linux-kernel.vger.kernel.org archive mirror
 help / color / mirror / Atom feed

From: Chris von Recklinghausen <crecklin@redhat.com>
To: keescook@chromium.org, linux-kernel@vger.kernel.org,
	linux-mm@vger.kernel.org
Subject: [PATCH] add param that allows bootline control of hardened usercopy
Date: Mon, 25 Jun 2018 11:08:20 -0400	[thread overview]
Message-ID: <1529939300-27461-1-git-send-email-crecklin@redhat.com> (raw)

Enabling HARDENED_USER_COPY causes measurable regressions in the
networking performances, up to 8% under UDP flood.

A generic distro may want to enable HARDENED_USER_COPY in their default
kernel config, but at the same time, such distro may want to be able to
avoid the performance penalties in with the default configuration and
enable the stricter check on a per-boot basis.

This change adds a config variable and a boot parameter to conditionally
enable HARDENED_USER_COPY at boot time, and switch HUC to off if
HUC_DEFAULT_OFF is set.

Signed-off-by: Chris von Recklinghausen <crecklin@redhat.com>
---
 .../admin-guide/kernel-parameters.rst         |  2 ++
 .../admin-guide/kernel-parameters.txt         |  3 ++
 include/linux/thread_info.h                   |  7 +++++
 mm/usercopy.c                                 | 28 +++++++++++++++++++
 security/Kconfig                              | 10 +++++++
 5 files changed, 50 insertions(+)

diff --git a/Documentation/admin-guide/kernel-parameters.rst b/Documentation/admin-guide/kernel-parameters.rst
index b8d0bc07ed0a..c3035038e3ae 100644
--- a/Documentation/admin-guide/kernel-parameters.rst
+++ b/Documentation/admin-guide/kernel-parameters.rst
@@ -100,6 +100,8 @@ parameter is applicable::
 	FB	The frame buffer device is enabled.
 	FTRACE	Function tracing enabled.
 	GCOV	GCOV profiling is enabled.
+	HUC	Hardened usercopy is enabled
+	HUCF	Hardened usercopy disabled at boot
 	HW	Appropriate hardware is enabled.
 	IA-64	IA-64 architecture is enabled.
 	IMA     Integrity measurement architecture is enabled.
diff --git a/Documentation/admin-guide/kernel-parameters.txt b/Documentation/admin-guide/kernel-parameters.txt
index efc7aa7a0670..cd3354bc14d3 100644
--- a/Documentation/admin-guide/kernel-parameters.txt
+++ b/Documentation/admin-guide/kernel-parameters.txt
@@ -816,6 +816,9 @@
 	disable=	[IPV6]
 			See Documentation/networking/ipv6.txt.
 
+	enable_hardened_usercopy [HUC,HUCF]
+			Enable hardened usercopy checks
+
 	disable_radix	[PPC]
 			Disable RADIX MMU mode on POWER9
 
diff --git a/include/linux/thread_info.h b/include/linux/thread_info.h
index 8d8821b3689a..140a36cc1c2c 100644
--- a/include/linux/thread_info.h
+++ b/include/linux/thread_info.h
@@ -109,12 +109,19 @@ static inline int arch_within_stack_frames(const void * const stack,
 #endif
 
 #ifdef CONFIG_HARDENED_USERCOPY
+#include <linux/jump_label.h>
+
+DECLARE_STATIC_KEY_FALSE(bypass_usercopy_checks);
+
 extern void __check_object_size(const void *ptr, unsigned long n,
 					bool to_user);
 
 static __always_inline void check_object_size(const void *ptr, unsigned long n,
 					      bool to_user)
 {
+	if (static_branch_likely(&bypass_usercopy_checks))
+		return;
+
 	if (!__builtin_constant_p(n))
 		__check_object_size(ptr, n, to_user);
 }
diff --git a/mm/usercopy.c b/mm/usercopy.c
index e9e9325f7638..ce3996da1b2e 100644
--- a/mm/usercopy.c
+++ b/mm/usercopy.c
@@ -279,3 +279,31 @@ void __check_object_size(const void *ptr, unsigned long n, bool to_user)
 	check_kernel_text_object((const unsigned long)ptr, n, to_user);
 }
 EXPORT_SYMBOL(__check_object_size);
+
+DEFINE_STATIC_KEY_FALSE(bypass_usercopy_checks);
+EXPORT_SYMBOL(bypass_usercopy_checks);
+
+#ifdef CONFIG_HUC_DEFAULT_OFF
+#define HUC_DEFAULT false
+#else
+#define HUC_DEFAULT true
+#endif
+
+static bool enable_huc_atboot = HUC_DEFAULT;
+
+static int __init parse_enable_usercopy(char *str)
+{
+	enable_huc_atboot = true;
+	return 1;
+}
+
+static int __init set_enable_usercopy(void)
+{
+	if (enable_huc_atboot == false)
+		static_branch_enable(&bypass_usercopy_checks);
+	return 1;
+}
+
+__setup("enable_hardened_usercopy", parse_enable_usercopy);
+
+late_initcall(set_enable_usercopy);
diff --git a/security/Kconfig b/security/Kconfig
index c4302067a3ad..a6173897b85c 100644
--- a/security/Kconfig
+++ b/security/Kconfig
@@ -189,6 +189,16 @@ config HARDENED_USERCOPY_PAGESPAN
 	  been removed. This config is intended to be used only while
 	  trying to find such users.
 
+config HUC_DEFAULT_OFF
+	bool "allow CONFIG_HARDENED_USERCOPY to be configured but disabled"
+	depends on HARDENED_USERCOPY
+	help
+	  When CONFIG_HARDENED_USERCOPY is enabled, disable its
+	  functionality unless it is enabled via at boot time
+	  via the "enable_hardened_usercopy" boot parameter. This allows
+	  the functionality of hardened usercopy to be present but not
+	  impact performance unless it is needed.
+
 config FORTIFY_SOURCE
 	bool "Harden common str/mem functions against buffer overflows"
 	depends on ARCH_HAS_FORTIFY_SOURCE
-- 
2.17.0

next             reply	other threads:[~2018-06-25 15:08 UTC|newest]

Thread overview: 13+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2018-06-25 15:08 Chris von Recklinghausen [this message]
2018-06-25 15:22 ` [PATCH] add param that allows bootline control of hardened usercopy Christoph von Recklinghausen
2018-06-25 19:44   ` Laura Abbott
2018-06-25 22:29     ` Christoph von Recklinghausen
2018-06-25 22:35       ` Kees Cook
2018-06-25 23:17         ` Christoph von Recklinghausen
2018-06-25 16:09 ` Randy Dunlap
2018-06-25 18:05 ` kbuild test robot
2018-06-25 18:21 ` Kees Cook
     [not found]   ` <64bf81fa-0363-4b46-d8da-94285b592caa@redhat.com>
2018-06-26  9:48     ` Paolo Abeni
2018-06-26 16:54       ` Kees Cook
2018-06-26 17:14         ` Paolo Abeni
2018-06-25 18:53 ` kbuild test robot

find likely ancestor, descendant, or conflicting patches for this message:
dfblob:b8d0bc07ed0 dfblob:efc7aa7a067 dfblob:8d8821b3689
dfblob:e9e9325f763 dfblob:c4302067a3a dfblob:c3035038e3a
dfblob:cd3354bc14d dfblob:140a36cc1c2 dfblob:ce3996da1b2
dfblob:a6173897b85
	(help)

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=1529939300-27461-1-git-send-email-crecklin@redhat.com \
    --to=crecklin@redhat.com \
    --cc=keescook@chromium.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-mm@vger.kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).