush.h~kaiser-pcid-pre-build-asids-macros 2017-11-08 10:45:36.780681376 -0800
+++ b/arch/x86/include/asm/tlbflush.h 2017-11-08 10:45:36.784681376 -0800
@@ -74,6 +74,18 @@ static inline u64 inc_mm_tlb_gen(struct
return new_tlb_gen;
}
+/* There are 12 bits of space for ASIDS in CR3 */
+#define CR3_HW_ASID_BITS 12
+/* When enabled, KAISER consumes a single bit for user/kernel switches */
+#define KAISER_CONSUMED_ASID_BITS 0
+
+#define CR3_AVAIL_ASID_BITS (CR3_HW_ASID_BITS-KAISER_CONSUMED_ASID_BITS)
+/*
+ * We lose a single extra ASID because 0 is reserved for use
+ * by non-PCID-aware users.
+ */
+#define NR_AVAIL_ASIDS ((1<<CR3_AVAIL_ASID_BITS) - 1)
+
/*
* If PCID is on, ASID-aware code paths put the ASID+1 into the PCID
* bits. This serves two purposes. It prevents a nasty situation in
@@ -87,7 +99,7 @@ struct pgd_t;
static inline unsigned long build_cr3(pgd_t *pgd, u16 asid)
{
if (static_cpu_has(X86_FEATURE_PCID)) {
- VM_WARN_ON_ONCE(asid > 4094);
+ VM_WARN_ON_ONCE(asid > NR_AVAIL_ASIDS);
return __sme_pa(pgd) | (asid + 1);
} else {
VM_WARN_ON_ONCE(asid != 0);
@@ -97,7 +109,7 @@ static inline unsigned long build_cr3(pg
static inline unsigned long build_cr3_noflush(pgd_t *pgd, u16 asid)
{
- VM_WARN_ON_ONCE(asid > 4094);
+ VM_WARN_ON_ONCE(asid > NR_AVAIL_ASIDS);
return __sme_pa(pgd) | (asid + 1) | CR3_NOFLUSH;
}
_
^ permalink raw reply [flat|nested] 64+ messages in thread* Re: [PATCH 20/30] x86, mm: remove hard-coded ASID limit checks
2017-11-08 19:47 ` [PATCH 20/30] x86, mm: remove hard-coded ASID limit checks Dave Hansen
@ 2017-11-10 12:20 ` Peter Zijlstra
2017-11-10 18:41 ` Dave Hansen
0 siblings, 1 reply; 64+ messages in thread
From: Peter Zijlstra @ 2017-11-10 12:20 UTC (permalink / raw)
To: Dave Hansen
Cc: linux-kernel, linux-mm, moritz.lipp, daniel.gruss,
michael.schwarz, richard.fellner, luto, torvalds, keescook,
hughd, x86
On Wed, Nov 08, 2017 at 11:47:24AM -0800, Dave Hansen wrote:
> +#define CR3_HW_ASID_BITS 12
> +#define NR_AVAIL_ASIDS ((1<<CR3_AVAIL_ASID_BITS) - 1)
That evaluates to 4095
> - VM_WARN_ON_ONCE(asid > 4094);
> + VM_WARN_ON_ONCE(asid > NR_AVAIL_ASIDS);
Not the same number
^ permalink raw reply [flat|nested] 64+ messages in thread
* Re: [PATCH 20/30] x86, mm: remove hard-coded ASID limit checks
2017-11-10 12:20 ` Peter Zijlstra
@ 2017-11-10 18:41 ` Dave Hansen
0 siblings, 0 replies; 64+ messages in thread
From: Dave Hansen @ 2017-11-10 18:41 UTC (permalink / raw)
To: Peter Zijlstra
Cc: linux-kernel, linux-mm, moritz.lipp, daniel.gruss,
michael.schwarz, richard.fellner, luto, torvalds, keescook,
hughd, x86
On 11/10/2017 04:20 AM, Peter Zijlstra wrote:
> On Wed, Nov 08, 2017 at 11:47:24AM -0800, Dave Hansen wrote:
>> +#define CR3_HW_ASID_BITS 12
>> +#define NR_AVAIL_ASIDS ((1<<CR3_AVAIL_ASID_BITS) - 1)
> That evaluates to 4095
>
>> - VM_WARN_ON_ONCE(asid > 4094);
>> + VM_WARN_ON_ONCE(asid > NR_AVAIL_ASIDS);
> Not the same number
I think this got fixed up in the next patch (the check becomes a >=),
but I'll fix this to make it more clean and fix the intermediate breakage.
^ permalink raw reply [flat|nested] 64+ messages in thread
* [PATCH 21/30] x86, mm: put mmu-to-h/w ASID translation in one place
2017-11-08 19:46 [PATCH 00/30] [v2] KAISER: unmap most of the kernel from userspace page tables Dave Hansen
` (19 preceding siblings ...)
2017-11-08 19:47 ` [PATCH 20/30] x86, mm: remove hard-coded ASID limit checks Dave Hansen
@ 2017-11-08 19:47 ` Dave Hansen
2017-11-08 19:47 ` [PATCH 22/30] x86, pcid, kaiser: allow flushing for future ASID switches Dave Hansen
` (8 subsequent siblings)
29 siblings, 0 replies; 64+ messages in thread
From: Dave Hansen @ 2017-11-08 19:47 UTC (permalink / raw)
To: linux-kernel
Cc: linux-mm, dave.hansen, moritz.lipp, daniel.gruss,
michael.schwarz, richard.fellner, luto, torvalds, keescook,
hughd, x86
From: Dave Hansen <dave.hansen@linux.intel.com>
We effectively have two ASID types:
1. The one stored in the mmu_context that goes from 0->5
2. The one we program into the hardware that goes from 1->6
Let's just put the +1 in a single place which gives us a
nice place to comment. KAISER will also need to, given an
ASID, know which hardware ASID to flush for the userspace
mapping.
Signed-off-by: Dave Hansen <dave.hansen@linux.intel.com>
Cc: Moritz Lipp <moritz.lipp@iaik.tugraz.at>
Cc: Daniel Gruss <daniel.gruss@iaik.tugraz.at>
Cc: Michael Schwarz <michael.schwarz@iaik.tugraz.at>
Cc: Richard Fellner <richard.fellner@student.tugraz.at>
Cc: Andy Lutomirski <luto@kernel.org>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Kees Cook <keescook@google.com>
Cc: Hugh Dickins <hughd@google.com>
Cc: x86@kernel.org
---
b/arch/x86/include/asm/tlbflush.h | 30 ++++++++++++++++++------------
1 file changed, 18 insertions(+), 12 deletions(-)
diff -puN arch/x86/include/asm/tlbflush.h~kaiser-pcid-pre-build-kern arch/x86/include/asm/tlbflush.h
--- a/arch/x86/include/asm/tlbflush.h~kaiser-pcid-pre-build-kern 2017-11-08 10:45:37.314681375 -0800
+++ b/arch/x86/include/asm/tlbflush.h 2017-11-08 10:45:37.317681375 -0800
@@ -86,21 +86,26 @@ static inline u64 inc_mm_tlb_gen(struct
*/
#define NR_AVAIL_ASIDS ((1<<CR3_AVAIL_ASID_BITS) - 1)
-/*
- * If PCID is on, ASID-aware code paths put the ASID+1 into the PCID
- * bits. This serves two purposes. It prevents a nasty situation in
- * which PCID-unaware code saves CR3, loads some other value (with PCID
- * == 0), and then restores CR3, thus corrupting the TLB for ASID 0 if
- * the saved ASID was nonzero. It also means that any bugs involving
- * loading a PCID-enabled CR3 with CR4.PCIDE off will trigger
- * deterministically.
- */
+static inline u16 kern_asid(u16 asid)
+{
+ VM_WARN_ON_ONCE(asid >= NR_AVAIL_ASIDS);
+ /*
+ * If PCID is on, ASID-aware code paths put the ASID+1 into the PCID
+ * bits. This serves two purposes. It prevents a nasty situation in
+ * which PCID-unaware code saves CR3, loads some other value (with PCID
+ * == 0), and then restores CR3, thus corrupting the TLB for ASID 0 if
+ * the saved ASID was nonzero. It also means that any bugs involving
+ * loading a PCID-enabled CR3 with CR4.PCIDE off will trigger
+ * deterministically.
+ */
+ return asid + 1;
+}
+
struct pgd_t;
static inline unsigned long build_cr3(pgd_t *pgd, u16 asid)
{
if (static_cpu_has(X86_FEATURE_PCID)) {
- VM_WARN_ON_ONCE(asid > NR_AVAIL_ASIDS);
- return __sme_pa(pgd) | (asid + 1);
+ return __sme_pa(pgd) | kern_asid(asid);
} else {
VM_WARN_ON_ONCE(asid != 0);
return __sme_pa(pgd);
@@ -110,7 +115,8 @@ static inline unsigned long build_cr3(pg
static inline unsigned long build_cr3_noflush(pgd_t *pgd, u16 asid)
{
VM_WARN_ON_ONCE(asid > NR_AVAIL_ASIDS);
- return __sme_pa(pgd) | (asid + 1) | CR3_NOFLUSH;
+ VM_WARN_ON_ONCE(!this_cpu_has(X86_FEATURE_PCID));
+ return __sme_pa(pgd) | kern_asid(asid) | CR3_NOFLUSH;
}
#ifdef CONFIG_PARAVIRT
_
^ permalink raw reply [flat|nested] 64+ messages in thread* [PATCH 22/30] x86, pcid, kaiser: allow flushing for future ASID switches
2017-11-08 19:46 [PATCH 00/30] [v2] KAISER: unmap most of the kernel from userspace page tables Dave Hansen
` (20 preceding siblings ...)
2017-11-08 19:47 ` [PATCH 21/30] x86, mm: put mmu-to-h/w ASID translation in one place Dave Hansen
@ 2017-11-08 19:47 ` Dave Hansen
2017-11-10 12:25 ` Peter Zijlstra
2017-11-08 19:47 ` [PATCH 23/30] x86, kaiser: use PCID feature to make user and kernel switches faster Dave Hansen
` (7 subsequent siblings)
29 siblings, 1 reply; 64+ messages in thread
From: Dave Hansen @ 2017-11-08 19:47 UTC (permalink / raw)
To: linux-kernel
Cc: linux-mm, dave.hansen, moritz.lipp, daniel.gruss,
michael.schwarz, richard.fellner, luto, torvalds, keescook,
hughd, x86
From: Dave Hansen <dave.hansen@linux.intel.com>
If we change the page tables in such a way that we need an
invalidation of all contexts (aka. PCIDs / ASIDs) we can
actively invalidate them by:
1. INVPCID for each PCID (works for single pages too).
2. Load CR3 with each PCID without the NOFLUSH bit set
3. Load CR3 with the NOFLUSH bit set for each and do
INVLPG for each address.
But, none of these are really feasible since we have ~6 ASIDs (12 with
KAISER) at the time that we need to do an invalidation. So, we just
invalidate the *current* context and then mark the cpu_tlbstate
_quickly_.
Then, at the next context-switch, we notice that we had
'all_other_ctxs_invalid' marked, and go invalidate all of the
cpu_tlbstate.ctxs[] entries.
This ensures that any future context switches will do a full flush
of the TLB so they pick up the changes.
Signed-off-by: Dave Hansen <dave.hansen@linux.intel.com>
Cc: Moritz Lipp <moritz.lipp@iaik.tugraz.at>
Cc: Daniel Gruss <daniel.gruss@iaik.tugraz.at>
Cc: Michael Schwarz <michael.schwarz@iaik.tugraz.at>
Cc: Richard Fellner <richard.fellner@student.tugraz.at>
Cc: Andy Lutomirski <luto@kernel.org>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Kees Cook <keescook@google.com>
Cc: Hugh Dickins <hughd@google.com>
Cc: x86@kernel.org
---
b/arch/x86/include/asm/tlbflush.h | 47 +++++++++++++++++++++++++++++---------
b/arch/x86/mm/tlb.c | 35 ++++++++++++++++++++++++++++
2 files changed, 72 insertions(+), 10 deletions(-)
diff -puN arch/x86/include/asm/tlbflush.h~kaiser-pcid-pre-clear-pcid-cache arch/x86/include/asm/tlbflush.h
--- a/arch/x86/include/asm/tlbflush.h~kaiser-pcid-pre-clear-pcid-cache 2017-11-08 10:45:37.846681374 -0800
+++ b/arch/x86/include/asm/tlbflush.h 2017-11-08 10:45:37.852681374 -0800
@@ -183,6 +183,17 @@ struct tlb_state {
bool is_lazy;
/*
+ * If set we changed the page tables in such a way that we
+ * needed an invalidation of all contexts (aka. PCIDs / ASIDs).
+ * This tells us to go invalidate all the non-loaded ctxs[]
+ * on the next context switch.
+ *
+ * The current ctx was kept up-to-date as it ran and does not
+ * need to be invalidated.
+ */
+ bool all_other_ctxs_invalid;
+
+ /*
* Access to this CR4 shadow and to H/W CR4 is protected by
* disabling interrupts when modifying either one.
*/
@@ -259,6 +270,19 @@ static inline unsigned long cr4_read_sha
return this_cpu_read(cpu_tlbstate.cr4);
}
+static inline void tlb_flush_shared_nonglobals(void)
+{
+ /*
+ * With global pages, all of the shared kenel page tables
+ * are set as _PAGE_GLOBAL. We have no shared nonglobals
+ * and nothing to do here.
+ */
+ if (IS_ENABLED(CONFIG_X86_GLOBAL_PAGES))
+ return;
+
+ this_cpu_write(cpu_tlbstate.all_other_ctxs_invalid, true);
+}
+
/*
* Save some of cr4 feature set we're using (e.g. Pentium 4MB
* enable and PPro Global page enable), so that any CPU's that boot
@@ -288,6 +312,10 @@ static inline void __native_flush_tlb(vo
preempt_disable();
native_write_cr3(__native_read_cr3());
preempt_enable();
+ /*
+ * Does not need tlb_flush_shared_nonglobals() since the CR3 write
+ * without PCIDs flushes all non-globals.
