linux-kernel.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
From: Yisheng Xie <xieyisheng1@huawei.com>
To: Tycho Andersen <tycho@docker.com>, <linux-kernel@vger.kernel.org>
Cc: <linux-mm@kvack.org>, <kernel-hardening@lists.openwall.com>,
	Marco Benatto <marco.antonio.780@gmail.com>,
	Juerg Haefliger <juerg.haefliger@canonical.com>, <x86@kernel.org>
Subject: Re: [PATCH v6 03/11] mm, x86: Add support for eXclusive Page Frame Ownership (XPFO)
Date: Mon, 11 Sep 2017 15:24:09 +0800	[thread overview]
Message-ID: <302be94d-7e44-001d-286c-2b0cd6098f7b@huawei.com> (raw)
In-Reply-To: <20170907173609.22696-4-tycho@docker.com>

Hi Tycho,

On 2017/9/8 1:36, Tycho Andersen wrote:
> From: Juerg Haefliger <juerg.haefliger@canonical.com>
> 
> This patch adds support for XPFO which protects against 'ret2dir' kernel
> attacks. The basic idea is to enforce exclusive ownership of page frames
> by either the kernel or userspace, unless explicitly requested by the
> kernel. Whenever a page destined for userspace is allocated, it is
> unmapped from physmap (the kernel's page table). When such a page is
> reclaimed from userspace, it is mapped back to physmap.
> 
> Additional fields in the page_ext struct are used for XPFO housekeeping,
> specifically:
>   - two flags to distinguish user vs. kernel pages and to tag unmapped
>     pages.
>   - a reference counter to balance kmap/kunmap operations.
>   - a lock to serialize access to the XPFO fields.
> 
> This patch is based on the work of Vasileios P. Kemerlis et al. who
> published their work in this paper:
>   http://www.cs.columbia.edu/~vpk/papers/ret2dir.sec14.pdf
> 
> [...]
> +void xpfo_alloc_pages(struct page *page, int order, gfp_t gfp)
> +{
> +	int i, flush_tlb = 0;
> +	struct xpfo *xpfo;
> +
> +	if (!static_branch_unlikely(&xpfo_inited))
> +		return;
> +
> +	for (i = 0; i < (1 << order); i++)  {
> +		xpfo = lookup_xpfo(page + i);
> +		if (!xpfo)
> +			continue;
> +
> +		WARN(test_bit(XPFO_PAGE_UNMAPPED, &xpfo->flags),
> +		     "xpfo: unmapped page being allocated\n");
> +
> +		/* Initialize the map lock and map counter */
> +		if (unlikely(!xpfo->inited)) {
> +			spin_lock_init(&xpfo->maplock);
> +			atomic_set(&xpfo->mapcount, 0);
> +			xpfo->inited = true;
> +		}
> +		WARN(atomic_read(&xpfo->mapcount),
> +		     "xpfo: already mapped page being allocated\n");
> +
> +		if ((gfp & GFP_HIGHUSER) == GFP_HIGHUSER) {
> +			/*
> +			 * Tag the page as a user page and flush the TLB if it
> +			 * was previously allocated to the kernel.
> +			 */
> +			if (!test_and_set_bit(XPFO_PAGE_USER, &xpfo->flags))
> +				flush_tlb = 1;

I'm not sure whether I am miss anything, however, when the page was previously allocated
to kernel,  should we unmap the physmap (the kernel's page table) here? For we allocate
the page to user now

Yisheng Xie
Thanks

  parent reply	other threads:[~2017-09-11  7:24 UTC|newest]

