Date:   Mon, 27 Nov 2017 21:47:21 +0100 (CET)
From:   Thomas Gleixner <tglx@...utronix.de>
To:     Josh Poimboeuf <jpoimboe@...hat.com>
cc:     Dave Hansen <dave.hansen@...ux.intel.com>,
        LKML <linux-kernel@...r.kernel.org>,
        Andy Lutomirski <luto@...nel.org>,
        Ingo Molnar <mingo@...nel.org>, Borislav Petkov <bp@...en8.de>,
        Brian Gerst <brgerst@...il.com>,
        Denys Vlasenko <dvlasenk@...hat.com>,
        "H. Peter Anvin" <hpa@...or.com>,
        Linus Torvalds <torvalds@...ux-foundation.org>,
        Peter Zijlstra <peterz@...radead.org>,
        Rik van Riel <riel@...hat.com>, daniel.gruss@...k.tugraz.at,
        hughd@...gle.com, keescook@...gle.com, linux-mm@...ck.org,
        michael.schwarz@...k.tugraz.at, moritz.lipp@...k.tugraz.at,
        richard.fellner@...dent.tugraz.at
Subject: Re: [patch V2 5/5] x86/kaiser: Add boottime disable switch

On Mon, 27 Nov 2017, Josh Poimboeuf wrote:

> On Mon, Nov 27, 2017 at 08:00:19PM +0100, Thomas Gleixner wrote:
> > On Mon, 27 Nov 2017, Dave Hansen wrote:
> > 
> > > On 11/26/2017 03:14 PM, Thomas Gleixner wrote:
> > > > --- a/security/Kconfig
> > > > +++ b/security/Kconfig
> > > > @@ -56,7 +56,7 @@ config SECURITY_NETWORK
> > > >  
> > > >  config KAISER
> > > >  	bool "Remove the kernel mapping in user mode"
> > > > -	depends on X86_64 && SMP && !PARAVIRT
> > > > +	depends on X86_64 && SMP && !PARAVIRT && JUMP_LABEL
> > > >  	help
> > > >  	  This feature reduces the number of hardware side channels by
> > > >  	  ensuring that the majority of kernel addresses are not mapped
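
Review bot: the `depends on` line now makes `JUMP_LABEL` a hard requirement, so any config built without jump labels silently loses KAISER, and the `!PARAVIRT` restriction is still in place. The help text visible in this hunk mentions neither the new dependency nor the boot-time switch named in the subject. Please state in the help text or the changelog why `JUMP_LABEL` is needed and how the feature is disabled at boot, so that someone whose config drops KAISER can tell why.
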
> > > 
> > > One of the reasons for doing the runtime-disable was to get rid of the
> > > !PARAVIRT dependency.  I can add a follow-on here that will act as if we
> > > did "nokaiser" whenever Xen is in play so we can remove this dependency.
> > > 
> > > I just hope Xen is detectable early enough to do the static patching.
> > 
> > Yes, it is. I'm currently trying to figure out why it fails on a KVM guest.
> > 
> > If I boot with 'nokaiser' on the command line it works. If kaiser is
> > runtime enabled then some early klibc user space in the ramdisk
> > explodes. Not sure yet what's going on.
> 
> I'm also seeing weirdness with PARAVIRT+KAISER on kvm.  The symptoms
> aren't consistent.  Sometimes it boots, sometimes it hangs before the
> login prompt, sometimes there are user space seg faults.
> 
> It almost seems like the interrupt handler is corrupting user space
> state somehow.
> 
> This is with tip/WIP.x86/mm plus a patch to remove the KAISER dependency
> on !PARAVIRT.

See the patches I posted. It's the PV patching of flush_tlb_single() ...

Thanks,

	tglx