+ */
}
static inline void __native_flush_tlb_global_irq_disabled(void)
@@ -346,24 +374,23 @@ static inline void __native_flush_tlb_si
static inline void __flush_tlb_all(void)
{
- if (boot_cpu_has(X86_FEATURE_PGE))
+ if (boot_cpu_has(X86_FEATURE_PGE)) {
__flush_tlb_global();
- else
+ } else {
__flush_tlb();
-
- /*
- * Note: if we somehow had PCID but not PGE, then this wouldn't work --
- * we'd end up flushing kernel translations for the current ASID but
- * we might fail to flush kernel translations for other cached ASIDs.
- *
- * To avoid this issue, we force PCID off if PGE is off.
- */
+ tlb_flush_shared_nonglobals();
+ }
}
static inline void __flush_tlb_one(unsigned long addr)
{
count_vm_tlb_event(NR_TLB_LOCAL_FLUSH_ONE);
__flush_tlb_single(addr);
+ /*
+ * Invalidate other address spaces inaccessible to single-page
+ * invalidation:
+ */
+ tlb_flush_shared_nonglobals();
}
#define TLB_FLUSH_ALL -1UL
diff -puN arch/x86/mm/tlb.c~kaiser-pcid-pre-clear-pcid-cache arch/x86/mm/tlb.c
--- a/arch/x86/mm/tlb.c~kaiser-pcid-pre-clear-pcid-cache 2017-11-08 10:45:37.848681374 -0800
+++ b/arch/x86/mm/tlb.c 2017-11-08 10:45:37.852681374 -0800
@@ -28,6 +28,38 @@
* Implement flush IPI by CALL_FUNCTION_VECTOR, Alex Shi
*/
+/*
+ * We get here when we do something requiring a TLB invalidation
+ * but could not go invalidate all of the contexts. We do the
+ * necessary invalidation by clearing out the 'ctx_id' which
+ * forces a TLB flush when the context is loaded.
+ */
+void clear_non_loaded_ctxs(void)
+{
+ u16 asid;
+
+ /*
+ * This is only expected to be set if we have disabled
+ * kernel _PAGE_GLOBAL pages.
+ */
+ if (IS_ENABLED(CONFIG_X86_GLOBAL_PAGES)) {
+ WARN_ON_ONCE(1);
+ return;
+ }
+
+ for (asid = 0; asid < TLB_NR_DYN_ASIDS; asid++) {
+ /* Do not need to flush the current asid */
+ if (asid == this_cpu_read(cpu_tlbstate.loaded_mm_asid))
+ continue;
+ /*
+ * Make sure the next time we go to switch to
+ * this asid, we do a flush:
+ */
+ this_cpu_write(cpu_tlbstate.ctxs[asid].ctx_id, 0);
+ }
+ this_cpu_write(cpu_tlbstate.all_other_ctxs_invalid, false);
+}
+
atomic64_t last_mm_ctx_id = ATOMIC64_INIT(1);
@@ -42,6 +74,9 @@ static void choose_new_asid(struct mm_st
return;
}
+ if (this_cpu_read(cpu_tlbstate.all_other_ctxs_invalid))
+ clear_non_loaded_ctxs();
+
for (asid = 0; asid < TLB_NR_DYN_ASIDS; asid++) {
if (this_cpu_read(cpu_tlbstate.ctxs[asid].ctx_id) !=
next->context.ctx_id)
_
^ permalink raw reply [flat|nested] 64+ messages in thread* Re: [PATCH 22/30] x86, pcid, kaiser: allow flushing for future ASID switches
2017-11-08 19:47 ` [PATCH 22/30] x86, pcid, kaiser: allow flushing for future ASID switches Dave Hansen
@ 2017-11-10 12:25 ` Peter Zijlstra
0 siblings, 0 replies; 64+ messages in thread
From: Peter Zijlstra @ 2017-11-10 12:25 UTC (permalink / raw)
To: Dave Hansen
Cc: linux-kernel, linux-mm, moritz.lipp, daniel.gruss,
michael.schwarz, richard.fellner, luto, torvalds, keescook,
hughd, x86
On Wed, Nov 08, 2017 at 11:47:28AM -0800, Dave Hansen wrote:
> +/*
> + * We get here when we do something requiring a TLB invalidation
> + * but could not go invalidate all of the contexts. We do the
> + * necessary invalidation by clearing out the 'ctx_id' which
> + * forces a TLB flush when the context is loaded.
> + */
> +void clear_non_loaded_ctxs(void)
> +{
> + u16 asid;
> +
> + /*
> + * This is only expected to be set if we have disabled
> + * kernel _PAGE_GLOBAL pages.
> + */
> + if (IS_ENABLED(CONFIG_X86_GLOBAL_PAGES)) {
> + WARN_ON_ONCE(1);
> + return;
> + }
Whitespace damage..
> +
> + for (asid = 0; asid < TLB_NR_DYN_ASIDS; asid++) {
> + /* Do not need to flush the current asid */
> + if (asid == this_cpu_read(cpu_tlbstate.loaded_mm_asid))
> + continue;
> + /*
> + * Make sure the next time we go to switch to
> + * this asid, we do a flush:
> + */
> + this_cpu_write(cpu_tlbstate.ctxs[asid].ctx_id, 0);
> + }
> + this_cpu_write(cpu_tlbstate.all_other_ctxs_invalid, false);
> +}
^ permalink raw reply [flat|nested] 64+ messages in thread
* [PATCH 23/30] x86, kaiser: use PCID feature to make user and kernel switches faster
2017-11-08 19:46 [PATCH 00/30] [v2] KAISER: unmap most of the kernel from userspace page tables Dave Hansen
` (21 preceding siblings ...)
2017-11-08 19:47 ` [PATCH 22/30] x86, pcid, kaiser: allow flushing for future ASID switches Dave Hansen
@ 2017-11-08 19:47 ` Dave Hansen
2017-11-08 19:47 ` [PATCH 24/30] x86, kaiser: disable native VSYSCALL Dave Hansen
` (6 subsequent siblings)
29 siblings, 0 replies; 64+ messages in thread
From: Dave Hansen @ 2017-11-08 19:47 UTC (permalink / raw)
To: linux-kernel
Cc: linux-mm, dave.hansen, moritz.lipp, daniel.gruss,
michael.schwarz, richard.fellner, luto, torvalds, keescook,
hughd, x86
From: Dave Hansen <dave.hansen@linux.intel.com>
Short summary: Use x86 PCID feature to avoid flushing the TLB at all
interrupts and syscalls. Speed them up. Makes context switches
and TLB flushing slower.
Background:
KAISER keeps two copies of the page tables. We switch between them
with the the CR3 register. But, CR3 was really designed for context
switches and changing it also flushes the entire TLB (modulo global
pages). This TLB flush increases the cost of interrupts and context
switches. For syscall-heavy microbenchmarks it can cut the rate of
syscalls by 2/3.
But, now we have suppport for and Intel CPU feature called Process
Context IDentifiers (PCID) in the kernel thanks to Andy Lutomirski.
This feature is intended to allow you to switch between contexts
without flushing the TLB.
Implementation:
We can use PCIDs to avoid flushing the TLB at kernel entry/exit.
This is speeds up both interrupts and syscalls.
We do this by assigning the kernel and userspace different ASIDs. On
entry from userspace, we move over to the kernel page tables *and*
ASID. On exit, we restore the user page tables and ASID. Fortunately,
the ASID is programmed via CR3, which we are already using to switch
between the page table copies. So, we get one-stop shopping.
In current kernels, CR3 is used to switch between processes which also
provides all the TLB flushing that we need at a context switch. But,
with KAISER, that CR3 move only flushes the current (kernel) ASID. We
need an extra TLB flushing operation to flush the user ASID: invpcid.
This is probably ~100 cycles, but this is done with the assumption that
the time we lose in context switches is more than made up for in
interrupts and syscalls.
Support:
PCIDs are generally available on Sandybridge and newer CPUs. However,
the accompanying INVPCID instruction did not become available until
Haswell (the ones with "v4", or called fourth-generation Core). This
instruction allows non-current-PCID TLB entries to be flushed without
switching CR3 and global pages to be flushed without a double
MOV-to-CR4.
Without INVPCID, PCIDs are much harder to use. TLB invalidation gets
much more onerous:
1. Every kernel TLB flush (even for a single page) requires an
interrupts-off MOV-to-CR4 which is very expensive. This is because
there is no way to flush a kernel address that might be loaded
in *EVERY* PCID. Right now, there are "only" ~12 of these per-cpu,
but that's too painful to use the MOV-to-CR3 to flush them. That
leaves only the MOV-to-CR4.
2. Every userspace flush (even for a single page requires one of the
following:
a. A pair of flushing (bit 63 clear) CR3 writes: one for
the kernel ASID and another for userspace.
b. A pair of non-flushing CR3 writes (bit 63 set) with the
flush done for each. For instance, what is currently a
single instruction without KAISER:
invpcid_flush_one(current_pcid, addr);
becomes this with KAISER:
invpcid_flush_one(current_kern_pcid, addr);
invpcid_flush_one(current_user_pcid, addr);
and this without INVPCID:
__native_flush_tlb_single(addr);
write_cr3(mm->pgd | current_user_pcid | NOFLUSH);
__native_flush_tlb_single(addr);
write_cr3(mm->pgd | current_kern_pcid | NOFLUSH);
So, for now, we fully disable PCIDs with KAISER when INVPCID is
not available. This is fixable, but it's an optimization that
we can do later.
Hugh Dickins also points out that PCIDs really have two distinct
use-cases in the context of KAISER. The first way they can be used
is as "TLB preservation across context-swtich", which is what
Andy Lutomirksi's 4.14 PCID code does. They can also be used as
a "KAISER syscall/interrupt accelerator". If we just use them to
speed up syscall/interrupts (and ignore the context-switch TLB
preservation), then the deficiency of not having INVPCID
becomes much less onerous.
Signed-off-by: Dave Hansen <dave.hansen@linux.intel.com>
Cc: Moritz Lipp <moritz.lipp@iaik.tugraz.at>
Cc: Daniel Gruss <daniel.gruss@iaik.tugraz.at>
Cc: Michael Schwarz <michael.schwarz@iaik.tugraz.at>
Cc: Richard Fellner <richard.fellner@student.tugraz.at>
Cc: Andy Lutomirski <luto@kernel.org>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Kees Cook <keescook@google.com>
Cc: Hugh Dickins <hughd@google.com>
Cc: x86@kernel.org
---
b/arch/x86/entry/calling.h | 25 +++-
b/arch/x86/entry/entry_64.S | 1
b/arch/x86/include/asm/cpufeatures.h | 1
b/arch/x86/include/asm/pgtable_types.h | 11 ++
b/arch/x86/include/asm/tlbflush.h | 141 +++++++++++++++++++++-----
b/arch/x86/include/uapi/asm/processor-flags.h | 3
b/arch/x86/kvm/x86.c | 3
b/arch/x86/mm/init.c | 75 +++++++++----
b/arch/x86/mm/tlb.c | 66 +++++++++++-
9 files changed, 264 insertions(+), 62 deletions(-)
diff -puN arch/x86/entry/calling.h~kaiser-pcid arch/x86/entry/calling.h
--- a/arch/x86/entry/calling.h~kaiser-pcid 2017-11-08 10:45:38.410681372 -0800
+++ b/arch/x86/entry/calling.h 2017-11-08 10:45:38.429681372 -0800
@@ -2,6 +2,7 @@
#include <asm/unwind_hints.h>
#include <asm/cpufeatures.h>
#include <asm/page_types.h>
+#include <asm/pgtable_types.h>
/*
@@ -191,16 +192,20 @@ For 32-bit we have the following convent
#ifdef CONFIG_KAISER
/* KAISER PGDs are 8k. We flip bit 12 to switch between the two halves: */
-#define KAISER_SWITCH_MASK (1<<PAGE_SHIFT)
+#define KAISER_SWITCH_PGTABLES_MASK (1<<PAGE_SHIFT)
+#define KAISER_SWITCH_MASK (KAISER_SWITCH_PGTABLES_MASK|\
+ (1<<X86_CR3_KAISER_SWITCH_BIT))
.macro ADJUST_KERNEL_CR3 reg:req
- /* Clear "KAISER bit", point CR3 at kernel pagetables: */
- andq $(~KAISER_SWITCH_MASK), \reg
+ ALTERNATIVE "", "bts $63, \reg", X86_FEATURE_PCID
+ /* Clear PCID and "KAISER bit", point CR3 at kernel pagetables: */
+ andq $(~KAISER_SWITCH_MASK), \reg
.endm
.macro ADJUST_USER_CR3 reg:req
- /* Move CR3 up a page to the user page tables: */
- orq $(KAISER_SWITCH_MASK), \reg
+ ALTERNATIVE "", "bts $63, \reg", X86_FEATURE_PCID
+ /* Set user PCID bit, and move CR3 up a page to the user page tables: */
+ orq $(KAISER_SWITCH_MASK), \reg
.endm
.macro SWITCH_TO_KERNEL_CR3 scratch_reg:req
@@ -219,8 +224,14 @@ For 32-bit we have the following convent
movq %cr3, %r\scratch_reg
movq %r\scratch_reg, \save_reg
/*
- * Is the switch bit zero? This means the address is
- * up in real KAISER patches in a moment.
+ * Is the "switch mask" all zero? That means that both of
+ * these are zero:
+ *
+ * 1. The user/kernel PCID bit, and
+ * 2. The user/kernel "bit" that points CR3 to the
+ * bottom half of the 8k PGD
+ *
+ * That indicates a kernel CR3 value, not user/shadow.
