lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <YeqTP6WDbZzEJUbJ@osiris>
Date:   Fri, 21 Jan 2022 12:04:31 +0100
From:   Heiko Carstens <hca@...ux.ibm.com>
To:     Christian Borntraeger <borntraeger@...ux.ibm.com>
Cc:     Janis Schoetterl-Glausch <scgl@...ux.ibm.com>,
        Vasily Gorbik <gor@...ux.ibm.com>,
        Sven Schnelle <svens@...ux.ibm.com>,
        Nico Boehr <nrb@...ux.ibm.com>,
        Alexander Gordeev <agordeev@...ux.ibm.com>,
        linux-s390@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: Re: [RFC PATCH v1 01/10] s390/uaccess: Add storage key checked
 access to user memory

On Fri, Jan 21, 2022 at 08:32:25AM +0100, Christian Borntraeger wrote:
> So in essence adding something like this and then providing raw_copy_from/to_user_key?
> (whitespace damaged, just pasted in)
> 
> diff --git a/include/linux/uaccess.h b/include/linux/uaccess.h
> index ac0394087f7d..3b6e78ee211c 100644
> --- a/include/linux/uaccess.h
> +++ b/include/linux/uaccess.h
> @@ -201,6 +201,59 @@ copy_to_user(void __user *to, const void *from, unsigned long n)
>         return n;
>  }
> +
> +#if defined(__s390x__) && defined(CONFIG_KVM)
> +/*
> + * Variants that pass along an access key. Uses by KVM on s390x to implement
> + * key checks for guests that use storage keys Must be kept in sync with the
> + * non-key variants from above. The only difference is the _key suffix when
> + * calling raw_copy_from/to_user_key.
> + */

This is too architecture specific, I wouldn't like to see __s390__ or
KVM dependencies. This should be a bit more generic, so other
architectures _might_ also make use of this interface that is:

> +static inline __must_check unsigned long
> +_copy_from_user_key(void *to, const void __user *from, unsigned long n, u8 key)

Make key unsigned long, add support for INLINE_COPY_TO_USER, and maybe
add a wrapper, so this works on all architectures, e.g. if
raw_copy_to_user_key() is not defined, then fall back to
raw_copy_to_user() and ignore the key parameter.

Just some ideas. The _only_ concern about the previous implementation
I have, is that we could run out-of-sync with common code wrt
instrumentation and other options. Given how sensitive uaccess ops
are, I think we should try to avoid that by all cost, if possible.

Does that make sense?

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