lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20170217182313.GB25876@leverpostej>
Date:   Fri, 17 Feb 2017 18:23:13 +0000
From:   Mark Rutland <mark.rutland@....com>
To:     Kees Cook <keescook@...omium.org>
Cc:     Pavel Machek <pavel@....cz>, Laura Abbott <labbott@...hat.com>,
        "linux-doc@...r.kernel.org" <linux-doc@...r.kernel.org>,
        Catalin Marinas <catalin.marinas@....com>,
        Heiko Carstens <heiko.carstens@...ibm.com>,
        "James E.J. Bottomley" <jejb@...isc-linux.org>,
        "H. Peter Anvin" <hpa@...or.com>,
        "kernel-hardening@...ts.openwall.com" 
        <kernel-hardening@...ts.openwall.com>,
        Rob Herring <robh@...nel.org>, Jessica Yu <jeyu@...hat.com>,
        Jonathan Corbet <corbet@....net>, Helge Deller <deller@....de>,
        "x86@...nel.org" <x86@...nel.org>,
        Russell King <linux@...linux.org.uk>,
        Ingo Molnar <mingo@...hat.com>,
        Len Brown <len.brown@...el.com>,
        "linux-s390@...r.kernel.org" <linux-s390@...r.kernel.org>,
        Will Deacon <will.deacon@....com>,
        Thomas Gleixner <tglx@...utronix.de>,
        "linux-arm-kernel@...ts.infradead.org" 
        <linux-arm-kernel@...ts.infradead.org>,
        linux-parisc <linux-parisc@...r.kernel.org>,
        Linux PM list <linux-pm@...r.kernel.org>,
        "Rafael J. Wysocki" <rjw@...ysocki.net>,
        LKML <linux-kernel@...r.kernel.org>,
        Jason Wessel <jason.wessel@...driver.com>,
        Martin Schwidefsky <schwidefsky@...ibm.com>,
        Robin Murphy <robin.murphy@....com>
Subject: Re: [PATCHv3 2/2] arch: Rename CONFIG_DEBUG_RODATA and
 CONFIG_DEBUG_MODULE_RONX

On Thu, Feb 16, 2017 at 05:08:20PM -0800, Kees Cook wrote:
> On Thu, Feb 16, 2017 at 2:25 PM, Pavel Machek <pavel@....cz> wrote:
> > Hi!
> >
> >>
> >> -config DEBUG_RODATA
> >> +config STRICT_KERNEL_RWX
> >>       bool "Make kernel text and rodata read-only" if ARCH_OPTIONAL_KERNEL_RWX
> >>       depends on ARCH_HAS_STRICT_KERNEL_RWX
> >>       default !ARCH_OPTIONAL_KERNEL_RWX ||
> >
> > Debug features are expected to have runtime cost, so kconfig help is
> > silent about those. But there are runtime costs, right? It would be
> > nice to mention them in the help text...
> 
> It depends on the architecture. The prior help text for arm said:
> 
>          The tradeoff is that each region is padded to section-size (1MiB)
>          boundaries (because their permissions are different and splitting
>          the 1M pages into 4K ones causes TLB performance problems), which
>          can waste memory.
> 
> parisc (somewhat inaccurately) said:
> 
>          This option may have a slight performance impact because a
>          portion of the kernel code won't be covered by a TLB anymore.
> 
> IIUC, arm64 does what parisc is hinting at: mappings at the end are
> broken down to PAGE_SIZE. On x86, IIUC, there's actually no change to
> TLB performance due to how the mappings are already set up.

On arm64, we split down to page granularity if needed, but use the
largest possible mapping we can (e.g. if we can use a 2M block, we do).

Because of the way we freed the init area, we already couldn't use
larger mappings anyway. Applying the strict permissions didn't come at a
measureable overhead in any real testing.

> I'm not sure the best way to express this in the new help text. Do you
> have some suggestions on wording? Personally, I don't really think
> it's worth mentioning this in Kconfig help, which, in theory, is
> supposed to limit how technical it gets. And I think the performance
> impact is almost entirely negligible compared to the risks addressed.

I also don't see much point in describing some hypothetical architecture
specific overhead here. In most cases this can't be turned off (so there
isn't anything to comapre it to, and hence no cost). Where people want
to turn it off, they already know why they wish to do so.

Thanks,
Mark.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