*/
testq $(KAISER_SWITCH_MASK), %r\scratch_reg
jz .Ldone_\@
diff -puN arch/x86/entry/entry_64.S~kaiser-pcid arch/x86/entry/entry_64.S
--- a/arch/x86/entry/entry_64.S~kaiser-pcid 2017-11-08 10:45:38.412681372 -0800
+++ b/arch/x86/entry/entry_64.S 2017-11-08 10:45:38.430681372 -0800
@@ -602,6 +602,7 @@ END(irq_entries_start)
* tracking that we're in kernel mode.
*/
SWAPGS
+ SWITCH_TO_KERNEL_CR3 scratch_reg=%rax
movq %rsp, %rdi /* pt_regs pointer */
call sync_regs
diff -puN arch/x86/include/asm/cpufeatures.h~kaiser-pcid arch/x86/include/asm/cpufeatures.h
--- a/arch/x86/include/asm/cpufeatures.h~kaiser-pcid 2017-11-08 10:45:38.414681372 -0800
+++ b/arch/x86/include/asm/cpufeatures.h 2017-11-08 10:45:38.430681372 -0800
@@ -198,6 +198,7 @@
#define X86_FEATURE_CAT_L3 ( 7*32+ 4) /* Cache Allocation Technology L3 */
#define X86_FEATURE_CAT_L2 ( 7*32+ 5) /* Cache Allocation Technology L2 */
#define X86_FEATURE_CDP_L3 ( 7*32+ 6) /* Code and Data Prioritization L3 */
+#define X86_FEATURE_INVPCID_SINGLE ( 7*32+ 7) /* Effectively INVPCID && CR4.PCIDE=1 */
#define X86_FEATURE_HW_PSTATE ( 7*32+ 8) /* AMD HW-PState */
#define X86_FEATURE_PROC_FEEDBACK ( 7*32+ 9) /* AMD ProcFeedbackInterface */
diff -puN arch/x86/include/asm/pgtable_types.h~kaiser-pcid arch/x86/include/asm/pgtable_types.h
--- a/arch/x86/include/asm/pgtable_types.h~kaiser-pcid 2017-11-08 10:45:38.416681372 -0800
+++ b/arch/x86/include/asm/pgtable_types.h 2017-11-08 10:45:38.430681372 -0800
@@ -139,6 +139,17 @@
_PAGE_SOFT_DIRTY)
#define _HPAGE_CHG_MASK (_PAGE_CHG_MASK | _PAGE_PSE)
+/* The ASID is the lower 12 bits of CR3 */
+#define X86_CR3_PCID_ASID_MASK (_AC((1<<12)-1, UL))
+
+/* Mask for all the PCID-related bits in CR3: */
+#define X86_CR3_PCID_MASK (X86_CR3_PCID_NOFLUSH | X86_CR3_PCID_ASID_MASK)
+
+/* Make sure this is only usable in KAISER #ifdef'd code: */
+#ifdef CONFIG_KAISER
+#define X86_CR3_KAISER_SWITCH_BIT 11
+#endif
+
/*
* The cache modes defined here are used to translate between pure SW usage
* and the HW defined cache mode bits and/or PAT entries.
diff -puN arch/x86/include/asm/tlbflush.h~kaiser-pcid arch/x86/include/asm/tlbflush.h
--- a/arch/x86/include/asm/tlbflush.h~kaiser-pcid 2017-11-08 10:45:38.418681372 -0800
+++ b/arch/x86/include/asm/tlbflush.h 2017-11-08 10:45:38.431681372 -0800
@@ -77,7 +77,12 @@ static inline u64 inc_mm_tlb_gen(struct
/* There are 12 bits of space for ASIDS in CR3 */
#define CR3_HW_ASID_BITS 12
/* When enabled, KAISER consumes a single bit for user/kernel switches */
+#ifdef CONFIG_KAISER
+#define X86_CR3_KAISER_SWITCH_BIT 11
+#define KAISER_CONSUMED_ASID_BITS 1
+#else
#define KAISER_CONSUMED_ASID_BITS 0
+#endif
#define CR3_AVAIL_ASID_BITS (CR3_HW_ASID_BITS-KAISER_CONSUMED_ASID_BITS)
/*
@@ -86,21 +91,62 @@ static inline u64 inc_mm_tlb_gen(struct
*/
#define NR_AVAIL_ASIDS ((1<<CR3_AVAIL_ASID_BITS) - 1)
+/*
+ * 6 because 6 should be plenty and struct tlb_state will fit in
+ * two cache lines.
+ */
+#define TLB_NR_DYN_ASIDS 6
+
static inline u16 kern_asid(u16 asid)
{
VM_WARN_ON_ONCE(asid >= NR_AVAIL_ASIDS);
+
+#ifdef CONFIG_KAISER
+ /*
+ * Make sure that the dynamic ASID space does not confict
+ * with the bit we are using to switch between user and
+ * kernel ASIDs.
+ */
+ BUILD_BUG_ON(TLB_NR_DYN_ASIDS >= (1<<X86_CR3_KAISER_SWITCH_BIT));
+
/*
- * If PCID is on, ASID-aware code paths put the ASID+1 into the PCID
- * bits. This serves two purposes. It prevents a nasty situation in
- * which PCID-unaware code saves CR3, loads some other value (with PCID
- * == 0), and then restores CR3, thus corrupting the TLB for ASID 0 if
- * the saved ASID was nonzero. It also means that any bugs involving
- * loading a PCID-enabled CR3 with CR4.PCIDE off will trigger
- * deterministically.
+ * The ASID being passed in here should have respected
+ * the NR_AVAIL_ASIDS and thus never have the switch
+ * bit set.
+ */
+ VM_WARN_ON_ONCE(asid & (1<<X86_CR3_KAISER_SWITCH_BIT));
+#endif
+ /*
+ * The dynamically-assigned ASIDs that get passed in are
+ * small (<TLB_NR_DYN_ASIDS). They never have the high
+ * switch bit set, so do not bother to clear it.
+ */
+
+ /*
+ * If PCID is on, ASID-aware code paths put the ASID+1
+ * into the PCID bits. This serves two purposes. It
+ * prevents a nasty situation in which PCID-unaware code
+ * saves CR3, loads some other value (with PCID == 0),
+ * and then restores CR3, thus corrupting the TLB for
+ * ASID 0 if the saved ASID was nonzero. It also means
+ * that any bugs involving loading a PCID-enabled CR3
+ * with CR4.PCIDE off will trigger deterministically.
*/
return asid + 1;
}
+/*
+ * The user ASID is just the kernel one, plus the "switch bit".
+ */
+static inline u16 user_asid(u16 asid)
+{
+ u16 ret = kern_asid(asid);
+#ifdef CONFIG_KAISER
+ ret |= 1<<X86_CR3_KAISER_SWITCH_BIT;
+#endif
+ return ret;
+}
+
struct pgd_t;
static inline unsigned long build_cr3(pgd_t *pgd, u16 asid)
{
@@ -143,12 +189,6 @@ static inline bool tlb_defer_switch_to_i
return !static_cpu_has(X86_FEATURE_PCID);
}
-/*
- * 6 because 6 should be plenty and struct tlb_state will fit in
- * two cache lines.
- */
-#define TLB_NR_DYN_ASIDS 6
-
struct tlb_context {
u64 ctx_id;
u64 tlb_gen;
@@ -304,18 +344,42 @@ extern void initialize_tlbstate_and_flus
static inline void __native_flush_tlb(void)
{
- /*
- * If current->mm == NULL then we borrow a mm which may change during a
- * task switch and therefore we must not be preempted while we write CR3
- * back:
- */
- preempt_disable();
- native_write_cr3(__native_read_cr3());
- preempt_enable();
- /*
- * Does not need tlb_flush_shared_nonglobals() since the CR3 write
- * without PCIDs flushes all non-globals.
- */
+ if (!cpu_feature_enabled(X86_FEATURE_INVPCID)) {
+ /*
+ * native_write_cr3() only clears the current PCID if
+ * CR4 has X86_CR4_PCIDE set. In other words, this does
+ * not fully flush the TLB if PCIDs are in use.
+ *
+ * With KAISER and PCIDs, the means that we did not
+ * flush the user PCID. Warn if it gets called.
+ */
+ if (IS_ENABLED(CONFIG_KAISER))
+ WARN_ON_ONCE(this_cpu_read(cpu_tlbstate.cr4) &
+ X86_CR4_PCIDE);
+ /*
+ * If current->mm == NULL then we borrow a mm
+ * which may change during a task switch and
+ * therefore we must not be preempted while we
+ * write CR3 back:
+ */
+ preempt_disable();
+ native_write_cr3(__native_read_cr3());
+ preempt_enable();
+ /*
+ * Does not need tlb_flush_shared_nonglobals()
+ * since the CR3 write without PCIDs flushes all
+ * non-globals.
+ */
+ return;
+ }
+ /*
+ * We are no longer using globals with KAISER, so a
+ * "nonglobals" flush would work too. But, this is more
+ * conservative.
+ *
+ * Note, this works with CR4.PCIDE=0 or 1.
+ */
+ invpcid_flush_all();
}
static inline void __native_flush_tlb_global_irq_disabled(void)
@@ -350,6 +414,8 @@ static inline void __native_flush_tlb_gl
/*
* Using INVPCID is considerably faster than a pair of writes
* to CR4 sandwiched inside an IRQ flag save/restore.
+ *
+ * Note, this works with CR4.PCIDE=0 or 1.
*/
invpcid_flush_all();
return;
@@ -369,7 +435,30 @@ static inline void __native_flush_tlb_gl
static inline void __native_flush_tlb_single(unsigned long addr)
{
- asm volatile("invlpg (%0)" ::"r" (addr) : "memory");
+ u32 loaded_mm_asid = this_cpu_read(cpu_tlbstate.loaded_mm_asid);
+
+ /*
+ * Some platforms #GP if we call invpcid(type=1/2) before
+ * CR4.PCIDE=1. Just call invpcid in the case we are called
+ * early.
+ */
+ if (!this_cpu_has(X86_FEATURE_INVPCID_SINGLE)) {
+ asm volatile("invlpg (%0)" ::"r" (addr) : "memory");
+ return;
+ }
+ /* Flush the address out of both PCIDs. */
+ /*
+ * An optimization here might be to determine addresses
+ * that are only kernel-mapped and only flush the kernel
+ * ASID. But, userspace flushes are probably much more
+ * important performance-wise.
+ *
+ * Make sure to do only a single invpcid when KAISER is
+ * disabled and we have only a single ASID.
+ */
+ if (kern_asid(loaded_mm_asid) != user_asid(loaded_mm_asid))
+ invpcid_flush_one(user_asid(loaded_mm_asid), addr);
+ invpcid_flush_one(kern_asid(loaded_mm_asid), addr);
}
static inline void __flush_tlb_all(void)
diff -puN arch/x86/include/uapi/asm/processor-flags.h~kaiser-pcid arch/x86/include/uapi/asm/processor-flags.h
--- a/arch/x86/include/uapi/asm/processor-flags.h~kaiser-pcid 2017-11-08 10:45:38.420681372 -0800
+++ b/arch/x86/include/uapi/asm/processor-flags.h 2017-11-08 10:45:38.431681372 -0800
@@ -77,7 +77,8 @@
#define X86_CR3_PWT _BITUL(X86_CR3_PWT_BIT)
#define X86_CR3_PCD_BIT 4 /* Page Cache Disable */
#define X86_CR3_PCD _BITUL(X86_CR3_PCD_BIT)
-#define X86_CR3_PCID_MASK _AC(0x00000fff,UL) /* PCID Mask */
+#define X86_CR3_PCID_NOFLUSH_BIT 63 /* Preserve old PCID */
+#define X86_CR3_PCID_NOFLUSH _BITULL(X86_CR3_PCID_NOFLUSH_BIT)
/*
* Intel CPU features in CR4
diff -puN arch/x86/kvm/x86.c~kaiser-pcid arch/x86/kvm/x86.c
--- a/arch/x86/kvm/x86.c~kaiser-pcid 2017-11-08 10:45:38.422681372 -0800
+++ b/arch/x86/kvm/x86.c 2017-11-08 10:45:38.433681372 -0800
@@ -805,7 +805,8 @@ int kvm_set_cr4(struct kvm_vcpu *vcpu, u
return 1;
/* PCID can not be enabled when cr3[11:0]!=000H or EFER.LMA=0 */
- if ((kvm_read_cr3(vcpu) & X86_CR3_PCID_MASK) || !is_long_mode(vcpu))
+ if ((kvm_read_cr3(vcpu) & X86_CR3_PCID_ASID_MASK) ||
+ !is_long_mode(vcpu))
return 1;
}
diff -puN arch/x86/mm/init.c~kaiser-pcid arch/x86/mm/init.c
--- a/arch/x86/mm/init.c~kaiser-pcid 2017-11-08 10:45:38.424681372 -0800
+++ b/arch/x86/mm/init.c 2017-11-08 10:45:38.434681372 -0800
@@ -196,34 +196,59 @@ static void __init probe_page_size_mask(
static void setup_pcid(void)
{
-#ifdef CONFIG_X86_64
- if (boot_cpu_has(X86_FEATURE_PCID)) {
- if (boot_cpu_has(X86_FEATURE_PGE)) {
- /*
- * This can't be cr4_set_bits_and_update_boot() --
- * the trampoline code can't handle CR4.PCIDE and
- * it wouldn't do any good anyway. Despite the name,
- * cr4_set_bits_and_update_boot() doesn't actually
- * cause the bits in question to remain set all the
- * way through the secondary boot asm.
- *
- * Instead, we brute-force it and set CR4.PCIDE
- * manually in start_secondary().
- */
- cr4_set_bits(X86_CR4_PCIDE);
- } else {
- /*
- * flush_tlb_all(), as currently implemented, won't
- * work if PCID is on but PGE is not. Since that
- * combination doesn't exist on real hardware, there's
- * no reason to try to fully support it, but it's
- * polite to avoid corrupting data if we're on
- * an improperly configured VM.
