| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 10 Sep 2019 21:26:43 +0200
From: Thomas Hellström (VMware)
<thomas_os@...pmail.org>
To: Andy Lutomirski <luto@...capital.net>,
Christoph Hellwig <hch@...radead.org>
Cc: Dave Hansen <dave.hansen@...el.com>, linux-kernel@...r.kernel.org,
x86@...nel.org, pv-drivers@...are.com,
Thomas Hellstrom <thellstrom@...are.com>,
Dave Hansen <dave.hansen@...ux.intel.com>,
Andy Lutomirski <luto@...nel.org>,
Peter Zijlstra <peterz@...radead.org>,
Thomas Gleixner <tglx@...utronix.de>,
Ingo Molnar <mingo@...hat.com>, Borislav Petkov <bp@...en8.de>,
"H. Peter Anvin" <hpa@...or.com>,
Christian König <christian.koenig@....com>,
Marek Szyprowski <m.szyprowski@...sung.com>,
Tom Lendacky <thomas.lendacky@....com>
Subject: Re: [RFC PATCH 1/2] x86: Don't let pgprot_modify() change the page
encryption bit
On 9/10/19 6:11 PM, Andy Lutomirski wrote:
>
>> On Sep 5, 2019, at 8:24 AM, Christoph Hellwig <hch@...radead.org> wrote:
>>
>>> On Thu, Sep 05, 2019 at 05:21:24PM +0200, Thomas Hellström (VMware) wrote:
>>>> On 9/5/19 4:15 PM, Dave Hansen wrote:
>>>> Hi Thomas,
>>>>
>>>> Thanks for the second batch of patches! These look much improved on all
>>>> fronts.
>>> Yes, although the TTM functionality isn't in yet. Hopefully we won't have to
>>> bother you with those though, since this assumes TTM will be using the dma
>>> API.
>> Please take a look at dma_mmap_prepare and dma_mmap_fault in this
>> branch:
>>
>> http://git.infradead.org/users/hch/misc.git/shortlog/refs/heads/dma-mmap-improvements
>>
>> they should allow to fault dma api pages in the page fault handler. But
>> this is totally hot off the press and not actually tested for the last
>> few patches. Note that I've also included your two patches from this
>> series to handle SEV.
> I read that patch, and it seems like you’ve built in the assumption that all pages in the mapping use identical protection or, if not, that the same fake vma hack that TTM already has is used to fudge around it. Could it be reworked slightly to avoid this?
>
> I wonder if it’s a mistake to put the encryption bits in vm_page_prot at all.
From my POW, the encryption bits behave quite similar in behaviour to
the caching mode bits, and they're also in vm_page_prot. They're the
reason TTM needs to modify the page protection in the fault handler in
the first place.
The problem seen in TTM is that we want to be able to change the
vm_page_prot from the fault handler, but it's problematic since we have
the mmap_sem typically only in read mode. Hence the fake vma hack. From
what I can tell it's reasonably well-behaved, since pte_modify() skips
the bits TTM updates, so mprotect() and mremap() works OK. I think
split_huge_pmd may run into trouble, but we don't support it (yet) with
TTM.
We could probably get away with a WRITE_ONCE() update of the
vm_page_prot before taking the page table lock since
a) We're locking out all other writers.
b) We can't race with another fault to the same vma since we hold an
address space lock ("buffer object reservation")
c) When we need to update there are no valid page table entries in the
vma, since it only happens directly after mmap(), or after an
unmap_mapping_range() with the same address space lock. When another
reader (for example split_huge_pmd()) sees a valid page table entry, it
also sees the new page protection and things are fine.
But that would really be a special case. To solve this properly we'd
probably need an additional lock to protect the vm_flags and
vm_page_prot, taken after mmap_sem and i_mmap_lock.
/Thomas
Powered by blists - more mailing lists