linux-kernel.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
From: Jeff Xu <jeffxu@chromium.org>
To: "Liam R. Howlett" <Liam.Howlett@oracle.com>,
	jeffxu@chromium.org,  Jonathan Corbet <corbet@lwn.net>,
	akpm@linux-foundation.org, keescook@chromium.org,
	 jannh@google.com, sroettger@google.com, willy@infradead.org,
	 gregkh@linuxfoundation.org, torvalds@linux-foundation.org,
	 usama.anjum@collabora.com, rdunlap@infradead.org,
	jeffxu@google.com,  jorgelo@chromium.org, groeck@chromium.org,
	linux-kernel@vger.kernel.org,  linux-kselftest@vger.kernel.org,
	linux-mm@kvack.org, pedro.falcato@gmail.com,
	 dave.hansen@intel.com, linux-hardening@vger.kernel.org,
	deraadt@openbsd.org
Subject: Re: [PATCH v8 0/4] Introduce mseal
Date: Wed, 31 Jan 2024 17:27:11 -0800	[thread overview]
Message-ID: <CABi2SkXOX4SRMs0y8FYccoj+XrEiPCJk2seqT+sgO7Na7NWwLg@mail.gmail.com> (raw)
In-Reply-To: <20240131193411.opisg5yoyxkwoyil@revolver>

On Wed, Jan 31, 2024 at 11:34 AM Liam R. Howlett
<Liam.Howlett@oracle.com> wrote:
>
> Please add me to the Cc list of these patches.
Ok.
>
> * jeffxu@chromium.org <jeffxu@chromium.org> [240131 12:50]:
> > From: Jeff Xu <jeffxu@chromium.org>
> >
> > This patchset proposes a new mseal() syscall for the Linux kernel.
> >
> > In a nutshell, mseal() protects the VMAs of a given virtual memory
> > range against modifications, such as changes to their permission bits.
> >
> > Modern CPUs support memory permissions, such as the read/write (RW)
> > and no-execute (NX) bits. Linux has supported NX since the release of
> > kernel version 2.6.8 in August 2004 [1]. The memory permission feature
> > improves the security stance on memory corruption bugs, as an attacker
> > cannot simply write to arbitrary memory and point the code to it. The
> > memory must be marked with the X bit, or else an exception will occur.
> > Internally, the kernel maintains the memory permissions in a data
> > structure called VMA (vm_area_struct). mseal() additionally protects
> > the VMA itself is against modifications of the selected seal type.
>
> ... The v8 cut Jonathan's email discussion [1] off and
> instead of
> replying there, I'm going to add my question here.
>
> The best plan to ensure it is a general safety measure for all of linux
> is to work with the community before it lands upstream.  It's much
> harder to change functionality provided to users after it is upstream.
> I'm happy to hear google is super excited about sharing this, but so
> far, the community isn't as excited.
>
> It seems Theo has a lot of experience trying to add a feature very close
> to what you are doing and has real data on how this went [2].  Can we
> see if there is a solution that is, at least, different enough from what
> he tried to do for a shot of success?  Do we have anyone in the
> toolchain groups that sees this working well?  If this means Stephen
> needs to do something, can we get that to happen please?
>
For Theo's input from OpenBSD's perspective;
IIUC: as today, the mseal-Linux and mimmutable-OpenBSD has the same
scope on what operations to seal, e.g. considering the progress made
on both sides since the beginning of the RFC:
- mseal(Linux): dropped "multiple-bit" approach.
- mimmutable(OpenBSD): Dropped "downgradable"; Added madvise(DONOTNEED).

The difference is in mmap(), i.e.
- mseal(Linux): support of PROT_SEAL in mmap().
- mseal(Linux): use of MAP_SEALABLE in mmap().

I considered Theo's inputs from OpenBSD's perspective regarding the
difference, and I wasn't convinced that Linux should remove these. In
my view, those are two different kernels code, and the difference in
Linux is not added without reasons (for MAP_SEALABLE, there is a note
in the documentation section with details).

I would love to hear more from Linux developers on this.

> I mean, you specifically state that this is a 'very specific
> requirement' in your cover letter.  Does this mean even other browsers
> have no use for it?
>
No, I don’t mean “other browsers have no use for it”.

About specific requirements from Chrome, that refers to "The lifetime
of those mappings are not tied to the lifetime of the process, which
is not the case of libc" as in the cover letter. This addition to the
cover letter was made in V3, thus, it might be beneficial to provide
additional context to help answer the question.

This patch series begins with multiple-bit approaches (v1,v2,v3), the
rationale for this is that I am uncertain if Chrome's specific needs
are common enough for other use cases.  Consequently, I am unable to
make this decision myself without input from the community. To
accommodate this, multiple bits are selected initially due to their
adaptability.

Since V1, after hearing from the community, Chrome has changed its
design (no longer relying on separating out mprotect), and Linus
acknowledged the defect of madvise(DONOTNEED) [1]. With those inputs,
today mseal() has a simple design that:
 - meet Chrome's specific needs.
 - meet Libc's needs.
 - Chrome's specific need doesn't interfere with Libc's.

[1] https://lore.kernel.org/all/CAHk-=wiVhHmnXviy1xqStLRozC4ziSugTk=1JOc8ORWd2_0h7g@mail.gmail.com/

> I am very concerned this feature will land and have to be maintained by
> the core mm people for the one user it was specifically targeting.
>
See above. This feature is not specifically targeting Chrome.