- */
+ if (!IS_ENABLED(CONFIG_X86_64))
+ return;
+
+ if (!boot_cpu_has(X86_FEATURE_PCID))
+ return;
+
+ if (boot_cpu_has(X86_FEATURE_PGE)) {
+ /*
+ * KAISER uses a PCID for the kernel and another
+ * for userspace. Both PCIDs need to be flushed
+ * when the TLB flush functions are called. But,
+ * flushing *another* PCID is insane without
+ * INVPCID. Just avoid using PCIDs at all if we
+ * have KAISER and do not have INVPCID.
+ */
+ if (!IS_ENABLED(CONFIG_X86_GLOBAL_PAGES) &&
+ !boot_cpu_has(X86_FEATURE_INVPCID)) {
setup_clear_cpu_cap(X86_FEATURE_PCID);
+ return;
}
+ /*
+ * This can't be cr4_set_bits_and_update_boot() --
+ * the trampoline code can't handle CR4.PCIDE and
+ * it wouldn't do any good anyway. Despite the name,
+ * cr4_set_bits_and_update_boot() doesn't actually
+ * cause the bits in question to remain set all the
+ * way through the secondary boot asm.
+ *
+ * Instead, we brute-force it and set CR4.PCIDE
+ * manually in start_secondary().
+ */
+ cr4_set_bits(X86_CR4_PCIDE);
+
+ /*
+ * INVPCID's single-context modes (2/3) only work
+ * if we set X86_CR4_PCIDE, *and* we INVPCID
+ * support. It's unusable on systems that have
+ * X86_CR4_PCIDE clear, or that have no INVPCID
+ * support at all.
+ */
+ if (boot_cpu_has(X86_FEATURE_INVPCID))
+ setup_force_cpu_cap(X86_FEATURE_INVPCID_SINGLE);
+ } else {
+ /*
+ * flush_tlb_all(), as currently implemented, won't
+ * work if PCID is on but PGE is not. Since that
+ * combination doesn't exist on real hardware, there's
+ * no reason to try to fully support it, but it's
+ * polite to avoid corrupting data if we're on
+ * an improperly configured VM.
+ */
+ setup_clear_cpu_cap(X86_FEATURE_PCID);
}
-#endif
}
#ifdef CONFIG_X86_32
diff -puN arch/x86/mm/tlb.c~kaiser-pcid arch/x86/mm/tlb.c
--- a/arch/x86/mm/tlb.c~kaiser-pcid 2017-11-08 10:45:38.426681372 -0800
+++ b/arch/x86/mm/tlb.c 2017-11-08 10:45:38.434681372 -0800
@@ -100,6 +100,68 @@ static void choose_new_asid(struct mm_st
*need_flush = true;
}
+/*
+ * Given a kernel asid, flush the corresponding KAISER
+ * user ASID.
+ */
+static void flush_user_asid(pgd_t *pgd, u16 kern_asid)
+{
+ /* There is no user ASID if KAISER is off */
+ if (!IS_ENABLED(CONFIG_KAISER))
+ return;
+ /*
+ * We only have a single ASID if PCID is off and the CR3
+ * write will have flushed it.
+ */
+ if (!cpu_feature_enabled(X86_FEATURE_PCID))
+ return;
+ /*
+ * With PCIDs enabled, write_cr3() only flushes TLB
+ * entries for the current (kernel) ASID. This leaves
+ * old TLB entries for the user ASID in place and we must
+ * flush that context separately. We can theoretically
+ * delay doing this until we actually load up the
+ * userspace CR3, but do it here for simplicity.
+ */
+ if (cpu_feature_enabled(X86_FEATURE_INVPCID)) {
+ invpcid_flush_single_context(user_asid(kern_asid));
+ } else {
+ /*
+ * On systems with PCIDs, but no INVPCID, the only
+ * way to flush a PCID is a CR3 write. Note that
+ * we use the kernel page tables with the *user*
+ * ASID here.
+ */
+ unsigned long user_asid_flush_cr3;
+ user_asid_flush_cr3 = build_cr3(pgd, user_asid(kern_asid));
+ write_cr3(user_asid_flush_cr3);
+ /*
+ * We do not use PCIDs with KAISER unless we also
+ * have INVPCID. Getting here is unexpected.
+ */
+ WARN_ON_ONCE(1);
+ }
+}
+
+static void load_new_mm_cr3(pgd_t *pgdir, u16 new_asid, bool need_flush)
+{
+ unsigned long new_mm_cr3;
+
+ if (need_flush) {
+ flush_user_asid(pgdir, new_asid);
+ new_mm_cr3 = build_cr3(pgdir, new_asid);
+ } else {
+ new_mm_cr3 = build_cr3_noflush(pgdir, new_asid);
+ }
+
+ /*
+ * Caution: many callers of this function expect
+ * that load_cr3() is serializing and orders TLB
+ * fills with respect to the mm_cpumask writes.
+ */
+ write_cr3(new_mm_cr3);
+}
+
void leave_mm(int cpu)
{
struct mm_struct *loaded_mm = this_cpu_read(cpu_tlbstate.loaded_mm);
@@ -229,12 +291,12 @@ void switch_mm_irqs_off(struct mm_struct
if (need_flush) {
this_cpu_write(cpu_tlbstate.ctxs[new_asid].ctx_id, next->context.ctx_id);
this_cpu_write(cpu_tlbstate.ctxs[new_asid].tlb_gen, next_tlb_gen);
- write_cr3(build_cr3(next->pgd, new_asid));
+ load_new_mm_cr3(next->pgd, new_asid, true);
trace_tlb_flush(TLB_FLUSH_ON_TASK_SWITCH,
TLB_FLUSH_ALL);
} else {
/* The new ASID is already up to date. */
- write_cr3(build_cr3_noflush(next->pgd, new_asid));
+ load_new_mm_cr3(next->pgd, new_asid, false);
trace_tlb_flush(TLB_FLUSH_ON_TASK_SWITCH, 0);
}
_
^ permalink raw reply [flat|nested] 64+ messages in thread* [PATCH 24/30] x86, kaiser: disable native VSYSCALL
2017-11-08 19:46 [PATCH 00/30] [v2] KAISER: unmap most of the kernel from userspace page tables Dave Hansen
` (22 preceding siblings ...)
2017-11-08 19:47 ` [PATCH 23/30] x86, kaiser: use PCID feature to make user and kernel switches faster Dave Hansen
@ 2017-11-08 19:47 ` Dave Hansen
2017-11-09 19:04 ` Andy Lutomirski
2017-11-08 19:47 ` [PATCH 25/30] x86, kaiser: add debugfs file to turn KAISER on/off at runtime Dave Hansen
` (5 subsequent siblings)
29 siblings, 1 reply; 64+ messages in thread
From: Dave Hansen @ 2017-11-08 19:47 UTC (permalink / raw)
To: linux-kernel
Cc: linux-mm, dave.hansen, moritz.lipp, daniel.gruss,
michael.schwarz, richard.fellner, luto, torvalds, keescook,
hughd, x86
From: Dave Hansen <dave.hansen@linux.intel.com>
The VSYSCALL page is mapped by kernel page tables at a kernel address.
It is troublesome to support with KAISER in place, so disable the
native case.
Also add some help text about how KAISER might affect the emulation
case as well.
Signed-off-by: Dave Hansen <dave.hansen@linux.intel.com>
Cc: Moritz Lipp <moritz.lipp@iaik.tugraz.at>
Cc: Daniel Gruss <daniel.gruss@iaik.tugraz.at>
Cc: Michael Schwarz <michael.schwarz@iaik.tugraz.at>
Cc: Richard Fellner <richard.fellner@student.tugraz.at>
Cc: Andy Lutomirski <luto@kernel.org>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Kees Cook <keescook@google.com>
Cc: Hugh Dickins <hughd@google.com>
Cc: x86@kernel.org
---
b/arch/x86/Kconfig | 8 ++++++++
1 file changed, 8 insertions(+)
diff -puN arch/x86/Kconfig~kaiser-no-vsyscall arch/x86/Kconfig
--- a/arch/x86/Kconfig~kaiser-no-vsyscall 2017-11-08 10:45:39.157681370 -0800
+++ b/arch/x86/Kconfig 2017-11-08 10:45:39.162681370 -0800
@@ -2231,6 +2231,9 @@ choice
config LEGACY_VSYSCALL_NATIVE
bool "Native"
+ # The VSYSCALL page comes from the kernel page tables
+ # and is not available when KAISER is enabled.
+ depends on ! KAISER
help
Actual executable code is located in the fixed vsyscall
address mapping, implementing time() efficiently. Since
@@ -2248,6 +2251,11 @@ choice
exploits. This configuration is recommended when userspace
still uses the vsyscall area.
+ When KAISER is enabled, the vsyscall area will become
+ unreadable. This emulation option still works, but KAISER
+ will make it harder to do things like trace code using the
+ emulation.
+
config LEGACY_VSYSCALL_NONE
bool "None"
help
_
^ permalink raw reply [flat|nested] 64+ messages in thread* Re: [PATCH 24/30] x86, kaiser: disable native VSYSCALL
2017-11-08 19:47 ` [PATCH 24/30] x86, kaiser: disable native VSYSCALL Dave Hansen
@ 2017-11-09 19:04 ` Andy Lutomirski
2017-11-09 19:26 ` Dave Hansen
0 siblings, 1 reply; 64+ messages in thread
From: Andy Lutomirski @ 2017-11-09 19:04 UTC (permalink / raw)
To: Dave Hansen
Cc: linux-kernel, linux-mm, moritz.lipp, Daniel Gruss,
michael.schwarz, richard.fellner, Andrew Lutomirski,
Linus Torvalds, Kees Cook, Hugh Dickins, X86 ML
On Wed, Nov 8, 2017 at 11:47 AM, Dave Hansen
<dave.hansen@linux.intel.com> wrote:
>
> From: Dave Hansen <dave.hansen@linux.intel.com>
>
> The VSYSCALL page is mapped by kernel page tables at a kernel address.
> It is troublesome to support with KAISER in place, so disable the
> native case.
>
> Also add some help text about how KAISER might affect the emulation
> case as well.
Can you re-explain why this is helpful?
Also, I'm about to send patches that may cause a rethinking of how
KAISER handles the fixmap.
--Andy
>
> Signed-off-by: Dave Hansen <dave.hansen@linux.intel.com>
> Cc: Moritz Lipp <moritz.lipp@iaik.tugraz.at>
> Cc: Daniel Gruss <daniel.gruss@iaik.tugraz.at>
> Cc: Michael Schwarz <michael.schwarz@iaik.tugraz.at>
> Cc: Richard Fellner <richard.fellner@student.tugraz.at>
> Cc: Andy Lutomirski <luto@kernel.org>
> Cc: Linus Torvalds <torvalds@linux-foundation.org>
> Cc: Kees Cook <keescook@google.com>
> Cc: Hugh Dickins <hughd@google.com>
> Cc: x86@kernel.org
>
> ---
>
> b/arch/x86/Kconfig | 8 ++++++++
> 1 file changed, 8 insertions(+)
>
> diff -puN arch/x86/Kconfig~kaiser-no-vsyscall arch/x86/Kconfig
> --- a/arch/x86/Kconfig~kaiser-no-vsyscall 2017-11-08 10:45:39.157681370 -0800
> +++ b/arch/x86/Kconfig 2017-11-08 10:45:39.162681370 -0800
> @@ -2231,6 +2231,9 @@ choice
>
> config LEGACY_VSYSCALL_NATIVE
> bool "Native"
> + # The VSYSCALL page comes from the kernel page tables
> + # and is not available when KAISER is enabled.
> + depends on ! KAISER
> help
> Actual executable code is located in the fixed vsyscall
> address mapping, implementing time() efficiently. Since
> @@ -2248,6 +2251,11 @@ choice
> exploits. This configuration is recommended when userspace
> still uses the vsyscall area.
>
> + When KAISER is enabled, the vsyscall area will become
> + unreadable. This emulation option still works, but KAISER
> + will make it harder to do things like trace code using the
> + emulation.
> +
> config LEGACY_VSYSCALL_NONE
> bool "None"
> help
> _
^ permalink raw reply [flat|nested] 64+ messages in thread
* Re: [PATCH 24/30] x86, kaiser: disable native VSYSCALL
2017-11-09 19:04 ` Andy Lutomirski
@ 2017-11-09 19:26 ` Dave Hansen
2017-11-10 0:53 ` Andy Lutomirski
0 siblings, 1 reply; 64+ messages in thread
From: Dave Hansen @ 2017-11-09 19:26 UTC (permalink / raw)
To: Andy Lutomirski
Cc: linux-kernel, linux-mm, moritz.lipp, Daniel Gruss,
michael.schwarz, richard.fellner, Linus Torvalds, Kees Cook,
Hugh Dickins, X86 ML
On 11/09/2017 11:04 AM, Andy Lutomirski wrote:
> On Wed, Nov 8, 2017 at 11:47 AM, Dave Hansen
> <dave.hansen@linux.intel.com> wrote:
>>
>> From: Dave Hansen <dave.hansen@linux.intel.com>
>>
>> The VSYSCALL page is mapped by kernel page tables at a kernel address.
>> It is troublesome to support with KAISER in place, so disable the
>> native case.
>>
>> Also add some help text about how KAISER might affect the emulation
>> case as well.
>
> Can you re-explain why this is helpful?
How about this?
The KAISER code attempts to "poison" the user portion of the kernel page
tables. It detects the entries pages that it wants that it wants to
poison in two ways:
* Looking for addresses >= PAGE_OFFSET
* Looking for entries without _PAGE_USER set
But, to allow the _PAGE_USER check to work, we stopped it from being
set on all init_mm entries.
