lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  PHC 
Open Source and information security mailing list archives
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date:   Sat, 25 Nov 2017 15:10:54 -0700
From:   Andy Lutomirski <>
To:     Thomas Gleixner <>
Cc:     Ingo Molnar <>,,
        Dave Hansen <>,
        "H . Peter Anvin" <>,
        Peter Zijlstra <>,
        Borislav Petkov <>,
        Linus Torvalds <>
Subject: Re: [PATCH 42/43] x86/mm/kaiser: Allow KAISER to be enabled/disabled at runtime

> On Nov 25, 2017, at 1:05 PM, Thomas Gleixner <> wrote:
> On Sat, 25 Nov 2017, Andy Lutomirski wrote:
>>>> On Nov 25, 2017, at 12:18 PM, Thomas Gleixner <> wrote:
>>>> On Fri, 24 Nov 2017, Ingo Molnar wrote:
>>>> From: Dave Hansen <>
>>>> The KAISER CR3 switches are expensive for many reasons.  Not all systems
>>>> benefit from the protection provided by KAISER.  Some of them can not
>>>> pay the high performance cost.
>>>> This patch adds a debugfs file.  To disable KAISER, you do:
>>>>   echo 0 > /sys/kernel/debug/x86/kaiser-enabled
>>>> and to re-enable it, you can:
>>>>   echo 1 > /sys/kernel/debug/x86/kaiser-enabled
>>>> This is a *minimal* implementation.  There are certainly plenty of
>>>> optimizations that can be done on top of this by using ALTERNATIVES
>>>> among other things.
>>> It's not only minimal. It's naive and broken. That thing explodes when
>>> toggled in the wrong moment. I did not even attempt to debug that, because
>>> I think the approach is wrong.
>>> If you really want to make it runtime switchable, then:
>>> - the shadow tables need to be updated unconditionally. I did not check
>>>  whether thats done right now, but explosions are simpler to achieve when
>>>  switching it back on. Though switching it off crashes as well.
>>> - you need to make sure that no task is in user space or on the way to it.
>>>  The much I hate stop_machine(), that's probably the right tool.
>>>  Once everything is in stomp_machine() the switch can be flipped.
>>> - the poisoning/unpoisoning of the kernel tables does not need to be done
>>>  from stop_machine(). That can be done from regular context with a TIF
>>>  flag, so you can make sure that every task is up to date before
>>>  returning to user space. Though that needs a lot of thought.
>>> For now I really want to see that removed entirely and replaced by a simple
>>> boot time switch. We can use the global variable for now and optimize it
>>> later on.
>> Nah, let's do it right: use either X86_FEATURE_WHATEVER or a
>> static_branch.  We have nice asm support for both.
> Agreed.
>> Keep in mind that, for a static_branch, actually setting the thing needs
>> to be deferred, but that's straightforward.
> That's not an issue during boot. That would be an issue for a run time
> switch.

What I mean is: if you modify a static_branch too early, it blows up terribly.

Powered by blists - more mailing lists