From: Jon Masters <jcm@jonmasters.org>
To: Will Deacon <will.deacon@arm.com>,
Jayachandran C <jnair@caviumnetworks.com>
Cc: Marc Zyngier <marc.zyngier@arm.com>,
linux-arm-kernel@lists.infradead.org, lorenzo.pieralisi@arm.com,
ard.biesheuvel@linaro.org, catalin.marinas@arm.com,
linux-kernel@vger.kernel.org, labbott@redhat.com,
christoffer.dall@linaro.org
Subject: Re: [v2,03/11] arm64: Take into account ID_AA64PFR0_EL1.CSV3
Date: Thu, 18 Jan 2018 20:00:47 -0500 [thread overview]
Message-ID: <b0edc0ab-c61e-e70b-f339-5777add46575@jonmasters.org> (raw)
In-Reply-To: <20180109100034.GD4297@arm.com>
On 01/09/2018 05:00 AM, Will Deacon wrote:
> On Mon, Jan 08, 2018 at 08:06:27PM -0800, Jayachandran C wrote:
>> On Mon, Jan 08, 2018 at 05:51:00PM +0000, Will Deacon wrote:
>>> On Mon, Jan 08, 2018 at 09:40:17AM -0800, Jayachandran C wrote:
>>>> On Mon, Jan 08, 2018 at 09:20:09AM +0000, Marc Zyngier wrote:
>>>>> On 08/01/18 07:24, Jayachandran C wrote:
>>>>>> diff --git a/arch/arm64/kernel/cpufeature.c b/arch/arm64/kernel/cpufeature.c
>>>>>> index 19ed09b..202b037 100644
>>>>>> --- a/arch/arm64/kernel/cpufeature.c
>>>>>> +++ b/arch/arm64/kernel/cpufeature.c
>>>>>> @@ -862,6 +862,13 @@ static bool unmap_kernel_at_el0(const struct arm64_cpu_capabilities *entry,
>>>>>> return __kpti_forced > 0;
>>>>>> }
>>>>>>
>>>>>> + /* Don't force KPTI for CPUs that are not vulnerable */
>>>>>> + switch (read_cpuid_id() & MIDR_CPU_MODEL_MASK) {
>>>>>> + case MIDR_CAVIUM_THUNDERX2:
>>>>>> + case MIDR_BRCM_VULCAN:
>>>>>> + return false;
>>>>>> + }
>>>>>> +
>>>>>> /* Useful for KASLR robustness */
>>>>>> if (IS_ENABLED(CONFIG_RANDOMIZE_BASE))
>>>>>> return true;
>>>>>>
>>>>>
>>>>> KPTI is also an improvement for KASLR. Why would you deprive a user of
>>>>> the choice to further secure their system?
>>>>
>>>> The user has a choice with kpti= at the kernel command line, so we are
>>>> not depriving the user of a choice. KASLR is expected to be enabled by
>>>> distributions, and KPTI will be enabled by default as well.
>>>>
>>>> On systems that are not vulnerable to variant 3, this is an unnecessary
>>>> overhead.
>>>
>>> KASLR can be bypassed on CPUs that are not vulnerable to variant 3 simply
>>> by timing how long accesses to kernel addresses from EL0 take -- please read
>>> the original KAISER paper for details about that attack on x86. kpti
>>> mitigates that. If you don't care about KASLR, don't enable it (arguably
>>> it's useless without kpti).
>>
>> The code above assumes that all ARM CPUs (now and future) will be vulnerable
>> to timing attacks that can bypass KASLR. I don't think that is a correct
>> assumption to make.
>
> Well, the code is assuming that the difference between a TLB hit and a miss
> can be measured and that permission faulting entries can be cached in the
> TLB. I think that's a safe assumption for the moment. You can also disable
> kaslr on the command line and at compile-time if you don't want to use it,
> and the same thing applies to kpti. I really see this more as user
> preference, rather than something that should be keyed off the MIDR and we
> already provide those controls via the command line.
>
> To be clear: I'll take the MIDR whitelisting, but only after the KASLR check
> above.
>
>> If ThunderX2 is shown to be vulnerable to any timing based attack we can
>> certainly move the MIDR check after the check for the CONFIG_RANDOMIZE_BASE.
>> But I don't think that is the case now, if you have any PoC code to check
>> this I can run on the processor and make the change.
>
> I haven't tried, but if you have a TLB worth its salt, I suspect you can
> defeat kaslr by timing prefetches or faulting loads to kernel addresses.
>
>> It is pretty clear that we need a whitelist check either before or after the
>> CONFIG_RANDOMIZE_BASE check.
>
> Please send a patch implementing this after the check.
JC: what's the plan here from Cavium? I didn't see such a patch (but
might have missed it). I've asked that we follow the same logic as on
x86 within Red Hat and default to disabling (k)pti on hardware known not
to be vulnerable to that explicit attack. Sure, KASLR bypass is "not
good"(TM) and there are ton(ne)s of new ways to do that found all the
time, but the performance hit is non-zero and there is a difference
between breaking randomization vs. leaking cache data, and HPC folks are
among those who are going to come asking why they need to turn off PTI
all over the place. The equivalent would be on x86 where one vendor
always has PTI enabled, the other only if the user explicitly requests
that it be turned on at boot time.