> Can we also get some benchmarking on the impact of this feature?  I
> believe my answer in v7 removed the worst offender, but since there is
> no benchmarking we really are guessing (educated or not, hard data would
> help).  We still have an extra loop in madvise, mprotect_pkey, mremap_to
> (and mreamp syscall?).
>
Yes. There is an extra loop in mmap(FIXED), munmap(),
madvise(DONOTNEED), mremap(), to emulate the VMAs for the given
address range. I suspect the impact would be low, but having some hard
data would be good. I will see what I can find to assist the perf
testing. If you have a specific test suite in mind, I can also try it.

> You also did not clean up the loop you copied from mlock, which I
> pointed out [3].  Stating that your copy/paste is easier to review is
> not sufficient to keep unneeded assignments around.
>
OK.

> [1]. https://lore.kernel.org/linux-mm/87a5ong41h.fsf@meer.lwn.net/
> [2]. https://lore.kernel.org/linux-mm/86181.1705962897@cvs.openbsd.org/
> [3]. https://lore.kernel.org/linux-mm/20240124200628.ti327diy7arb7byb@revolver/

  reply	other threads:[~2024-02-01  1:27 UTC|newest]

Thread overview: 50+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2024-01-31 17:50 [PATCH v8 0/4] Introduce mseal jeffxu
2024-01-31 17:50 ` [PATCH v8 1/4] mseal: Wire up mseal syscall jeffxu
2024-01-31 17:50 ` [PATCH v8 2/4] mseal: add " jeffxu
2024-02-01 23:11   ` Eric Biggers
2024-02-02  3:30     ` Jeff Xu
2024-02-02  3:54       ` Theo de Raadt
2024-02-02  4:03         ` Jeff Xu
2024-02-02  4:10           ` Theo de Raadt
2024-02-02  4:22             ` Jeff Xu
2024-01-31 17:50 ` [PATCH v8 3/4] selftest mm/mseal memory sealing jeffxu
2024-01-31 17:50 ` [PATCH v8 4/4] mseal:add documentation jeffxu
2024-01-31 19:34 ` [PATCH v8 0/4] Introduce mseal Liam R. Howlett
2024-02-01  1:27   ` Jeff Xu [this message]
2024-02-01  1:46     ` Theo de Raadt
2024-02-01 16:56       ` Bird, Tim
2024-02-01  1:55     ` Theo de Raadt
2024-02-01 20:45     ` Liam R. Howlett
2024-02-01 22:24       ` Theo de Raadt
2024-02-02  1:06         ` Greg KH
2024-02-02  3:24           ` Jeff Xu
2024-02-02  3:29             ` Linus Torvalds
2024-02-02  3:46               ` Jeff Xu
2024-02-02 15:18             ` Greg KH
2024-02-01 22:37       ` Jeff Xu
2024-02-01 22:54         ` Theo de Raadt
2024-02-01 23:15           ` Linus Torvalds
2024-02-01 23:43             ` Theo de Raadt
2024-02-02  0:26             ` Theo de Raadt
2024-02-02  3:20             ` Jeff Xu
2024-02-02  4:05               ` Theo de Raadt
2024-02-02  4:54                 ` Jeff Xu
2024-02-02  5:00                   ` Theo de Raadt
2024-02-02 17:58                     ` Jeff Xu
2024-02-02 18:51                       ` Pedro Falcato
2024-02-02 21:20                         ` Jeff Xu
2024-02-04 19:39                         ` David Laight
2024-02-02 17:05             ` Theo de Raadt
2024-02-02 21:02               ` Jeff Xu
2024-02-02  3:14       ` Jeff Xu
2024-02-02 15:13         ` Liam R. Howlett
2024-02-02 17:24           ` Jeff Xu
2024-02-02 19:21             ` Liam R. Howlett
2024-02-02 19:32               ` Theo de Raadt
2024-02-02 20:36                 ` Linus Torvalds
2024-02-02 20:57                   ` Jeff Xu
2024-02-02 21:18                   ` Liam R. Howlett
2024-02-02 23:36                     ` Linus Torvalds
2024-02-03  4:45                       ` Liam R. Howlett
2024-02-05 22:13                         ` Suren Baghdasaryan
2024-02-02 20:14               ` Jeff Xu

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=CABi2SkXOX4SRMs0y8FYccoj+XrEiPCJk2seqT+sgO7Na7NWwLg@mail.gmail.com \
    --to=jeffxu@chromium.org \
    --cc=Liam.Howlett@oracle.com \
    --cc=akpm@linux-foundation.org \
    --cc=corbet@lwn.net \
    --cc=dave.hansen@intel.com \
    --cc=deraadt@openbsd.org \
    --cc=gregkh@linuxfoundation.org \
    --cc=groeck@chromium.org \
    --cc=jannh@google.com \
    --cc=jeffxu@google.com \
    --cc=jorgelo@chromium.org \
    --cc=keescook@chromium.org \
    --cc=linux-hardening@vger.kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-kselftest@vger.kernel.org \
    --cc=linux-mm@kvack.org \
    --cc=pedro.falcato@gmail.com \
    --cc=rdunlap@infradead.org \
    --cc=sroettger@google.com \
    --cc=torvalds@linux-foundation.org \
    --cc=usama.anjum@collabora.com \
    --cc=willy@infradead.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).