The VDSO is at a address >= PAGE_OFFSET and it is also mapped by the
init_mm. The fact that we remove _PAGE_USER from the page tables makes
it unreadable to userspace.
This makes the "NATIVE" case totally unusable since userspace can not
even see the memory any more. Disable it whenever KAISER is enabled.
^ permalink raw reply [flat|nested] 64+ messages in thread
* Re: [PATCH 24/30] x86, kaiser: disable native VSYSCALL
2017-11-09 19:26 ` Dave Hansen
@ 2017-11-10 0:53 ` Andy Lutomirski
2017-11-10 0:57 ` Dave Hansen
0 siblings, 1 reply; 64+ messages in thread
From: Andy Lutomirski @ 2017-11-10 0:53 UTC (permalink / raw)
To: Dave Hansen
Cc: Andy Lutomirski, linux-kernel, linux-mm, moritz.lipp,
Daniel Gruss, michael.schwarz, richard.fellner, Linus Torvalds,
Kees Cook, Hugh Dickins, X86 ML
On Thu, Nov 9, 2017 at 11:26 AM, Dave Hansen
<dave.hansen@linux.intel.com> wrote:
> On 11/09/2017 11:04 AM, Andy Lutomirski wrote:
>> On Wed, Nov 8, 2017 at 11:47 AM, Dave Hansen
>> <dave.hansen@linux.intel.com> wrote:
>>>
>>> From: Dave Hansen <dave.hansen@linux.intel.com>
>>>
>>> The VSYSCALL page is mapped by kernel page tables at a kernel address.
>>> It is troublesome to support with KAISER in place, so disable the
>>> native case.
>>>
>>> Also add some help text about how KAISER might affect the emulation
>>> case as well.
>>
>> Can you re-explain why this is helpful?
>
> How about this?
>
> The KAISER code attempts to "poison" the user portion of the kernel page
> tables. It detects the entries pages that it wants that it wants to
> poison in two ways:
> * Looking for addresses >= PAGE_OFFSET
> * Looking for entries without _PAGE_USER set
What do you mean "poison"?
Anyway, the stuff here:
https://git.kernel.org/pub/scm/linux/kernel/git/luto/linux.git/log/?h=x86/entry_stack
is an attempt to create the infrastructure needed to move (almost?)
everything needed in the user tables into the fixmap. If that ends up
working well, then perhaps the fixmap should just be completely
special-cased, in which case I think this issue goes away. What I
have in mind is something like:
set_user_fixmap(index, pa, prot);
that sets an entry in the *user* fixmap. All user mms would get the
same PGD entry for the user fixmap.
(And yes, it quite correctly fails kbuild bot right now. That's why I
haven't emailed out the patches yet.)
^ permalink raw reply [flat|nested] 64+ messages in thread
* Re: [PATCH 24/30] x86, kaiser: disable native VSYSCALL
2017-11-10 0:53 ` Andy Lutomirski
@ 2017-11-10 0:57 ` Dave Hansen
2017-11-10 1:04 ` Andy Lutomirski
0 siblings, 1 reply; 64+ messages in thread
From: Dave Hansen @ 2017-11-10 0:57 UTC (permalink / raw)
To: Andy Lutomirski
Cc: linux-kernel, linux-mm, moritz.lipp, Daniel Gruss,
michael.schwarz, richard.fellner, Linus Torvalds, Kees Cook,
Hugh Dickins, X86 ML
On 11/09/2017 04:53 PM, Andy Lutomirski wrote:
>> The KAISER code attempts to "poison" the user portion of the kernel page
>> tables. It detects the entries pages that it wants that it wants to
>> poison in two ways:
>> * Looking for addresses >= PAGE_OFFSET
>> * Looking for entries without _PAGE_USER set
> What do you mean "poison"?
I meant the _PAGE_NX magic that we do in here:
https://git.kernel.org/pub/scm/linux/kernel/git/daveh/x86-kaiser.git/commit/?h=kaiser-414rc7-20171108&id=c4f7d0819170761f092fcf2327b85b082368e73a
to ensure that userspace is unable to run on the kernel PGD.
^ permalink raw reply [flat|nested] 64+ messages in thread
* Re: [PATCH 24/30] x86, kaiser: disable native VSYSCALL
2017-11-10 0:57 ` Dave Hansen
@ 2017-11-10 1:04 ` Andy Lutomirski
2017-11-10 1:22 ` Dave Hansen
0 siblings, 1 reply; 64+ messages in thread
From: Andy Lutomirski @ 2017-11-10 1:04 UTC (permalink / raw)
To: Dave Hansen
Cc: Andy Lutomirski, linux-kernel, linux-mm, moritz.lipp,
Daniel Gruss, michael.schwarz, richard.fellner, Linus Torvalds,
Kees Cook, Hugh Dickins, X86 ML
On Thu, Nov 9, 2017 at 4:57 PM, Dave Hansen <dave.hansen@linux.intel.com> wrote:
> On 11/09/2017 04:53 PM, Andy Lutomirski wrote:
>>> The KAISER code attempts to "poison" the user portion of the kernel page
>>> tables. It detects the entries pages that it wants that it wants to
>>> poison in two ways:
>>> * Looking for addresses >= PAGE_OFFSET
>>> * Looking for entries without _PAGE_USER set
>> What do you mean "poison"?
>
> I meant the _PAGE_NX magic that we do in here:
>
> https://git.kernel.org/pub/scm/linux/kernel/git/daveh/x86-kaiser.git/commit/?h=kaiser-414rc7-20171108&id=c4f7d0819170761f092fcf2327b85b082368e73a
>
> to ensure that userspace is unable to run on the kernel PGD.
Aha, I get it. Why not just drop the _PAGE_USER check? You could
instead warn if you see a _PAGE_USER page that doesn't have the
correct address for the vsyscall.
^ permalink raw reply [flat|nested] 64+ messages in thread
* Re: [PATCH 24/30] x86, kaiser: disable native VSYSCALL
2017-11-10 1:04 ` Andy Lutomirski
@ 2017-11-10 1:22 ` Dave Hansen
2017-11-10 2:25 ` Andy Lutomirski
0 siblings, 1 reply; 64+ messages in thread
From: Dave Hansen @ 2017-11-10 1:22 UTC (permalink / raw)
To: Andy Lutomirski
Cc: linux-kernel, linux-mm, moritz.lipp, Daniel Gruss,
michael.schwarz, richard.fellner, Linus Torvalds, Kees Cook,
Hugh Dickins, X86 ML
On 11/09/2017 05:04 PM, Andy Lutomirski wrote:
> On Thu, Nov 9, 2017 at 4:57 PM, Dave Hansen <dave.hansen@linux.intel.com> wrote:
>> On 11/09/2017 04:53 PM, Andy Lutomirski wrote:
>>>> The KAISER code attempts to "poison" the user portion of the kernel page
>>>> tables. It detects the entries pages that it wants that it wants to
>>>> poison in two ways:
>>>> * Looking for addresses >= PAGE_OFFSET
>>>> * Looking for entries without _PAGE_USER set
>>> What do you mean "poison"?
>>
>> I meant the _PAGE_NX magic that we do in here:
>>
>> https://git.kernel.org/pub/scm/linux/kernel/git/daveh/x86-kaiser.git/commit/?h=kaiser-414rc7-20171108&id=c4f7d0819170761f092fcf2327b85b082368e73a
>>
>> to ensure that userspace is unable to run on the kernel PGD.
>
> Aha, I get it. Why not just drop the _PAGE_USER check? You could
> instead warn if you see a _PAGE_USER page that doesn't have the
> correct address for the vsyscall.
The _PAGE_USER check helps us with kernel things that want to create
mappings below PAGE_OFFSET. The EFI code was the prime user for this.
Without this, we poison the EFI mappings and the EFI calls die.
I think there might have also been a case for the secondary CPU bringup
that needed hacking if we didn't do this.
^ permalink raw reply [flat|nested] 64+ messages in thread
* Re: [PATCH 24/30] x86, kaiser: disable native VSYSCALL
2017-11-10 1:22 ` Dave Hansen
@ 2017-11-10 2:25 ` Andy Lutomirski
2017-11-10 6:31 ` Dave Hansen
0 siblings, 1 reply; 64+ messages in thread
From: Andy Lutomirski @ 2017-11-10 2:25 UTC (permalink / raw)
To: Dave Hansen
Cc: Andy Lutomirski, linux-kernel, linux-mm, moritz.lipp,
Daniel Gruss, michael.schwarz, richard.fellner, Linus Torvalds,
Kees Cook, Hugh Dickins, X86 ML
On Thu, Nov 9, 2017 at 5:22 PM, Dave Hansen <dave.hansen@linux.intel.com> wrote:
> On 11/09/2017 05:04 PM, Andy Lutomirski wrote:
>> On Thu, Nov 9, 2017 at 4:57 PM, Dave Hansen <dave.hansen@linux.intel.com> wrote:
>>> On 11/09/2017 04:53 PM, Andy Lutomirski wrote:
>>>>> The KAISER code attempts to "poison" the user portion of the kernel page
>>>>> tables. It detects the entries pages that it wants that it wants to
>>>>> poison in two ways:
>>>>> * Looking for addresses >= PAGE_OFFSET
>>>>> * Looking for entries without _PAGE_USER set
>>>> What do you mean "poison"?
>>>
>>> I meant the _PAGE_NX magic that we do in here:
>>>
>>> https://git.kernel.org/pub/scm/linux/kernel/git/daveh/x86-kaiser.git/commit/?h=kaiser-414rc7-20171108&id=c4f7d0819170761f092fcf2327b85b082368e73a
>>>
>>> to ensure that userspace is unable to run on the kernel PGD.
>>
>> Aha, I get it. Why not just drop the _PAGE_USER check? You could
>> instead warn if you see a _PAGE_USER page that doesn't have the
>> correct address for the vsyscall.
>
> The _PAGE_USER check helps us with kernel things that want to create
> mappings below PAGE_OFFSET. The EFI code was the prime user for this.
> Without this, we poison the EFI mappings and the EFI calls die.
OK, let's see if I understand. EFI and maybe some other stuff creates
low mappings with _PAGE_USER clear that are intended to be executed in
kernel mode, and, if you just set NX on all low mappings in kernel
mode, then it doesn't work.
Here are two proposals to address this without breaking vsyscalls.
1. Set NX on low mappings that are _PAGE_USER. Don't set NX on high
mappings but, optionally, warn if you see _PAGE_USER on any address
that isn't the vsyscall page.
2. Ignore _PAGE_USER entirely and just mark the EFI mm as special so
KAISER doesn't muck with it.
--Andy
^ permalink raw reply [flat|nested] 64+ messages in thread
* Re: [PATCH 24/30] x86, kaiser: disable native VSYSCALL
2017-11-10 2:25 ` Andy Lutomirski
@ 2017-11-10 6:31 ` Dave Hansen
2017-11-10 22:06 ` Andy Lutomirski
0 siblings, 1 reply; 64+ messages in thread
From: Dave Hansen @ 2017-11-10 6:31 UTC (permalink / raw)
To: Andy Lutomirski
Cc: linux-kernel, linux-mm, moritz.lipp, Daniel Gruss,
michael.schwarz, richard.fellner, Linus Torvalds, Kees Cook,
Hugh Dickins, X86 ML
On 11/09/2017 06:25 PM, Andy Lutomirski wrote:
> Here are two proposals to address this without breaking vsyscalls.
>
> 1. Set NX on low mappings that are _PAGE_USER. Don't set NX on high
> mappings but, optionally, warn if you see _PAGE_USER on any address
> that isn't the vsyscall page.
>
> 2. Ignore _PAGE_USER entirely and just mark the EFI mm as special so
> KAISER doesn't muck with it.
These are totally doable. But, what's the big deal with breaking native
vsyscall? We can still do the emulation so nothing breaks: it is just slow.
^ permalink raw reply [flat|nested] 64+ messages in thread
* Re: [PATCH 24/30] x86, kaiser: disable native VSYSCALL
2017-11-10 6:31 ` Dave Hansen
@ 2017-11-10 22:06 ` Andy Lutomirski
2017-11-10 23:04 ` Dave Hansen
0 siblings, 1 reply; 64+ messages in thread
From: Andy Lutomirski @ 2017-11-10 22:06 UTC (permalink / raw)
To: Dave Hansen
Cc: Andy Lutomirski, linux-kernel, linux-mm, moritz.lipp,
Daniel Gruss, michael.schwarz, richard.fellner, Linus Torvalds,
Kees Cook, Hugh Dickins, X86 ML
On Thu, Nov 9, 2017 at 10:31 PM, Dave Hansen
<dave.hansen@linux.intel.com> wrote:
> On 11/09/2017 06:25 PM, Andy Lutomirski wrote:
>> Here are two proposals to address this without breaking vsyscalls.
>>
>> 1. Set NX on low mappings that are _PAGE_USER. Don't set NX on high
>> mappings but, optionally, warn if you see _PAGE_USER on any address
>> that isn't the vsyscall page.
>>
>> 2. Ignore _PAGE_USER entirely and just mark the EFI mm as special so
>> KAISER doesn't muck with it.
>
> These are totally doable. But, what's the big deal with breaking native
> vsyscall? We can still do the emulation so nothing breaks: it is just slow.
I have nothing against disabling native. I object to breaking the
weird binary tracing behavior in the emulation mode, especially if
it's tangled up with KAISER. I got all kinds of flak in an earlier
version of the vsyscall emulation patches when I broke that use case.
KAISER may get very widely backported -- let's not make changes that
are already known to break things.
