| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 11 Jan 2017 09:56:45 -0700
From: Khalid Aziz <khalid.aziz@...cle.com>
To: Dave Hansen <dave.hansen@...ux.intel.com>, davem@...emloft.net,
corbet@....net, arnd@...db.de, akpm@...ux-foundation.org
Cc: hpa@...or.com, viro@...iv.linux.org.uk, nitin.m.gupta@...cle.com,
chris.hyser@...cle.com, tushar.n.dave@...cle.com,
sowmini.varadhan@...cle.com, mike.kravetz@...cle.com,
adam.buchbinder@...il.com, minchan@...nel.org, hughd@...gle.com,
kirill.shutemov@...ux.intel.com, keescook@...omium.org,
allen.pais@...cle.com, aryabinin@...tuozzo.com,
atish.patra@...cle.com, joe@...ches.com, pmladek@...e.com,
jslaby@...e.cz, cmetcalf@...lanox.com,
paul.gortmaker@...driver.com, mhocko@...e.com, jmarchan@...hat.com,
lstoakes@...il.com, 0x7f454c46@...il.com, vbabka@...e.cz,
tglx@...utronix.de, mingo@...hat.com, dan.j.williams@...el.com,
iamjoonsoo.kim@....com, mgorman@...hsingularity.net,
vdavydov.dev@...il.com, hannes@...xchg.org, namit@...are.com,
linux-doc@...r.kernel.org, linux-kernel@...r.kernel.org,
sparclinux@...r.kernel.org, linux-arch@...r.kernel.org,
x86@...nel.org, linux-mm@...ck.org
Subject: Re: [PATCH v4 0/4] Application Data Integrity feature introduced by
SPARC M7
On 01/11/2017 09:33 AM, Dave Hansen wrote:
> On 01/11/2017 08:12 AM, Khalid Aziz wrote:
>> A userspace task enables ADI through mprotect(). This patch series adds
>> a page protection bit PROT_ADI and a corresponding VMA flag
>> VM_SPARC_ADI. VM_SPARC_ADI is used to trigger setting TTE.mcd bit in the
>> sparc pte that enables ADI checking on the corresponding page.
>
> Is there a cost in the hardware associated with doing this "ADI
> checking"? For instance, instead of having this new mprotect()
> interface, why not just always set TTE.mcd on all PTEs?
There is no performance penalty in the MMU to check tags, but if
PSTATE.mcd bit is set and TTE.mcde is set, the tag in VA must match what
was set on the physical page for all memory accesses. Potential for side
effects is too high in such case and would require kernel to either
track tags for every page as they are re-allocated or migrated, or scrub
pages constantly to ensure we do not get spurious tag mismatches. Unless
there is a very strong reason to blindly set TTE.mcd on every PTE, I
think the risk of instability is too high without lot of extra code.
>
> Also, should this be a privileged interface in some way? The hardware
> is storing these tags *somewhere* and that storage is consuming
> resources *somewhere*. What stops a crafty attacker from mmap()'ing a
> 128TB chunk of the zero pages and storing ADI tags for all of it?
> That'll be 128TB/64*4bits = 1TB worth of 4-bit tags. Page tables, for
> instance, consume a comparable amount of storage, but the OS *knows*
> about those and can factor them into OOM decisions.
Hardware resources used to store tags are managed entirely by MMU and
invisible to the kernel. Tags are stored in spare bits in memory. The
only tag resource consumption visible to OS will be the space it
allocates to store tags as pages are swapped in/out or migrated. If we
choose to implement subpage granularity for tags in future, resource
consumption will be a concern. You are right, each n pages of tagged
memory requires n/128 pages to store tags. Since each tag is just 4
bits, there are good possibilities to compress this data but that is for
future.
Thanks,
Khalid
Powered by blists - more mailing lists