| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <218503f6-eec1-94b0-8404-6f92c55799e3@intel.com>
Date: Tue, 8 Dec 2020 10:25:15 -0800
From: "Yu, Yu-cheng" <yu-cheng.yu@...el.com>
To: Borislav Petkov <bp@...en8.de>
Cc: x86@...nel.org, "H. Peter Anvin" <hpa@...or.com>,
Thomas Gleixner <tglx@...utronix.de>,
Ingo Molnar <mingo@...hat.com>, linux-kernel@...r.kernel.org,
linux-doc@...r.kernel.org, linux-mm@...ck.org,
linux-arch@...r.kernel.org, linux-api@...r.kernel.org,
Arnd Bergmann <arnd@...db.de>,
Andy Lutomirski <luto@...nel.org>,
Balbir Singh <bsingharora@...il.com>,
Cyrill Gorcunov <gorcunov@...il.com>,
Dave Hansen <dave.hansen@...ux.intel.com>,
Eugene Syromiatnikov <esyr@...hat.com>,
Florian Weimer <fweimer@...hat.com>,
"H.J. Lu" <hjl.tools@...il.com>, Jann Horn <jannh@...gle.com>,
Jonathan Corbet <corbet@....net>,
Kees Cook <keescook@...omium.org>,
Mike Kravetz <mike.kravetz@...cle.com>,
Nadav Amit <nadav.amit@...il.com>,
Oleg Nesterov <oleg@...hat.com>, Pavel Machek <pavel@....cz>,
Peter Zijlstra <peterz@...radead.org>,
Randy Dunlap <rdunlap@...radead.org>,
"Ravi V. Shankar" <ravi.v.shankar@...el.com>,
Vedvyas Shanbhogue <vedvyas.shanbhogue@...el.com>,
Dave Martin <Dave.Martin@....com>,
Weijiang Yang <weijiang.yang@...el.com>,
Pengfei Xu <pengfei.xu@...el.com>
Subject: Re: [PATCH v15 08/26] x86/mm: Introduce _PAGE_COW
On 12/8/2020 9:50 AM, Borislav Petkov wrote:
> On Tue, Nov 10, 2020 at 08:21:53AM -0800, Yu-cheng Yu wrote:
>> There is essentially no room left in the x86 hardware PTEs on some OSes
>> (not Linux). That left the hardware architects looking for a way to
>> represent a new memory type (shadow stack) within the existing bits.
>> They chose to repurpose a lightly-used state: Write=0,Dirty=1.
>
> It is not clear to me what the definition and semantics of that bit is.
>
> +#define _PAGE_BIT_COW _PAGE_BIT_SOFTW5 /* copy-on-write */
>
> Is it set by hw or by sw and hw uses it to know it is a shadow stack
> page, and so on.
>
> I think you should lead with its definition.
Ok.
...
>> Write=0,Dirty=1 PTEs. In places where we do create them, we need to find
>> an alternative way to represent them _without_ using the same hardware bit
>> combination. Thus, enter _PAGE_COW. This results in the following:
>>
>> (a) A modified, copy-on-write (COW) page: (R/O + _PAGE_COW)
>> (b) A R/O page that has been COW'ed: (R/O + _PAGE_COW)
>
> Both are "R/O + _PAGE_COW". Where's the difference? The dirty bit?
The PTEs are the same for both (a) and (b), but come from different routes.
>> The user page is in a R/O VMA, and get_user_pages() needs a writable
>> copy. The page fault handler creates a copy of the page and sets
>> the new copy's PTE as R/O and _PAGE_COW.
>> (c) A shadow stack PTE: (R/O + _PAGE_DIRTY_HW)
>
> So W=0, D=1 ?
Yes.
>> (d) A shared shadow stack PTE: (R/O + _PAGE_COW)
>> When a shadow stack page is being shared among processes (this happens
>> at fork()), its PTE is cleared of _PAGE_DIRTY_HW, so the next shadow
>> stack access causes a fault, and the page is duplicated and
>> _PAGE_DIRTY_HW is set again. This is the COW equivalent for shadow
>> stack pages, even though it's copy-on-access rather than copy-on-write.