^ permalink raw reply [flat|nested] 64+ messages in thread
* Re: [PATCH 24/30] x86, kaiser: disable native VSYSCALL
2017-11-10 22:06 ` Andy Lutomirski
@ 2017-11-10 23:04 ` Dave Hansen
2017-11-13 3:52 ` Andy Lutomirski
0 siblings, 1 reply; 64+ messages in thread
From: Dave Hansen @ 2017-11-10 23:04 UTC (permalink / raw)
To: Andy Lutomirski
Cc: linux-kernel, linux-mm, moritz.lipp, Daniel Gruss,
michael.schwarz, richard.fellner, Linus Torvalds, Kees Cook,
Hugh Dickins, X86 ML
On 11/10/2017 02:06 PM, Andy Lutomirski wrote:
> On Thu, Nov 9, 2017 at 10:31 PM, Dave Hansen
> <dave.hansen@linux.intel.com> wrote:
>> On 11/09/2017 06:25 PM, Andy Lutomirski wrote:
>>> Here are two proposals to address this without breaking vsyscalls.
>>>
>>> 1. Set NX on low mappings that are _PAGE_USER. Don't set NX on high
>>> mappings but, optionally, warn if you see _PAGE_USER on any address
>>> that isn't the vsyscall page.
>>>
>>> 2. Ignore _PAGE_USER entirely and just mark the EFI mm as special so
>>> KAISER doesn't muck with it.
>>
>> These are totally doable. But, what's the big deal with breaking native
>> vsyscall? We can still do the emulation so nothing breaks: it is just slow.
>
> I have nothing against disabling native. I object to breaking the
> weird binary tracing behavior in the emulation mode, especially if
> it's tangled up with KAISER. I got all kinds of flak in an earlier
> version of the vsyscall emulation patches when I broke that use case.
> KAISER may get very widely backported -- let's not make changes that
> are already known to break things.
Is the thing that broke a "user mode program that actually looks at the
vsyscall page"? Like Linus is referring to here:
> http://lkml.kernel.org/r/CA+55aFyijHb4WnDMKgeXekTZHYT8pajqSAu2peo3O4EKiZbYPA@mail.gmail.com
^ permalink raw reply [flat|nested] 64+ messages in thread
* Re: [PATCH 24/30] x86, kaiser: disable native VSYSCALL
2017-11-10 23:04 ` Dave Hansen
@ 2017-11-13 3:52 ` Andy Lutomirski
2017-11-13 21:07 ` Dave Hansen
0 siblings, 1 reply; 64+ messages in thread
From: Andy Lutomirski @ 2017-11-13 3:52 UTC (permalink / raw)
To: Dave Hansen
Cc: Andy Lutomirski, linux-kernel, linux-mm, moritz.lipp,
Daniel Gruss, michael.schwarz, richard.fellner, Linus Torvalds,
Kees Cook, Hugh Dickins, X86 ML
On Fri, Nov 10, 2017 at 3:04 PM, Dave Hansen
<dave.hansen@linux.intel.com> wrote:
> On 11/10/2017 02:06 PM, Andy Lutomirski wrote:
>> On Thu, Nov 9, 2017 at 10:31 PM, Dave Hansen
>> <dave.hansen@linux.intel.com> wrote:
>>> On 11/09/2017 06:25 PM, Andy Lutomirski wrote:
>>>> Here are two proposals to address this without breaking vsyscalls.
>>>>
>>>> 1. Set NX on low mappings that are _PAGE_USER. Don't set NX on high
>>>> mappings but, optionally, warn if you see _PAGE_USER on any address
>>>> that isn't the vsyscall page.
>>>>
>>>> 2. Ignore _PAGE_USER entirely and just mark the EFI mm as special so
>>>> KAISER doesn't muck with it.
>>>
>>> These are totally doable. But, what's the big deal with breaking native
>>> vsyscall? We can still do the emulation so nothing breaks: it is just slow.
>>
>> I have nothing against disabling native. I object to breaking the
>> weird binary tracing behavior in the emulation mode, especially if
>> it's tangled up with KAISER. I got all kinds of flak in an earlier
>> version of the vsyscall emulation patches when I broke that use case.
>> KAISER may get very widely backported -- let's not make changes that
>> are already known to break things.
>
> Is the thing that broke a "user mode program that actually looks at the
> vsyscall page"? Like Linus is referring to here:
>
Yes. But I disagree with Linus. I think it would be perfectly
reasonable to enable KAISER and to use a tool like pin on a legacy
binary from some enterprise distribution. I bet there are lots of
enterprise distributions that are still supported that use vsyscalls.
^ permalink raw reply [flat|nested] 64+ messages in thread
* Re: [PATCH 24/30] x86, kaiser: disable native VSYSCALL
2017-11-13 3:52 ` Andy Lutomirski
@ 2017-11-13 21:07 ` Dave Hansen
2017-11-14 2:15 ` Andy Lutomirski
0 siblings, 1 reply; 64+ messages in thread
From: Dave Hansen @ 2017-11-13 21:07 UTC (permalink / raw)
To: Andy Lutomirski
Cc: linux-kernel, linux-mm, moritz.lipp, Daniel Gruss,
michael.schwarz, richard.fellner, Linus Torvalds, Kees Cook,
Hugh Dickins, X86 ML
On 11/12/2017 07:52 PM, Andy Lutomirski wrote:
> On Fri, Nov 10, 2017 at 3:04 PM, Dave Hansen
> <dave.hansen@linux.intel.com> wrote:
>> On 11/10/2017 02:06 PM, Andy Lutomirski wrote:
>>> I have nothing against disabling native. I object to breaking the
>>> weird binary tracing behavior in the emulation mode, especially if
>>> it's tangled up with KAISER. I got all kinds of flak in an earlier
>>> version of the vsyscall emulation patches when I broke that use case.
>>> KAISER may get very widely backported -- let's not make changes that
>>> are already known to break things.
>>
>> Is the thing that broke a "user mode program that actually looks at the
>> vsyscall page"? Like Linus is referring to here:
>>
> Yes. But I disagree with Linus. I think it would be perfectly
> reasonable to enable KAISER and to use a tool like pin on a legacy
> binary from some enterprise distribution. I bet there are lots of
> enterprise distributions that are still supported that use vsyscalls.
All we need to do in the end here is to re-set _PAGE_USER on the user
page table PGD that is used by the vsyscall page. We should be able to
do that with a line or two of code in kaiser_init(). We can do it
conditionally on when the VDSO is not compile-time disabled.
I can do this as a follow-on patch, or as the last one in the KAISER
series and leave it up to our esteemed maintainers to decide whether
they want to do it or not. Sound good?
Are there any userspace tests around that I can use for this, or will I
have to cook something up?
^ permalink raw reply [flat|nested] 64+ messages in thread
* Re: [PATCH 24/30] x86, kaiser: disable native VSYSCALL
2017-11-13 21:07 ` Dave Hansen
@ 2017-11-14 2:15 ` Andy Lutomirski
0 siblings, 0 replies; 64+ messages in thread
From: Andy Lutomirski @ 2017-11-14 2:15 UTC (permalink / raw)
To: Dave Hansen
Cc: Andy Lutomirski, linux-kernel, linux-mm, moritz.lipp,
Daniel Gruss, michael.schwarz, richard.fellner, Linus Torvalds,
Kees Cook, Hugh Dickins, X86 ML
On Mon, Nov 13, 2017 at 1:07 PM, Dave Hansen
<dave.hansen@linux.intel.com> wrote:
> On 11/12/2017 07:52 PM, Andy Lutomirski wrote:
>> On Fri, Nov 10, 2017 at 3:04 PM, Dave Hansen
>> <dave.hansen@linux.intel.com> wrote:
>>> On 11/10/2017 02:06 PM, Andy Lutomirski wrote:
>>>> I have nothing against disabling native. I object to breaking the
>>>> weird binary tracing behavior in the emulation mode, especially if
>>>> it's tangled up with KAISER. I got all kinds of flak in an earlier
>>>> version of the vsyscall emulation patches when I broke that use case.
>>>> KAISER may get very widely backported -- let's not make changes that
>>>> are already known to break things.
>>>
>>> Is the thing that broke a "user mode program that actually looks at the
>>> vsyscall page"? Like Linus is referring to here:
>>>
>> Yes. But I disagree with Linus. I think it would be perfectly
>> reasonable to enable KAISER and to use a tool like pin on a legacy
>> binary from some enterprise distribution. I bet there are lots of
>> enterprise distributions that are still supported that use vsyscalls.
>
> All we need to do in the end here is to re-set _PAGE_USER on the user
> page table PGD that is used by the vsyscall page. We should be able to
> do that with a line or two of code in kaiser_init(). We can do it
> conditionally on when the VDSO is not compile-time disabled.
>
> I can do this as a follow-on patch, or as the last one in the KAISER
> series and leave it up to our esteemed maintainers to decide whether
> they want to do it or not. Sound good?
>
> Are there any userspace tests around that I can use for this, or will I
> have to cook something up?
I don't. This old test might be adaptable:
https://git.kernel.org/pub/scm/linux/kernel/git/luto/misc-tests.git/tree/test_vsyscall.cc
What you'd want to do is to add a variant that allocates some RWX
memory, memcpys the vsyscall page there, and tests that it still works
(but only if the vsyscall page worked in the first place).
^ permalink raw reply [flat|nested] 64+ messages in thread
* [PATCH 25/30] x86, kaiser: add debugfs file to turn KAISER on/off at runtime
2017-11-08 19:46 [PATCH 00/30] [v2] KAISER: unmap most of the kernel from userspace page tables Dave Hansen
` (23 preceding siblings ...)
2017-11-08 19:47 ` [PATCH 24/30] x86, kaiser: disable native VSYSCALL Dave Hansen
@ 2017-11-08 19:47 ` Dave Hansen
2017-11-08 19:47 ` [PATCH 26/30] x86, kaiser: add a function to check for KAISER being enabled Dave Hansen
` (4 subsequent siblings)
29 siblings, 0 replies; 64+ messages in thread
From: Dave Hansen @ 2017-11-08 19:47 UTC (permalink / raw)
To: linux-kernel
Cc: linux-mm, dave.hansen, moritz.lipp, daniel.gruss,
michael.schwarz, richard.fellner, luto, torvalds, keescook,
hughd, x86
From: Dave Hansen <dave.hansen@linux.intel.com>
We will use this in a few patches. Right now, it's not wired up
to do anything useful.
Signed-off-by: Dave Hansen <dave.hansen@linux.intel.com>
Cc: Moritz Lipp <moritz.lipp@iaik.tugraz.at>
Cc: Daniel Gruss <daniel.gruss@iaik.tugraz.at>
Cc: Michael Schwarz <michael.schwarz@iaik.tugraz.at>
Cc: Richard Fellner <richard.fellner@student.tugraz.at>
Cc: Andy Lutomirski <luto@kernel.org>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Kees Cook <keescook@google.com>
Cc: Hugh Dickins <hughd@google.com>
Cc: x86@kernel.org
---
b/arch/x86/mm/kaiser.c | 48 ++++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 48 insertions(+)
diff -puN arch/x86/mm/kaiser.c~kaiser-dynamic-debugfs arch/x86/mm/kaiser.c
--- a/arch/x86/mm/kaiser.c~kaiser-dynamic-debugfs 2017-11-08 10:45:39.690681369 -0800
+++ b/arch/x86/mm/kaiser.c 2017-11-08 10:45:39.693681369 -0800
@@ -18,6 +18,7 @@
#include <linux/string.h>
#include <linux/types.h>
#include <linux/bug.h>
+#include <linux/debugfs.h>
#include <linux/init.h>
#include <linux/interrupt.h>
#include <linux/spinlock.h>
@@ -446,3 +447,50 @@ void kaiser_remove_mapping(unsigned long
*/
__native_flush_tlb_global();
}
+
+int kaiser_enabled = 1;
+static ssize_t kaiser_enabled_read_file(struct file *file, char __user *user_buf,
+ size_t count, loff_t *ppos)
+{
+ char buf[32];
+ unsigned int len;
+
+ len = sprintf(buf, "%d\n", kaiser_enabled);
+ return simple_read_from_buffer(user_buf, count, ppos, buf, len);
+}
+
+static ssize_t kaiser_enabled_write_file(struct file *file,
+ const char __user *user_buf, size_t count, loff_t *ppos)
+{
+ char buf[32];
+ ssize_t len;
+ unsigned int enable;
+
+ len = min(count, sizeof(buf) - 1);
+ if (copy_from_user(buf, user_buf, len))
+ return -EFAULT;
+
+ buf[len] = '\0';
+ if (kstrtoint(buf, 0, &enable))
+ return -EINVAL;
+
+ if (enable > 1)
+ return -EINVAL;
+
+ WRITE_ONCE(kaiser_enabled, enable);
+ return count;
+}
+
+static const struct file_operations fops_kaiser_enabled = {
+ .read = kaiser_enabled_read_file,
+ .write = kaiser_enabled_write_file,
+ .llseek = default_llseek,
+};
+
+static int __init create_kaiser_enabled(void)
+{
+ debugfs_create_file("kaiser-enabled", S_IRUSR | S_IWUSR,
+ arch_debugfs_dir, NULL, &fops_kaiser_enabled);
+ return 0;
+}
+late_initcall(create_kaiser_enabled);
_
^ permalink raw reply [flat|nested] 64+ messages in thread* [PATCH 26/30] x86, kaiser: add a function to check for KAISER being enabled
2017-11-08 19:46 [PATCH 00/30] [v2] KAISER: unmap most of the kernel from userspace page tables Dave Hansen
` (24 preceding siblings ...)
2017-11-08 19:47 ` [PATCH 25/30] x86, kaiser: add debugfs file to turn KAISER on/off at runtime Dave Hansen
@ 2017-11-08 19:47 ` Dave Hansen
2017-11-08 19:47 ` [PATCH 27/30] x86, kaiser: un-poison PGDs at runtime Dave Hansen
` (3 subsequent siblings)
29 siblings, 0 replies; 64+ messages in thread
From: Dave Hansen @ 2017-11-08 19:47 UTC (permalink / raw)
To: linux-kernel
Cc: linux-mm, dave.hansen, moritz.lipp, daniel.gruss,
michael.schwarz, richard.fellner, luto, torvalds, keescook,
hughd, x86
From: Dave Hansen <dave.hansen@linux.intel.com>
Currently, all of the checks for KAISER are compile-time checks.
