From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1757524AbcDAAVN (ORCPT ); Thu, 31 Mar 2016 20:21:13 -0400 Received: from mail-yw0-f180.google.com ([209.85.161.180]:35059 "EHLO mail-yw0-f180.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1752160AbcDAAVM (ORCPT ); Thu, 31 Mar 2016 20:21:12 -0400 MIME-Version: 1.0 In-Reply-To: <56EFB486.2090501@hpe.com> References: <1456496467-14247-1-git-send-email-juerg.haefliger@hpe.com> <56D4FA15.9060700@gmail.com> <56EFB486.2090501@hpe.com> Date: Fri, 1 Apr 2016 11:21:11 +1100 Message-ID: Subject: Re: [RFC PATCH] Add support for eXclusive Page Frame Ownership (XPFO) From: Balbir Singh To: Juerg Haefliger Cc: "linux-kernel@vger.kernel.org" , linux-mm , vpk@cs.brown.edu Content-Type: text/plain; charset=UTF-8 Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Mon, Mar 21, 2016 at 7:44 PM, Juerg Haefliger wrote: > Hi Balbir, > > Apologies for the slow reply. > No problem, I lost this in my inbox as well due to the reply latency. > > On 03/01/2016 03:10 AM, Balbir Singh wrote: >> >> >> On 27/02/16 01:21, Juerg Haefliger wrote: >>> This patch adds support for XPFO which protects against 'ret2dir' kernel >>> attacks. The basic idea is to enforce exclusive ownership of page frames >>> by either the kernel or userland, unless explicitly requested by the >>> kernel. Whenever a page destined for userland is allocated, it is >>> unmapped from physmap. When such a page is reclaimed from userland, it is >>> mapped back to physmap. >> physmap == xen physmap? Please clarify > > No, it's not XEN related. I might have the terminology wrong. Physmap is what > the original authors used for describing a large, contiguous virtual > memory region inside kernel address space that contains a direct mapping of part > or all (depending on the architecture) physical memory. > Thanks for clarifying > >>> Mapping/unmapping from physmap is accomplished by modifying the PTE >>> permission bits to allow/disallow access to the page. >>> >>> Additional fields are added to the page struct for XPFO housekeeping. >>> Specifically a flags field to distinguish user vs. kernel pages, a >>> reference counter to track physmap map/unmap operations and a lock to >>> protect the XPFO fields. >>> >>> Known issues/limitations: >>> - Only supported on x86-64. >> Is it due to lack of porting or a design limitation? > > Lack of porting. Support for other architectures will come later. > OK > >>> - Only supports 4k pages. >>> - Adds additional data to the page struct. >>> - There are most likely some additional and legitimate uses cases where >>> the kernel needs to access userspace. Those need to be identified and >>> made XPFO-aware. >> Why not build an audit mode for it? > > Can you elaborate what you mean by this? > What I meant is when the kernel needs to access userspace and XPFO is not aware of it and is going to block it, write to a log/trace buffer so that it can be audited for correctness > >>> - There's a performance impact if XPFO is turned on. Per the paper >>> referenced below it's in the 1-3% ballpark. More performance testing >>> wouldn't hurt. What tests to run though? >>> >>> Reference paper by the original patch authors: >>> http://www.cs.columbia.edu/~vpk/papers/ret2dir.sec14.pdf >>> >>> Suggested-by: Vasileios P. Kemerlis >>> Signed-off-by: Juerg Haefliger >> This patch needs to be broken down into smaller patches - a series > > Agreed. > I think it will be good to describe what is XPFO aware 1. How are device mmap'd shared between kernel/user covered? 2. How is copy_from/to_user covered? 3. How is vdso covered? 4. More... Balbir Singh.