| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <4c3bfc27-a542-8e91-7ccf-4be8b1e6c844@intel.com>
Date: Fri, 28 May 2021 09:11:09 -0700
From: Dave Hansen <dave.hansen@...el.com>
To: Thomas Gleixner <tglx@...utronix.de>,
Dave Hansen <dave.hansen@...ux.intel.com>, linux-mm@...ck.org
Cc: linux-kernel@...r.kernel.org, mingo@...hat.com, bp@...en8.de,
x86@...nel.org, luto@...nel.org, shuah@...nel.org,
babu.moger@....com, dave.kleikamp@...cle.com, linuxram@...ibm.com,
bauerman@...ux.ibm.com
Subject: Re: [PATCH 0/5] x86/pkeys: PKRU manipulation bug fixes and cleanups
On 5/28/21 8:32 AM, Thomas Gleixner wrote:
>>
>> This series:
>> * Moves the PKRU manipulation to a more appropriate location,
>> away from the page table code
>> * Wraps get_xsave_addr() with more structured, less error-prone
>> interfaces.
>> * Conditionally hides a pkey debugfs file, eliminating the need
>> for new runtime checks to work with the new interface.
>> * Add a selftest to make it more likely to catch bugs like this
>> in the future. This improved selftest catches this issue on
>> Intel CPUs. Without the improvement, it only triggers on AMD.
> I think all of this is fundamentaly wrong.
>
> Contrary to FPU state, PKRU has to be updated at context switch
> time. There is absolutely no point in having PKRU XSAVES managed.
>
> It's broken in several ways. Anything which clears and loads the FPU
> will load the wrong PKRU value. Go figure...
>
> So the right thing is to disable PKRU in XCR0 and on sched out simply do
>
> task->thread.pkru = read_pkru();
>
> and on sched in
>
> write_pkru(task->thread.pkru);
>
> Simple, trivial and not going to be wreckaged by anything which fiddles
> with xstates. We all know by now that xstates is a trainwreck and not
> having stuff like that in there is making the fixes I'm doing way
> simpler.
As for the general sentiment that PKRU is not suitable for management
with XSAVE, I'm with you.
I have a few concerns about moving away from XSAVE management, though.
I'm not nixing the whole idea, but there are some things we need to resolve.
First is that there _may_ be ABI concerns. The pkey selftest, for
instance, manipulates the PKRU state on the signal stack and expects
PKRU to be set in XCR0 so that it can do this. I wouldn't be shocked if
some other pkey user depended on the XSAVE signal stack ABI this way.
There are also the usual concerns that folks doing user-level context
switching or other insanity get PKRU context switching for "free" when
it's XSAVE-managed. Moving away from that could break them.
I'll ask around. We could also pretty trivially put some surveillance
in the sigreturn code to look for PKRU changes.
Second, the XSAVE/FPU abomination is actually really handy for pkeys:
1. It establishes a *different* state upon signal delivery. Like
sigaltstack, this means that the signal handler can recover from
what would normally be a fatal condition like WRPKRU(0x3). I *think*
this is OK today even if the signal entry XRSTOR did not touch PKRU
since there's another write_pkru() in this path.
2. It allows the signal handler to inspect the interrupted context's
PKRU value. (used in the selftest)
3. It allows the signal handler to *override* the PKRU value of the
interrupted context. This is used in the selftest as an easy way
to let a memory access instruction execute that initially causes
a pkey-induced page fault as opposed to messing with RIP.
None of this is insurmountable. For the selftest, I need to go looking
at how important that functionality is and look for some alternatives.
Powered by blists - more mailing lists