lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Mon, 8 Jan 2018 18:17:07 +0100
From:   Willy Tarreau <w@....eu>
To:     Dave Hansen <dave.hansen@...el.com>
Cc:     linux-kernel@...r.kernel.org, x86@...nel.org, tglx@...utronix.de,
        gnomes@...rguk.ukuu.org.uk, torvalds@...ux-foundation.org,
        Ingo Molnar <mingo@...nel.org>,
        Peter Zijlstra <a.p.zijlstra@...llo.nl>,
        Borislav Petkov <bp@...en8.de>,
        Josh Poimboeuf <jpoimboe@...hat.com>,
        Andy Lutomirski <luto@...nel.org>
Subject: Re: [PATCH RFC 3/4] x86/pti: don't mark the user PGD with _PAGE_NX.

[ expanded the Cc list a bit ]

On Mon, Jan 08, 2018 at 09:03:36AM -0800, Dave Hansen wrote:
> On 01/08/2018 08:12 AM, Willy Tarreau wrote:
> > Since we're going to keep running on the same PGD when returning to
> > userspace for certain performance-critical tasks, we'll need the user
> > pages to be executable. So this code disables the extra protection
> > that was added consisting in marking user pages _PAGE_NX so that this
> > pgd remains usable for userspace.
> > 
> > Note: it isn't necessarily the best approach, but one way or another
> >       if we want to be able to return to userspace from the kernel,
> >       we'll have to have this executable anyway. Another approach
> >       might consist in using another pgd for userland+kernel but
> >       the current core really looks like an extra careful measure
> >       to catch early bugs if any.
> 
> I don't like this.

This is the purpose of the review.

> I think the prctl() should apply to an entire process, not to a thread.

As I mentionned in another mail, I didn't know how to do it, even less
how to do it fast enough so that we didn't add more cycles to the syscall
code.

> If it applies to a process, you can unpoison the PGD.  I even had code
> to do this in an earlier version of the (whole system) runtime PTI
> on/off stuff.
> 
> Why are you even posting half-baked hacks like this now?  Is there
> something super-pressing about this set that we need to lock in a new
> ABI now?

No need to lock in or whatever. It's just that a number of us simply
cannot use the current protection due to the huge cost it comes with
for their specific workload, and having to choose between performance
or protection remains a problem. Having a bit more available time and
being directly concerned by this problem I tried to propose something
to 1) see if there was any hope and 2) possibly help things move forward
in this direction. The patches are marked RFC, they're for discussing,
not for merging.

Willy

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