lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <92171412-eed7-40e9-2554-adb358e65767@shipmail.org>
Date:   Tue, 10 Sep 2019 21:26:43 +0200
From:   Thomas Hellström (VMware) 
        <thomas_os@...pmail.org>
To:     Andy Lutomirski <luto@...capital.net>,
        Christoph Hellwig <hch@...radead.org>
Cc:     Dave Hansen <dave.hansen@...el.com>, linux-kernel@...r.kernel.org,
        x86@...nel.org, pv-drivers@...are.com,
        Thomas Hellstrom <thellstrom@...are.com>,
        Dave Hansen <dave.hansen@...ux.intel.com>,
        Andy Lutomirski <luto@...nel.org>,
        Peter Zijlstra <peterz@...radead.org>,
        Thomas Gleixner <tglx@...utronix.de>,
        Ingo Molnar <mingo@...hat.com>, Borislav Petkov <bp@...en8.de>,
        "H. Peter Anvin" <hpa@...or.com>,
        Christian König <christian.koenig@....com>,
        Marek Szyprowski <m.szyprowski@...sung.com>,
        Tom Lendacky <thomas.lendacky@....com>
Subject: Re: [RFC PATCH 1/2] x86: Don't let pgprot_modify() change the page
 encryption bit

On 9/10/19 6:11 PM, Andy Lutomirski wrote:
>
>> On Sep 5, 2019, at 8:24 AM, Christoph Hellwig <hch@...radead.org> wrote:
>>
>>> On Thu, Sep 05, 2019 at 05:21:24PM +0200, Thomas Hellström (VMware) wrote:
>>>> On 9/5/19 4:15 PM, Dave Hansen wrote:
>>>> Hi Thomas,
>>>>
>>>> Thanks for the second batch of patches!  These look much improved on all
>>>> fronts.
>>> Yes, although the TTM functionality isn't in yet. Hopefully we won't have to
>>> bother you with those though, since this assumes TTM will be using the dma
>>> API.
>> Please take a look at dma_mmap_prepare and dma_mmap_fault in this
>> branch:
>>
>>     http://git.infradead.org/users/hch/misc.git/shortlog/refs/heads/dma-mmap-improvements
>>
>> they should allow to fault dma api pages in the page fault handler.  But
>> this is totally hot off the press and not actually tested for the last
>> few patches.  Note that I've also included your two patches from this
>> series to handle SEV.
> I read that patch, and it seems like you’ve built in the assumption that all pages in the mapping use identical protection or, if not, that the same fake vma hack that TTM already has is used to fudge around it.  Could it be reworked slightly to avoid this?
>
> I wonder if it’s a mistake to put the encryption bits in vm_page_prot at all.

 From my POW, the encryption bits behave quite similar in behaviour to 
the caching mode bits, and they're also in vm_page_prot. They're the 
reason TTM needs to modify the page protection in the fault handler in 
the first place.

The problem seen in TTM is that we want to be able to change the 
vm_page_prot from the fault handler, but it's problematic since we have 
the mmap_sem typically only in read mode. Hence the fake vma hack. From 
what I can tell it's reasonably well-behaved, since pte_modify() skips 
the bits TTM updates, so mprotect() and mremap() works OK. I think 
split_huge_pmd may run into trouble, but we don't support it (yet) with 
TTM.

We could probably get away with a WRITE_ONCE() update of the 
vm_page_prot before taking the page table lock since

a) We're locking out all other writers.
b) We can't race with another fault to the same vma since we hold an 
address space lock ("buffer object reservation")
c) When we need to update there are no valid page table entries in the 
vma, since it only happens directly after mmap(), or after an 
unmap_mapping_range() with the same address space lock. When another 
reader (for example split_huge_pmd()) sees a valid page table entry, it 
also sees the new page protection and things are fine.

But that would really be a special case. To solve this properly we'd 
probably need an additional lock to protect the vm_flags and 
vm_page_prot, taken after mmap_sem and i_mmap_lock.

/Thomas




Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