[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-Id: <20171031223152.B5D241B2@viggo.jf.intel.com>
Date: Tue, 31 Oct 2017 15:31:52 -0700
From: Dave Hansen <dave.hansen@...ux.intel.com>
To: linux-kernel@...r.kernel.org
Cc: linux-mm@...ck.org, dave.hansen@...ux.intel.com,
moritz.lipp@...k.tugraz.at, daniel.gruss@...k.tugraz.at,
michael.schwarz@...k.tugraz.at, luto@...nel.org,
torvalds@...ux-foundation.org, keescook@...gle.com,
hughd@...gle.com, x86@...nel.org
Subject: [PATCH 03/23] x86, kaiser: disable global pages
Global pages stay in the TLB across context switches. Since all
contexts share the same kernel mapping, we use global pages to
allow kernel entries in the TLB to survive when we context
switch.
But, even having these entries in the TLB opens up something that
an attacker can use [1].
Disable global pages so that kernel TLB entries are flushed when
we run userspace. This way, all accesses to kernel memory result
in a TLB miss whether there is good data there or not. Without
this, even when KAISER switches pages tables, the kernel entries
might remain in the TLB.
1. The double-page-fault attack:
http://www.ieee-security.org/TC/SP2013/papers/4977a191.pdf
Signed-off-by: Dave Hansen <dave.hansen@...ux.intel.com>
Cc: Moritz Lipp <moritz.lipp@...k.tugraz.at>
Cc: Daniel Gruss <daniel.gruss@...k.tugraz.at>
Cc: Michael Schwarz <michael.schwarz@...k.tugraz.at>
Cc: Andy Lutomirski <luto@...nel.org>
Cc: Linus Torvalds <torvalds@...ux-foundation.org>
Cc: Kees Cook <keescook@...gle.com>
Cc: Hugh Dickins <hughd@...gle.com>
Cc: x86@...nel.org
---
b/arch/x86/Kconfig | 4 ++++
b/arch/x86/include/asm/pgtable_types.h | 5 +++++
2 files changed, 9 insertions(+)
diff -puN arch/x86/include/asm/pgtable_types.h~kaiser-prep-disable-global-pages arch/x86/include/asm/pgtable_types.h
--- a/arch/x86/include/asm/pgtable_types.h~kaiser-prep-disable-global-pages 2017-10-31 15:03:49.314064402 -0700
+++ b/arch/x86/include/asm/pgtable_types.h 2017-10-31 15:03:49.323064827 -0700
@@ -47,7 +47,12 @@
#define _PAGE_ACCESSED (_AT(pteval_t, 1) << _PAGE_BIT_ACCESSED)
#define _PAGE_DIRTY (_AT(pteval_t, 1) << _PAGE_BIT_DIRTY)
#define _PAGE_PSE (_AT(pteval_t, 1) << _PAGE_BIT_PSE)
+#ifdef CONFIG_X86_GLOBAL_PAGES
#define _PAGE_GLOBAL (_AT(pteval_t, 1) << _PAGE_BIT_GLOBAL)
+#else
+/* We must ensure that kernel TLBs are unusable while in userspace */
+#define _PAGE_GLOBAL (_AT(pteval_t, 0))
+#endif
#define _PAGE_SOFTW1 (_AT(pteval_t, 1) << _PAGE_BIT_SOFTW1)
#define _PAGE_SOFTW2 (_AT(pteval_t, 1) << _PAGE_BIT_SOFTW2)
#define _PAGE_PAT (_AT(pteval_t, 1) << _PAGE_BIT_PAT)
diff -puN arch/x86/Kconfig~kaiser-prep-disable-global-pages arch/x86/Kconfig
--- a/arch/x86/Kconfig~kaiser-prep-disable-global-pages 2017-10-31 15:03:49.318064591 -0700
+++ b/arch/x86/Kconfig 2017-10-31 15:03:49.325064922 -0700
@@ -327,6 +327,10 @@ config ARCH_SUPPORTS_UPROBES
config FIX_EARLYCON_MEM
def_bool y
+config X86_GLOBAL_PAGES
+ def_bool y
+ depends on ! KAISER
+
config PGTABLE_LEVELS
int
default 5 if X86_5LEVEL
_
Powered by blists - more mailing lists