Thread overview: 76+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2017-09-07 17:35 [PATCH v6 00/11] Add support for eXclusive Page Frame Ownership Tycho Andersen
2017-09-07 17:35 ` [PATCH v6 01/11] mm: add MAP_HUGETLB support to vm_mmap Tycho Andersen
2017-09-08  7:42   ` Christoph Hellwig
2017-09-07 17:36 ` [PATCH v6 02/11] x86: always set IF before oopsing from page fault Tycho Andersen
2017-09-07 17:36 ` [PATCH v6 03/11] mm, x86: Add support for eXclusive Page Frame Ownership (XPFO) Tycho Andersen
2017-09-07 18:33   ` Ralph Campbell
2017-09-07 18:50     ` Tycho Andersen
2017-09-08  7:51   ` Christoph Hellwig
2017-09-08 14:58     ` Tycho Andersen
2017-09-09 15:35   ` Laura Abbott
2017-09-11 15:03     ` Tycho Andersen
2017-09-11  7:24   ` Yisheng Xie [this message]
2017-09-11 14:50     ` Tycho Andersen
2017-09-11 16:03       ` Juerg Haefliger
2017-09-11 16:59         ` Tycho Andersen
2017-09-12  8:05         ` Yisheng Xie
2017-09-12 14:36           ` Tycho Andersen
2017-09-12 18:13             ` Tycho Andersen
2017-09-14  6:15               ` Yisheng Xie
2017-09-20 23:46               ` Dave Hansen
2017-09-21  0:02                 ` Tycho Andersen
2017-09-21  0:04                   ` Dave Hansen
2017-09-11 18:32   ` Tycho Andersen
2017-09-11 21:54     ` Marco Benatto
2017-09-20 15:48   ` Dave Hansen
2017-09-20 22:34     ` Tycho Andersen
2017-09-20 23:21       ` Dave Hansen
2017-09-21  0:09         ` Tycho Andersen
2017-09-21  0:27           ` Dave Hansen
2017-09-21  1:37             ` Tycho Andersen
2017-11-10  1:09             ` Tycho Andersen
2017-11-13 22:20               ` Dave Hansen
2017-11-13 22:46                 ` Dave Hansen
2017-11-15  0:33                   ` [kernel-hardening] " Tycho Andersen
2017-11-15  0:37                     ` Dave Hansen
2017-11-15  0:42                       ` Tycho Andersen
2017-11-15  3:44                   ` Matthew Wilcox
2017-11-15  7:00                     ` Dave Hansen
2017-11-15 14:58                       ` Matthew Wilcox
2017-11-15 16:20                         ` [kernel-hardening] " Tycho Andersen
2017-11-15 21:34                           ` Matthew Wilcox
2017-09-21  0:03   ` Dave Hansen
2017-09-21  0:28   ` Dave Hansen
2017-09-21  1:04     ` Tycho Andersen
2017-09-07 17:36 ` [PATCH v6 04/11] swiotlb: Map the buffer if it was unmapped by XPFO Tycho Andersen
2017-09-07 18:10   ` Christoph Hellwig
2017-09-07 18:44     ` Tycho Andersen
2017-09-08  7:13       ` Christoph Hellwig
2017-09-07 17:36 ` [PATCH v6 05/11] arm64/mm: Add support for XPFO Tycho Andersen
2017-09-08  7:53   ` Christoph Hellwig
2017-09-08 17:24     ` Tycho Andersen
2017-09-14 10:41       ` Julien Grall
2017-09-14 11:29         ` Juergen Gross
2017-09-14 18:22   ` [kernel-hardening] " Mark Rutland
2017-09-18 21:27     ` Tycho Andersen
2017-09-07 17:36 ` [PATCH v6 06/11] xpfo: add primitives for mapping underlying memory Tycho Andersen
2017-09-07 17:36 ` [PATCH v6 07/11] arm64/mm, xpfo: temporarily map dcache regions Tycho Andersen
2017-09-14 18:25   ` Mark Rutland
2017-09-18 21:29     ` Tycho Andersen
2017-09-07 17:36 ` [PATCH v6 08/11] arm64/mm: Add support for XPFO to swiotlb Tycho Andersen
2017-09-07 17:36 ` [PATCH v6 09/11] arm64/mm: disable section/contiguous mappings if XPFO is enabled Tycho Andersen
2017-09-09 15:38   ` Laura Abbott
2017-09-07 17:36 ` [PATCH v6 10/11] mm: add a user_virt_to_phys symbol Tycho Andersen
2017-09-08  7:55   ` Christoph Hellwig
2017-09-08 15:44     ` Kees Cook
2017-09-11  7:36       ` Christoph Hellwig
2017-09-14 18:34   ` [kernel-hardening] " Mark Rutland
2017-09-18 20:56     ` Tycho Andersen
2017-09-07 17:36 ` [PATCH v6 11/11] lkdtm: Add test for XPFO Tycho Andersen
2017-09-07 19:08   ` Kees Cook
2017-09-10  0:57   ` kbuild test robot
2017-09-11 10:34 ` [PATCH v6 00/11] Add support for eXclusive Page Frame Ownership Yisheng Xie
2017-09-11 15:02   ` Tycho Andersen
2017-09-12  7:07     ` Yisheng Xie
2017-09-12  7:40       ` Juerg Haefliger
2017-09-12  8:11         ` Yisheng Xie

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=302be94d-7e44-001d-286c-2b0cd6098f7b@huawei.com \
    --to=xieyisheng1@huawei.com \
    --cc=juerg.haefliger@canonical.com \
    --cc=kernel-hardening@lists.openwall.com \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-mm@kvack.org \
    --cc=marco.antonio.780@gmail.com \
    --cc=tycho@docker.com \
    --cc=x86@kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).