Jon.
next prev parent reply other threads:[~2018-01-19 1:00 UTC|newest]
Thread overview: 68+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-01-05 13:12 [PATCH v2 00/11] arm64 kpti hardening and variant 2 workarounds Will Deacon
2018-01-05 13:12 ` [PATCH v2 01/11] arm64: use RET instruction for exiting the trampoline Will Deacon
2018-01-06 13:13 ` Ard Biesheuvel
2018-01-08 14:33 ` Will Deacon
2018-01-08 14:38 ` Ard Biesheuvel
2018-01-08 14:45 ` Will Deacon
2018-01-08 14:56 ` Ard Biesheuvel
2018-01-08 15:27 ` David Laight
2018-01-05 13:12 ` [PATCH v2 02/11] arm64: Kconfig: Reword UNMAP_KERNEL_AT_EL0 kconfig entry Will Deacon
2018-01-05 13:12 ` [PATCH v2 03/11] arm64: Take into account ID_AA64PFR0_EL1.CSV3 Will Deacon
2018-01-08 7:24 ` [v2,03/11] " Jayachandran C
2018-01-08 9:20 ` Marc Zyngier
2018-01-08 17:40 ` Jayachandran C
2018-01-08 17:51 ` Will Deacon
2018-01-08 18:22 ` Alan Cox
2018-01-09 4:06 ` Jayachandran C
2018-01-09 10:00 ` Will Deacon
2018-01-19 1:00 ` Jon Masters [this message]
2018-01-08 17:52 ` Marc Zyngier
2018-01-08 17:06 ` Will Deacon
2018-01-08 17:50 ` Jayachandran C
2018-01-05 13:12 ` [PATCH v2 04/11] arm64: cpufeature: Pass capability structure to ->enable callback Will Deacon
2018-01-05 13:12 ` [PATCH v2 05/11] drivers/firmware: Expose psci_get_version through psci_ops structure Will Deacon
2018-01-05 13:12 ` [PATCH v2 06/11] arm64: Move post_ttbr_update_workaround to C code Will Deacon
2018-01-05 13:12 ` [PATCH v2 07/11] arm64: Add skeleton to harden the branch predictor against aliasing attacks Will Deacon
2018-01-08 0:15 ` Jon Masters
2018-01-08 12:16 ` James Morse
2018-01-08 14:26 ` Will Deacon
2018-01-17 4:10 ` Yisheng Xie
2018-01-17 10:07 ` Will Deacon
2018-01-18 8:37 ` Yisheng Xie
2018-01-19 3:37 ` Li Kun
2018-01-19 14:28 ` Will Deacon
2018-01-22 6:52 ` Li Kun
2018-01-05 13:12 ` [PATCH v2 08/11] arm64: KVM: Use per-CPU vector when BP hardening is enabled Will Deacon
2018-01-05 13:12 ` [PATCH v2 09/11] arm64: KVM: Make PSCI_VERSION a fast path Will Deacon
2018-01-05 13:12 ` [PATCH v2 10/11] arm64: cputype: Add missing MIDR values for Cortex-A72 and Cortex-A75 Will Deacon
2018-01-05 13:12 ` [PATCH v2 11/11] arm64: Implement branch predictor hardening for affected Cortex-A CPUs Will Deacon
2018-01-05 14:46 ` James Morse
2018-01-05 14:57 ` Marc Zyngier
2018-01-08 6:31 ` [v2, " Jayachandran C
2018-01-08 6:53 ` [PATCH 1/2] arm64: cputype: Add MIDR values for Cavium ThunderX2 CPUs Jayachandran C
2018-01-08 6:53 ` [PATCH 2/2] arm64: Branch predictor hardening for Cavium ThunderX2 Jayachandran C
2018-01-08 16:46 ` Will Deacon
2018-01-08 17:19 ` Jayachandran C
2018-01-08 17:23 ` Will Deacon
2018-01-09 2:26 ` Jayachandran C
2018-01-09 9:53 ` Will Deacon
2018-01-09 12:47 ` [PATCH v2] " Jayachandran C
2018-01-16 21:50 ` Jon Masters
2018-01-16 21:52 ` Jon Masters
2018-01-16 23:45 ` Jayachandran C
2018-01-17 18:34 ` Jon Masters
2018-01-18 13:53 ` Will Deacon
2018-01-18 17:56 ` Jayachandran C
2018-01-18 18:27 ` Jon Masters
2018-01-18 23:28 ` Jayachandran C
2018-01-19 1:17 ` Jon Masters
2018-01-19 12:22 ` [PATCH v3 1/2] " Jayachandran C
2018-01-19 12:22 ` [PATCH v3 2/2] arm64: Turn on KPTI only on CPUs that need it Jayachandran C
2018-01-22 11:41 ` Will Deacon
2018-01-22 11:51 ` Ard Biesheuvel
2018-01-22 11:55 ` Will Deacon
2018-01-22 18:59 ` Jon Masters
2018-01-19 19:08 ` [PATCH v3 1/2] arm64: Branch predictor hardening for Cavium ThunderX2 Jon Masters
2018-01-22 11:33 ` Will Deacon
2018-01-22 19:00 ` Jon Masters
2018-01-23 9:51 ` Will Deacon
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=b0edc0ab-c61e-e70b-f339-5777add46575@jonmasters.org \
--to=jcm@jonmasters.org \
--cc=ard.biesheuvel@linaro.org \
--cc=catalin.marinas@arm.com \
--cc=christoffer.dall@linaro.org \
--cc=jnair@caviumnetworks.com \
--cc=labbott@redhat.com \
--cc=linux-arm-kernel@lists.infradead.org \
--cc=linux-kernel@vger.kernel.org \
--cc=lorenzo.pieralisi@arm.com \
--cc=marc.zyngier@arm.com \
--cc=will.deacon@arm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).