| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <0dc45181-de7e-4d97-9178-573c6f683f55@redhat.com>
Date: Tue, 9 Jul 2024 23:09:29 +0200
From: David Hildenbrand <david@...hat.com>
To: Patrick Roy <roypat@...zon.co.uk>, seanjc@...gle.com,
pbonzini@...hat.com, akpm@...ux-foundation.org, dwmw@...zon.co.uk,
rppt@...nel.org
Cc: tglx@...utronix.de, mingo@...hat.com, bp@...en8.de,
dave.hansen@...ux.intel.com, x86@...nel.org, hpa@...or.com,
willy@...radead.org, graf@...zon.com, derekmn@...zon.com,
kalyazin@...zon.com, kvm@...r.kernel.org, linux-kernel@...r.kernel.org,
linux-mm@...ck.org, dmatlack@...gle.com, tabba@...gle.com,
chao.p.peng@...ux.intel.com, xmarcalx@...zon.co.uk
Subject: Re: [RFC PATCH 7/8] mm: secretmem: use AS_INACCESSIBLE to prohibit
GUP
On 09.07.24 15:20, Patrick Roy wrote:
> Inside of vma_is_secretmem and secretmem_mapping, instead of checking
> whether a vm_area_struct/address_space has the secretmem ops structure
> attached to it, check whether the address_space has the AS_INACCESSIBLE
> bit set. Then set the AS_INACCESSIBLE flag for secretmem's
> address_space.
>
> This means that get_user_pages and friends are disables for all
> adress_spaces that set AS_INACCESIBLE. The AS_INACCESSIBLE flag was
> introduced in commit c72ceafbd12c ("mm: Introduce AS_INACCESSIBLE for
> encrypted/confidential memory") specifically for guest_memfd to indicate
> that no reads and writes should ever be done to guest_memfd
> address_spaces. Disallowing gup seems like a reasonable semantic
> extension, and means that potential future mmaps of guest_memfd cannot
> be GUP'd.
>
> Signed-off-by: Patrick Roy <roypat@...zon.co.uk>
> ---
> include/linux/secretmem.h | 13 +++++++++++--
> mm/secretmem.c | 6 +-----
> 2 files changed, 12 insertions(+), 7 deletions(-)
>
> diff --git a/include/linux/secretmem.h b/include/linux/secretmem.h
> index e918f96881f5..886c8f7eb63e 100644
> --- a/include/linux/secretmem.h
> +++ b/include/linux/secretmem.h
> @@ -8,10 +8,19 @@ extern const struct address_space_operations secretmem_aops;
>
> static inline bool secretmem_mapping(struct address_space *mapping)
> {
> - return mapping->a_ops == &secretmem_aops;
> + return mapping->flags & AS_INACCESSIBLE;
> +}
> +
> +static inline bool vma_is_secretmem(struct vm_area_struct *vma)
> +{
> + struct file *file = vma->vm_file;
> +
> + if (!file)
> + return false;
> +
> + return secretmem_mapping(file->f_inode->i_mapping);
> }
That sounds wrong. You should leave *secretmem alone and instead have
something like inaccessible_mapping that is used where appropriate.
vma_is_secretmem() should not suddenly succeed on something that is not
mm/secretmem.c
--
Cheers,
David / dhildenb
Powered by blists - more mailing lists