We also need runtime checks if we are going to turn it on/off at
runtime.
Add a function to do that.
Signed-off-by: Dave Hansen <dave.hansen@linux.intel.com>
Cc: Moritz Lipp <moritz.lipp@iaik.tugraz.at>
Cc: Daniel Gruss <daniel.gruss@iaik.tugraz.at>
Cc: Michael Schwarz <michael.schwarz@iaik.tugraz.at>
Cc: Richard Fellner <richard.fellner@student.tugraz.at>
Cc: Andy Lutomirski <luto@kernel.org>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Kees Cook <keescook@google.com>
Cc: Hugh Dickins <hughd@google.com>
Cc: x86@kernel.org
---
b/arch/x86/include/asm/kaiser.h | 5 +++++
b/include/linux/kaiser.h | 4 ++++
2 files changed, 9 insertions(+)
diff -puN arch/x86/include/asm/kaiser.h~kaiser-dynamic-check-func arch/x86/include/asm/kaiser.h
--- a/arch/x86/include/asm/kaiser.h~kaiser-dynamic-check-func 2017-11-08 10:45:40.224681368 -0800
+++ b/arch/x86/include/asm/kaiser.h 2017-11-08 10:45:40.229681368 -0800
@@ -50,6 +50,11 @@ extern void kaiser_remove_mapping(unsign
*/
extern void kaiser_init(void);
+static inline bool kaiser_active(void)
+{
+ extern int kaiser_enabled;
+ return kaiser_enabled;
+}
#endif
#endif /* __ASSEMBLY__ */
diff -puN include/linux/kaiser.h~kaiser-dynamic-check-func include/linux/kaiser.h
--- a/include/linux/kaiser.h~kaiser-dynamic-check-func 2017-11-08 10:45:40.225681368 -0800
+++ b/include/linux/kaiser.h 2017-11-08 10:45:40.229681368 -0800
@@ -25,5 +25,9 @@ static inline int kaiser_add_mapping(uns
return 0;
}
+static inline bool kaiser_active(void)
+{
+ return 0;
+}
#endif /* !CONFIG_KAISER */
#endif /* _INCLUDE_KAISER_H */
_
^ permalink raw reply [flat|nested] 64+ messages in thread* [PATCH 27/30] x86, kaiser: un-poison PGDs at runtime
2017-11-08 19:46 [PATCH 00/30] [v2] KAISER: unmap most of the kernel from userspace page tables Dave Hansen
` (25 preceding siblings ...)
2017-11-08 19:47 ` [PATCH 26/30] x86, kaiser: add a function to check for KAISER being enabled Dave Hansen
@ 2017-11-08 19:47 ` Dave Hansen
2017-11-08 19:47 ` [PATCH 28/30] x86, kaiser: allow KAISER to be enabled/disabled " Dave Hansen
` (2 subsequent siblings)
29 siblings, 0 replies; 64+ messages in thread
From: Dave Hansen @ 2017-11-08 19:47 UTC (permalink / raw)
To: linux-kernel
Cc: linux-mm, dave.hansen, moritz.lipp, daniel.gruss,
michael.schwarz, richard.fellner, luto, torvalds, keescook,
hughd, x86
From: Dave Hansen <dave.hansen@linux.intel.com>
We poison kernel PGDs that map userspace with the NX bit. This
ensures that if we miss a kernel->user CR3 switch, userspace
crashes instead of running in an unhardened state.
We will need this code in a moment when we turn kaiser on and off
at runtime.
Note that we now need an __ASSEMBLY__ #ifdef since we are now
indirectly including kaiser.h into assembly.
Signed-off-by: Dave Hansen <dave.hansen@linux.intel.com>
Cc: Moritz Lipp <moritz.lipp@iaik.tugraz.at>
Cc: Daniel Gruss <daniel.gruss@iaik.tugraz.at>
Cc: Michael Schwarz <michael.schwarz@iaik.tugraz.at>
Cc: Richard Fellner <richard.fellner@student.tugraz.at>
Cc: Andy Lutomirski <luto@kernel.org>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Kees Cook <keescook@google.com>
Cc: Hugh Dickins <hughd@google.com>
Cc: x86@kernel.org
---
b/arch/x86/include/asm/pgtable_64.h | 16 ++++++++++++++-
b/arch/x86/mm/kaiser.c | 38 ++++++++++++++++++++++++++++++++++++
b/include/linux/kaiser.h | 3 +-
3 files changed, 55 insertions(+), 2 deletions(-)
diff -puN arch/x86/include/asm/pgtable_64.h~kaiser-dynamic-unpoison-pgd arch/x86/include/asm/pgtable_64.h
--- a/arch/x86/include/asm/pgtable_64.h~kaiser-dynamic-unpoison-pgd 2017-11-08 10:45:40.781681366 -0800
+++ b/arch/x86/include/asm/pgtable_64.h 2017-11-08 10:45:40.788681366 -0800
@@ -2,6 +2,7 @@
#define _ASM_X86_PGTABLE_64_H
#include <linux/const.h>
+#include <linux/kaiser.h>
#include <asm/pgtable_64_types.h>
#ifndef __ASSEMBLY__
@@ -196,6 +197,18 @@ static inline bool pgd_userspace_access(
return (pgd.pgd & _PAGE_USER);
}
+static inline void kaiser_poison_pgd(pgd_t *pgd)
+{
+ if (pgd->pgd & _PAGE_PRESENT)
+ pgd->pgd |= _PAGE_NX;
+}
+
+static inline void kaiser_unpoison_pgd(pgd_t *pgd)
+{
+ if (pgd->pgd & _PAGE_PRESENT)
+ pgd->pgd &= ~_PAGE_NX;
+}
+
/*
* Returns the pgd_t that the kernel should use in its page tables.
*/
@@ -216,7 +229,8 @@ static inline pgd_t kaiser_set_shadow_pg
* wrong CR3 value, userspace will crash
* instead of running.
*/
- pgd.pgd |= _PAGE_NX;
+ if (kaiser_active())
+ kaiser_poison_pgd(&pgd);
}
} else if (!pgd.pgd) {
/*
diff -puN arch/x86/mm/kaiser.c~kaiser-dynamic-unpoison-pgd arch/x86/mm/kaiser.c
--- a/arch/x86/mm/kaiser.c~kaiser-dynamic-unpoison-pgd 2017-11-08 10:45:40.783681366 -0800
+++ b/arch/x86/mm/kaiser.c 2017-11-08 10:45:40.788681366 -0800
@@ -477,6 +477,9 @@ static ssize_t kaiser_enabled_write_file
if (enable > 1)
return -EINVAL;
+ if (kaiser_enabled == enable)
+ return count;
+
WRITE_ONCE(kaiser_enabled, enable);
return count;
}
@@ -494,3 +497,38 @@ static int __init create_kaiser_enabled(
return 0;
}
late_initcall(create_kaiser_enabled);
+
+enum poison {
+ KAISER_POISON,
+ KAISER_UNPOISON
+};
+void kaiser_poison_pgd_page(pgd_t *pgd_page, enum poison do_poison)
+{
+ int i = 0;
+
+ for (i = 0; i < PTRS_PER_PGD; i++) {
+ pgd_t *pgd = &pgd_page[i];
+
+ /* Stop once we hit kernel addresses: */
+ if (!pgdp_maps_userspace(pgd))
+ break;
+
+ if (do_poison == KAISER_POISON)
+ kaiser_poison_pgd(pgd);
+ else
+ kaiser_unpoison_pgd(pgd);
+ }
+
+}
+
+void kaiser_poison_pgds(enum poison do_poison)
+{
+ struct page *page;
+
+ spin_lock(&pgd_lock);
+ list_for_each_entry(page, &pgd_list, lru) {
+ pgd_t *pgd = (pgd_t *)page_address(page);
+ kaiser_poison_pgd_page(pgd, do_poison);
+ }
+ spin_unlock(&pgd_lock);
+}
diff -puN include/linux/kaiser.h~kaiser-dynamic-unpoison-pgd include/linux/kaiser.h
--- a/include/linux/kaiser.h~kaiser-dynamic-unpoison-pgd 2017-11-08 10:45:40.784681366 -0800
+++ b/include/linux/kaiser.h 2017-11-08 10:45:40.788681366 -0800
@@ -4,7 +4,7 @@
#ifdef CONFIG_KAISER
#include <asm/kaiser.h>
#else
-
+#ifndef __ASSEMBLY__
/*
* These stubs are used whenever CONFIG_KAISER is off, which
* includes architectures that support KAISER, but have it
@@ -29,5 +29,6 @@ static inline bool kaiser_active(void)
{
return 0;
}
+#endif /* __ASSEMBLY__ */
#endif /* !CONFIG_KAISER */
#endif /* _INCLUDE_KAISER_H */
_
^ permalink raw reply [flat|nested] 64+ messages in thread* [PATCH 28/30] x86, kaiser: allow KAISER to be enabled/disabled at runtime
2017-11-08 19:46 [PATCH 00/30] [v2] KAISER: unmap most of the kernel from userspace page tables Dave Hansen
` (26 preceding siblings ...)
2017-11-08 19:47 ` [PATCH 27/30] x86, kaiser: un-poison PGDs at runtime Dave Hansen
@ 2017-11-08 19:47 ` Dave Hansen
2017-11-08 19:47 ` [PATCH 29/30] x86, kaiser: add Kconfig Dave Hansen
2017-11-08 19:47 ` [PATCH 30/30] x86, kaiser, xen: Dynamically disable KAISER when running under Xen PV Dave Hansen
29 siblings, 0 replies; 64+ messages in thread
From: Dave Hansen @ 2017-11-08 19:47 UTC (permalink / raw)
To: linux-kernel
Cc: linux-mm, dave.hansen, moritz.lipp, daniel.gruss,
michael.schwarz, richard.fellner, luto, torvalds, keescook,
hughd, x86
From: Dave Hansen <dave.hansen@linux.intel.com>
The KAISER CR3 switches are expensive for many reasons. Not all systems
benefit from the protection provided by KAISER. Some of them can not
pay the high performance cost.
This patch adds a debugfs file. To disable KAISER, you do:
echo 0 > /sys/kernel/debug/x86/kaiser-enabled
and to reenable it, you can:
echo 1 > /sys/kernel/debug/x86/kaiser-enabled
This is a *minimal* implementation. There are certainly plenty of
optimizations that we can do on top of this by using ALTERNATIVES
among other things.
This does, however, completely remove all the KAISER-based CR3 writes.
So, a paravirtualized system that can not tolerate CR3 writes can
theretically survive with CONFIG_KAISER=y, but with
/sys/kernel/debug/x86/kaiser-enabled=0.
Signed-off-by: Dave Hansen <dave.hansen@linux.intel.com>
Cc: Moritz Lipp <moritz.lipp@iaik.tugraz.at>
Cc: Daniel Gruss <daniel.gruss@iaik.tugraz.at>
Cc: Michael Schwarz <michael.schwarz@iaik.tugraz.at>
Cc: Richard Fellner <richard.fellner@student.tugraz.at>
Cc: Andy Lutomirski <luto@kernel.org>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Kees Cook <keescook@google.com>
Cc: Hugh Dickins <hughd@google.com>
Cc: x86@kernel.org
---
b/arch/x86/entry/calling.h | 12 +++++++
b/arch/x86/mm/kaiser.c | 70 ++++++++++++++++++++++++++++++++++++++++++---
2 files changed, 78 insertions(+), 4 deletions(-)
diff -puN arch/x86/entry/calling.h~kaiser-dynamic-asm arch/x86/entry/calling.h
--- a/arch/x86/entry/calling.h~kaiser-dynamic-asm 2017-11-08 10:45:41.361681365 -0800
+++ b/arch/x86/entry/calling.h 2017-11-08 10:45:41.366681365 -0800
@@ -208,19 +208,29 @@ For 32-bit we have the following convent
orq $(KAISER_SWITCH_MASK), \reg
.endm
+.macro JUMP_IF_KAISER_OFF label
+ testq $1, kaiser_asm_do_switch
+ jz \label
+.endm
+
.macro SWITCH_TO_KERNEL_CR3 scratch_reg:req
+ JUMP_IF_KAISER_OFF .Lswitch_done_\@
mov %cr3, \scratch_reg
ADJUST_KERNEL_CR3 \scratch_reg
mov \scratch_reg, %cr3
+.Lswitch_done_\@:
.endm
.macro SWITCH_TO_USER_CR3 scratch_reg:req
+ JUMP_IF_KAISER_OFF .Lswitch_done_\@
mov %cr3, \scratch_reg
ADJUST_USER_CR3 \scratch_reg
mov \scratch_reg, %cr3
+.Lswitch_done_\@:
.endm
.macro SAVE_AND_SWITCH_TO_KERNEL_CR3 scratch_reg:req save_reg:req
+ JUMP_IF_KAISER_OFF .Ldone_\@
movq %cr3, %r\scratch_reg
movq %r\scratch_reg, \save_reg
/*
@@ -243,11 +253,13 @@ For 32-bit we have the following convent
.endm
.macro RESTORE_CR3 save_reg:req
+ JUMP_IF_KAISER_OFF .Ldone_\@
/*
* We could avoid the CR3 write if not changing its value,
* but that requires a CR3 read *and* a scratch register.