>> (e) A page where the processor observed a Write=1 PTE, started a write, set
>> Dirty=1, but then observed a Write=0 PTE.
>
> How does that happen? Something changed the PTE's W bit to 0 in-between?
Yes.
...
>> diff --git a/arch/x86/include/asm/pgtable.h b/arch/x86/include/asm/pgtable.h
>> index b23697658b28..c88c7ccf0318 100644
>> --- a/arch/x86/include/asm/pgtable.h
>> +++ b/arch/x86/include/asm/pgtable.h
>> @@ -121,9 +121,9 @@ extern pmdval_t early_pmd_flags;
>> * The following only work if pte_present() is true.
>> * Undefined behaviour if not..
>> */
>> -static inline int pte_dirty(pte_t pte)
>> +static inline bool pte_dirty(pte_t pte)
>> {
>> - return pte_flags(pte) & _PAGE_DIRTY_HW;
>> + return pte_flags(pte) & _PAGE_DIRTY_BITS;
>
> Why?
>
> Does _PAGE_COW mean dirty too?
Yes. Basically [read-only & dirty] is created by software. Now the
software uses a different bit.
>> @@ -343,6 +349,17 @@ static inline pte_t pte_mkold(pte_t pte)
>>
>> static inline pte_t pte_wrprotect(pte_t pte)
>> {
>> + /*
>> + * Blindly clearing _PAGE_RW might accidentally create
>> + * a shadow stack PTE (RW=0,Dirty=1). Move the hardware
>> + * dirty value to the software bit.
>> + */
>> + if (cpu_feature_enabled(X86_FEATURE_SHSTK)) {
>> + pte.pte |= (pte.pte & _PAGE_DIRTY_HW) >>
>> + _PAGE_BIT_DIRTY_HW << _PAGE_BIT_COW;
>
> Let that line stick out. And that shifting is not grokkable at a quick
> glance, at least not to me. Simplify?
Ok.
>> static inline pmd_t pmd_wrprotect(pmd_t pmd)
>> {
>> + /*
>> + * Blindly clearing _PAGE_RW might accidentally create
>> + * a shadow stack PMD (RW=0,Dirty=1). Move the hardware
>> + * dirty value to the software bit.
>
> This whole carefully sidestepping the possiblity of creating a shadow
> stack pXd is kinda sucky...
>
>> diff --git a/arch/x86/include/asm/pgtable_types.h b/arch/x86/include/asm/pgtable_types.h
>> index 7462a574fc93..5f764d8d9bae 100644
>> --- a/arch/x86/include/asm/pgtable_types.h
>> +++ b/arch/x86/include/asm/pgtable_types.h
>> @@ -23,7 +23,8 @@
>> #define _PAGE_BIT_SOFTW2 10 /* " */
>> #define _PAGE_BIT_SOFTW3 11 /* " */
>> #define _PAGE_BIT_PAT_LARGE 12 /* On 2MB or 1GB pages */
>> -#define _PAGE_BIT_SOFTW4 58 /* available for programmer */
>> +#define _PAGE_BIT_SOFTW4 57 /* available for programmer */
>> +#define _PAGE_BIT_SOFTW5 58 /* available for programmer */
>> #define _PAGE_BIT_PKEY_BIT0 59 /* Protection Keys, bit 1/4 */
>> #define _PAGE_BIT_PKEY_BIT1 60 /* Protection Keys, bit 2/4 */
>> #define _PAGE_BIT_PKEY_BIT2 61 /* Protection Keys, bit 3/4 */
>> @@ -36,6 +37,16 @@
>> #define _PAGE_BIT_SOFT_DIRTY _PAGE_BIT_SOFTW3 /* software dirty tracking */
>> #define _PAGE_BIT_DEVMAP _PAGE_BIT_SOFTW4
>>
>> +/*
>> + * This bit indicates a copy-on-write page, and is different from
>> + * _PAGE_BIT_SOFT_DIRTY, which tracks which pages a task writes to.
>> + */
>> +#ifdef CONFIG_X86_64
>
> CONFIG_X86_64 ? Do all x86 machines out there support CET?
>
> If anything, CONFIG_X86_CET...
Ok.
--
Yu-cheng
Powered by blists - more mailing lists