[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-Id: <20160902113909.32631-1-juerg.haefliger@hpe.com>
Date: Fri, 2 Sep 2016 13:39:06 +0200
From: Juerg Haefliger <juerg.haefliger@....com>
To: linux-kernel@...r.kernel.org, linux-mm@...ck.org,
kernel-hardening@...ts.openwall.com, linux-x86_64@...r.kernel.org
Cc: juerg.haefliger@....com, vpk@...columbia.edu
Subject: [RFC PATCH v2 0/3] Add support for eXclusive Page Frame Ownership (XPFO)
Changes from:
v1 -> v2:
- Moved the code from arch/x86/mm/ to mm/ since it's (mostly)
arch-agnostic.
- Moved the config to the generic layer and added ARCH_SUPPORTS_XPFO
for x86.
- Use page_ext for the additional per-page data.
- Removed the clearing of pages. This can be accomplished by using
PAGE_POISONING.
- Split up the patch into multiple patches.
- Fixed additional issues identified by reviewers.
This patch series adds support for XPFO which protects against 'ret2dir'
kernel attacks. The basic idea is to enforce exclusive ownership of page
frames by either the kernel or userspace, unless explicitly requested by
the kernel. Whenever a page destined for userspace is allocated, it is
unmapped from physmap (the kernel's page table). When such a page is
reclaimed from userspace, it is mapped back to physmap.
Additional fields in the page_ext struct are used for XPFO housekeeping.
Specifically two flags to distinguish user vs. kernel pages and to tag
unmapped pages and a reference counter to balance kmap/kunmap operations
and a lock to serialize access to the XPFO fields.
Known issues/limitations:
- Only supports x86-64 (for now)
- Only supports 4k pages (for now)
- There are most likely some legitimate uses cases where the kernel needs
to access userspace which need to be made XPFO-aware
- Performance penalty
Reference paper by the original patch authors:
http://www.cs.columbia.edu/~vpk/papers/ret2dir.sec14.pdf
Juerg Haefliger (3):
Add support for eXclusive Page Frame Ownership (XPFO)
xpfo: Only put previous userspace pages into the hot cache
block: Always use a bounce buffer when XPFO is enabled
arch/x86/Kconfig | 3 +-
arch/x86/mm/init.c | 2 +-
block/blk-map.c | 2 +-
include/linux/highmem.h | 15 +++-
include/linux/page_ext.h | 7 ++
include/linux/xpfo.h | 41 +++++++++
lib/swiotlb.c | 3 +-
mm/Makefile | 1 +
mm/page_alloc.c | 10 ++-
mm/page_ext.c | 4 +
mm/xpfo.c | 213 +++++++++++++++++++++++++++++++++++++++++++++++
security/Kconfig | 20 +++++
12 files changed, 314 insertions(+), 7 deletions(-)
create mode 100644 include/linux/xpfo.h
create mode 100644 mm/xpfo.c
--
2.9.3
Powered by blists - more mailing lists