*/
movq \save_reg, %cr3
+.Ldone_\@:
.endm
#else /* CONFIG_KAISER=n: */
diff -puN arch/x86/mm/kaiser.c~kaiser-dynamic-asm arch/x86/mm/kaiser.c
--- a/arch/x86/mm/kaiser.c~kaiser-dynamic-asm 2017-11-08 10:45:41.363681365 -0800
+++ b/arch/x86/mm/kaiser.c 2017-11-08 10:45:41.367681365 -0800
@@ -31,6 +31,9 @@
#include <asm/tlbflush.h>
#include <asm/desc.h>
+__aligned(PAGE_SIZE)
+unsigned long kaiser_asm_do_switch[PAGE_SIZE/sizeof(unsigned long)] = { 1 };
+
/*
* At runtime, the only things we map are some things for CPU
* hotplug, and stacks for new processes. No two CPUs will ever
@@ -355,6 +358,9 @@ void __init kaiser_init(void)
kaiser_init_all_pgds();
+ kaiser_add_user_map_early(&kaiser_asm_do_switch, PAGE_SIZE,
+ __PAGE_KERNEL | _PAGE_GLOBAL);
+
for_each_possible_cpu(cpu) {
void *percpu_vaddr = __per_cpu_user_mapped_start +
per_cpu_offset(cpu);
@@ -459,6 +465,56 @@ static ssize_t kaiser_enabled_read_file(
return simple_read_from_buffer(user_buf, count, ppos, buf, len);
}
+enum poison {
+ KAISER_POISON,
+ KAISER_UNPOISON
+};
+void kaiser_poison_pgds(enum poison do_poison);
+
+void kaiser_do_disable(void)
+{
+ /* Make sure the kernel PGDs are usable by userspace: */
+ kaiser_poison_pgds(KAISER_UNPOISON);
+
+ /*
+ * Make sure all the CPUs have the poison clear in their TLBs.
+ * This also functions as a barrier to ensure that everyone
+ * sees the unpoisoned PGDs.
+ */
+ flush_tlb_all();
+
+ /* Tell the assembly code to stop switching CR3. */
+ kaiser_asm_do_switch[0] = 0;
+
+ /*
+ * Make sure everybody does an interrupt. This means that
+ * they have gone through a SWITCH_TO_KERNEL_CR3 amd are no
+ * longer running on the userspace CR3. If we did not do
+ * this, we might have CPUs running on the shadow page tables
+ * that then enter the kernel and think they do *not* need to
+ * switch.
+ */
+ flush_tlb_all();
+}
+
+void kaiser_do_enable(void)
+{
+ /* Tell the assembly code to start switching CR3: */
+ kaiser_asm_do_switch[0] = 1;
+
+ /* Make sure everyone can see the kaiser_asm_do_switch update: */
+ synchronize_rcu();
+
+ /*
+ * Now that userspace is no longer using the kernel copy of
+ * the page tables, we can poison it:
+ */
+ kaiser_poison_pgds(KAISER_POISON);
+
+ /* Make sure all the CPUs see the poison: */
+ flush_tlb_all();
+}
+
static ssize_t kaiser_enabled_write_file(struct file *file,
const char __user *user_buf, size_t count, loff_t *ppos)
{
@@ -480,7 +536,17 @@ static ssize_t kaiser_enabled_write_file
if (kaiser_enabled == enable)
return count;
+ /*
+ * This tells the page table code to stop poisoning PGDs
+ */
WRITE_ONCE(kaiser_enabled, enable);
+ synchronize_rcu();
+
+ if (enable)
+ kaiser_do_enable();
+ else
+ kaiser_do_disable();
+
return count;
}
@@ -498,10 +564,6 @@ static int __init create_kaiser_enabled(
}
late_initcall(create_kaiser_enabled);
-enum poison {
- KAISER_POISON,
- KAISER_UNPOISON
-};
void kaiser_poison_pgd_page(pgd_t *pgd_page, enum poison do_poison)
{
int i = 0;
_
^ permalink raw reply [flat|nested] 64+ messages in thread* [PATCH 29/30] x86, kaiser: add Kconfig
2017-11-08 19:46 [PATCH 00/30] [v2] KAISER: unmap most of the kernel from userspace page tables Dave Hansen
` (27 preceding siblings ...)
2017-11-08 19:47 ` [PATCH 28/30] x86, kaiser: allow KAISER to be enabled/disabled " Dave Hansen
@ 2017-11-08 19:47 ` Dave Hansen
2017-11-08 19:47 ` [PATCH 30/30] x86, kaiser, xen: Dynamically disable KAISER when running under Xen PV Dave Hansen
29 siblings, 0 replies; 64+ messages in thread
From: Dave Hansen @ 2017-11-08 19:47 UTC (permalink / raw)
To: linux-kernel
Cc: linux-mm, dave.hansen, moritz.lipp, daniel.gruss,
michael.schwarz, richard.fellner, luto, torvalds, keescook,
hughd, x86
From: Dave Hansen <dave.hansen@linux.intel.com>
PARAVIRT generally requires that the kernel not manage its own page
tables. It also means that the hypervisor and kernel must agree
wholeheartedly about what format the page tables are in and what
they contain. KAISER, unfortunately, changes the rules and they
can not be used together.
I've seen conflicting feedback from maintainers lately about whether
they want the Kconfig magic to go first or last in a patch series.
It's going last here because the partially-applied series leads to
kernels that can not boot in a bunch of cases. I did a run through
the entire series with CONFIG_KAISER=y to look for build errors,
though.
Note from Hugh Dickins on why it depends on SMP:
It is absurd that KAISER should depend on SMP, but
apparently nobody has tried a UP build before: which
breaks on implicit declaration of function
'per_cpu_offset' in arch/x86/mm/kaiser.c.
Now, you would expect that to be trivially fixed up; but
looking at the System.map when that block is #ifdef'ed
out of kaiser_init(), I see that in a UP build
__per_cpu_user_mapped_end is precisely at
__per_cpu_user_mapped_start, and the items carefully
gathered into that section for user-mapping on SMP,
dispersed elsewhere on UP.
Signed-off-by: Dave Hansen <dave.hansen@linux.intel.com>
Cc: Moritz Lipp <moritz.lipp@iaik.tugraz.at>
Cc: Daniel Gruss <daniel.gruss@iaik.tugraz.at>
Cc: Michael Schwarz <michael.schwarz@iaik.tugraz.at>
Cc: Richard Fellner <richard.fellner@student.tugraz.at>
Cc: Andy Lutomirski <luto@kernel.org>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Kees Cook <keescook@google.com>
Cc: Hugh Dickins <hughd@google.com>
Cc: x86@kernel.org
---
b/security/Kconfig | 10 ++++++++++
1 file changed, 10 insertions(+)
diff -puN security/Kconfig~kaiser-kconfig security/Kconfig
--- a/security/Kconfig~kaiser-kconfig 2017-11-08 10:45:41.921681364 -0800
+++ b/security/Kconfig 2017-11-08 10:45:41.925681364 -0800
@@ -54,6 +54,16 @@ config SECURITY_NETWORK
implement socket and networking access controls.
If you are unsure how to answer this question, answer N.
+config KAISER
+ bool "Remove the kernel mapping in user mode"
+ depends on X86_64 && SMP && !PARAVIRT
+ help
+ This feature reduces the number of hardware side channels by
+ ensuring that the majority of kernel addresses are not mapped
+ into userspace.
+
+ See Documentation/x86/kaiser.txt for more details.
+
config SECURITY_INFINIBAND
bool "Infiniband Security Hooks"
depends on SECURITY && INFINIBAND
_
^ permalink raw reply [flat|nested] 64+ messages in thread* [PATCH 30/30] x86, kaiser, xen: Dynamically disable KAISER when running under Xen PV
2017-11-08 19:46 [PATCH 00/30] [v2] KAISER: unmap most of the kernel from userspace page tables Dave Hansen
` (28 preceding siblings ...)
2017-11-08 19:47 ` [PATCH 29/30] x86, kaiser: add Kconfig Dave Hansen
@ 2017-11-08 19:47 ` Dave Hansen
2017-11-09 15:01 ` Juergen Gross
29 siblings, 1 reply; 64+ messages in thread
From: Dave Hansen @ 2017-11-08 19:47 UTC (permalink / raw)
To: linux-kernel
Cc: linux-mm, dave.hansen, moritz.lipp, daniel.gruss,
michael.schwarz, richard.fellner, luto, torvalds, keescook,
hughd, x86, jgross
From: Dave Hansen <dave.hansen@linux.intel.com>
If you paravirtualize the MMU, you can not use KAISER. This boils down
to the fact that KAISER needs to do CR3 writes in places that it is not
feasible to do real hypercalls.
If we detect that Xen PV is in use, do not do the KAISER CR3 switches.
I don't think this too bug of a deal for Xen. I was under the
impression that the Xen guest kernel and Xen guest userspace didn't
share an address space *anyway* so Xen PV is not normally even exposed
to the kinds of things that KAISER protects against.
This allows KAISER=y kernels to deployed in environments that also
require PARAVIRT=y.
Signed-off-by: Dave Hansen <dave.hansen@linux.intel.com>
Cc: Moritz Lipp <moritz.lipp@iaik.tugraz.at>
Cc: Daniel Gruss <daniel.gruss@iaik.tugraz.at>
Cc: Michael Schwarz <michael.schwarz@iaik.tugraz.at>
Cc: Richard Fellner <richard.fellner@student.tugraz.at>
Cc: Andy Lutomirski <luto@kernel.org>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Kees Cook <keescook@google.com>
Cc: Hugh Dickins <hughd@google.com>
Cc: x86@kernel.org
Cc: Juergen Gross <jgross@suse.com>
---
b/arch/x86/mm/kaiser.c | 24 ++++++++++++++++++++++--
b/security/Kconfig | 2 +-
2 files changed, 23 insertions(+), 3 deletions(-)
diff -puN arch/x86/mm/kaiser.c~kaiser-disable-for-xen-pv arch/x86/mm/kaiser.c
--- a/arch/x86/mm/kaiser.c~kaiser-disable-for-xen-pv 2017-11-08 10:46:16.913681276 -0800
+++ b/arch/x86/mm/kaiser.c 2017-11-08 10:46:16.918681276 -0800
@@ -31,8 +31,20 @@
#include <asm/tlbflush.h>
#include <asm/desc.h>
+/*
+ * We need a two-stage enable/disable. One (kaiser_enabled) to stop
+ * the ongoing work that keeps KAISER from being disabled (like PGD
+ * poisoning) and another (kaiser_asm_do_switch) that we set when it
+ * is completely safe to run without doing KAISER switches.
+ */
+int kaiser_enabled;
+
+/*
+ * Sized and aligned so that we can easily map it out to userspace
+ * for use before we have done the assembly CR3 switching.
+ */
__aligned(PAGE_SIZE)
-unsigned long kaiser_asm_do_switch[PAGE_SIZE/sizeof(unsigned long)] = { 1 };
+unsigned long kaiser_asm_do_switch[PAGE_SIZE/sizeof(unsigned long)];
/*
* At runtime, the only things we map are some things for CPU
@@ -404,6 +416,15 @@ void __init kaiser_init(void)
kaiser_add_user_map_ptrs_early(__irqentry_text_start,
__irqentry_text_end,
__PAGE_KERNEL_RX | _PAGE_GLOBAL);
+
+ if (cpu_feature_enabled(X86_FEATURE_XENPV)) {
+ pr_info("x86/kaiser: Xen PV detected, disabling "
+ "KAISER protection\n");
+ } else {
+ pr_info("x86/kaiser: Unmapping kernel while in userspace\n");
+ kaiser_asm_do_switch[0] = 1;
+ kaiser_enabled = 1;
+ }
}
int kaiser_add_mapping(unsigned long addr, unsigned long size,
@@ -454,7 +475,6 @@ void kaiser_remove_mapping(unsigned long
__native_flush_tlb_global();
}
-int kaiser_enabled = 1;
static ssize_t kaiser_enabled_read_file(struct file *file, char __user *user_buf,
size_t count, loff_t *ppos)
{
diff -puN security/Kconfig~kaiser-disable-for-xen-pv security/Kconfig
--- a/security/Kconfig~kaiser-disable-for-xen-pv 2017-11-08 10:46:16.914681276 -0800
+++ b/security/Kconfig 2017-11-08 10:46:16.918681276 -0800
@@ -56,7 +56,7 @@ config SECURITY_NETWORK
config KAISER
bool "Remove the kernel mapping in user mode"
- depends on X86_64 && SMP && !PARAVIRT
+ depends on X86_64 && SMP
help
This feature reduces the number of hardware side channels by
ensuring that the majority of kernel addresses are not mapped
_
^ permalink raw reply [flat|nested] 64+ messages in thread* Re: [PATCH 30/30] x86, kaiser, xen: Dynamically disable KAISER when running under Xen PV
2017-11-08 19:47 ` [PATCH 30/30] x86, kaiser, xen: Dynamically disable KAISER when running under Xen PV Dave Hansen
@ 2017-11-09 15:01 ` Juergen Gross
0 siblings, 0 replies; 64+ messages in thread
From: Juergen Gross @ 2017-11-09 15:01 UTC (permalink / raw)
To: Dave Hansen, linux-kernel
Cc: linux-mm, moritz.lipp, daniel.gruss, michael.schwarz,
richard.fellner, luto, torvalds, keescook, hughd, x86
On 08/11/17 20:47, Dave Hansen wrote:
> From: Dave Hansen <dave.hansen@linux.intel.com>
>
> If you paravirtualize the MMU, you can not use KAISER. This boils down
> to the fact that KAISER needs to do CR3 writes in places that it is not
> feasible to do real hypercalls.
>
> If we detect that Xen PV is in use, do not do the KAISER CR3 switches.
>
> I don't think this too bug of a deal for Xen. I was under the
> impression that the Xen guest kernel and Xen guest userspace didn't
> share an address space *anyway* so Xen PV is not normally even exposed
> to the kinds of things that KAISER protects against.
>
> This allows KAISER=y kernels to deployed in environments that also
> require PARAVIRT=y.
>
> Signed-off-by: Dave Hansen <dave.hansen@linux.intel.com>
Acked-by: Juergen Gross <jgross@suse.com>
Juergen
^ permalink raw reply [flat|nested] 64+ messages in thread