lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20180108170531.um2sb5wm6u4dc3rb@gmail.com>
Date:   Mon, 8 Jan 2018 18:05:31 +0100
From:   Ingo Molnar <mingo@...nel.org>
To:     Willy Tarreau <w@....eu>
Cc:     linux-kernel@...r.kernel.org, x86@...nel.org, tglx@...utronix.de,
        gnomes@...rguk.ukuu.org.uk, torvalds@...ux-foundation.org,
        Peter Zijlstra <a.p.zijlstra@...llo.nl>,
        Borislav Petkov <bp@...en8.de>,
        Josh Poimboeuf <jpoimboe@...hat.com>,
        Andy Lutomirski <luto@...nel.org>,
        Dave Hansen <dave.hansen@...ux.intel.com>
Subject: Re: [PATCH RFC 2/4] x86/arch_prctl: add ARCH_GET_NOPTI and
 ARCH_SET_NOPTI to enable/disable PTI


(Expanded the Cc: list.)

* Willy Tarreau <w@....eu> wrote:

> This allows to report the current state of the PTI protection and to
> enable or disable it for the current task.
> 
> Signed-off-by: Willy Tarreau <w@....eu>
> ---
>  arch/x86/include/uapi/asm/prctl.h |  3 +++
>  arch/x86/kernel/process_64.c      | 24 ++++++++++++++++++++++++
>  2 files changed, 27 insertions(+)
> 
> diff --git a/arch/x86/include/uapi/asm/prctl.h b/arch/x86/include/uapi/asm/prctl.h
> index 5a6aac9..1f1b5bc 100644
> --- a/arch/x86/include/uapi/asm/prctl.h
> +++ b/arch/x86/include/uapi/asm/prctl.h
> @@ -10,6 +10,9 @@
>  #define ARCH_GET_CPUID		0x1011
>  #define ARCH_SET_CPUID		0x1012
>  
> +#define ARCH_GET_NOPTI		0x1021
> +#define ARCH_SET_NOPTI		0x1022
> +
>  #define ARCH_MAP_VDSO_X32	0x2001
>  #define ARCH_MAP_VDSO_32	0x2002
>  #define ARCH_MAP_VDSO_64	0x2003
> diff --git a/arch/x86/kernel/process_64.c b/arch/x86/kernel/process_64.c
> index c754662..1686d3d 100644
> --- a/arch/x86/kernel/process_64.c
> +++ b/arch/x86/kernel/process_64.c
> @@ -654,6 +654,30 @@ long do_arch_prctl_64(struct task_struct *task, int option, unsigned long arg2)
>  		ret = put_user(base, (unsigned long __user *)arg2);
>  		break;
>  	}
> +	case ARCH_GET_NOPTI: {
> +		unsigned long flag;
> +
> +		printk(KERN_DEBUG "get1: task=%p ti=%p fl=%16lx\n", task, task_thread_info(task), task_thread_info(task)->flags);
> +		flag = !!(task_thread_info(task)->flags & _TIF_NOPTI);
> +		ret = put_user(flag, (unsigned long __user *)arg2);
> +		break;
> +	}
> +
> +	case ARCH_SET_NOPTI:
> +		if (!capable(CAP_SYS_RAWIO))
> +			return -EPERM;
> +
> +		printk(KERN_DEBUG "set1: task=%p ti=%p fl=%16lx doit=%d arg2=%ld\n", task, task_thread_info(task), task_thread_info(task)->flags, doit, arg2);
> +
> +		if (doit) {
> +			if (arg2)
> +				task_thread_info(task)->flags |= _TIF_NOPTI;
> +			else
> +				task_thread_info(task)->flags &= ~_TIF_NOPTI;
> +
> +			printk(KERN_DEBUG "set2: task=%p ti=%p fl=%16lx\n", task, task_thread_info(task), task_thread_info(task)->flags);
> +		}
> +		break;

Btw., we could enforce the CAP_SYS_RAWIO permission check only if it's _clearing_ 
the PTI flag.

I.e. this would allow apps and runtime environments to opt into PTI, without 
having to rely on external security frameworks getting it right.

Note that there is somewhat of a fuzzy detail regarding AMD CPUs which are marked 
as 'Meltdown safe': should an explicit request to turn on PTI be honored by the 
kernel? Should that be some sort of separate 'force PTI on' attribute?

Thanks,

	Ingo

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