Message-ID: <DC169C8C-BF10-4125-AA91-29E48BB1AD6A@kernel.org>
Date: Tue, 25 Feb 2025 07:06:13 -0800
From: Kees Cook <kees@...nel.org>
To: Lorenzo Stoakes <lorenzo.stoakes@...cle.com>,
 "Berg, Benjamin" <benjamin.berg@...el.com>
CC: "jeffxu@...omium.org" <jeffxu@...omium.org>,
 "Jason@...c4.com" <Jason@...c4.com>,
 "adobriyan@...il.com" <adobriyan@...il.com>, "deller@....de" <deller@....de>,
 "gerg@...nel.org" <gerg@...nel.org>,
 "anna-maria@...utronix.de" <anna-maria@...utronix.de>,
 "davem@...emloft.net" <davem@...emloft.net>,
 "avagin@...il.com" <avagin@...il.com>, "mhocko@...e.com" <mhocko@...e.com>,
 "enh@...gle.com" <enh@...gle.com>,
 "thomas.weissschuh@...utronix.de" <thomas.weissschuh@...utronix.de>,
 "hch@....de" <hch@....de>, "hca@...ux.ibm.com" <hca@...ux.ibm.com>,
 "peterz@...radead.org" <peterz@...radead.org>,
 "adhemerval.zanella@...aro.org" <adhemerval.zanella@...aro.org>,
 "linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>,
 "ojeda@...nel.org" <ojeda@...nel.org>, "jannh@...gle.com" <jannh@...gle.com>,
 "f.fainelli@...il.com" <f.fainelli@...il.com>,
 "sroettger@...gle.com" <sroettger@...gle.com>,
 "ardb@...gle.com" <ardb@...gle.com>,
 "jorgelo@...omium.org" <jorgelo@...omium.org>,
 "rdunlap@...radead.org" <rdunlap@...radead.org>,
 "mark.rutland@....com" <mark.rutland@....com>,
 "Liam.Howlett@...cle.com" <Liam.Howlett@...cle.com>,
 "vbabka@...e.cz" <vbabka@...e.cz>, "mpe@...erman.id.au" <mpe@...erman.id.au>,
 "oleg@...hat.com" <oleg@...hat.com>,
 "willy@...radead.org" <willy@...radead.org>,
 "keescook@...omium.org" <keescook@...omium.org>,
 "peterx@...hat.com" <peterx@...hat.com>,
 "mike.rapoport@...il.com" <mike.rapoport@...il.com>,
 "mingo@...nel.org" <mingo@...nel.org>,
 "rientjes@...gle.com" <rientjes@...gle.com>,
 "groeck@...omium.org" <groeck@...omium.org>,
 "linus.walleij@...aro.org" <linus.walleij@...aro.org>,
 "pedro.falcato@...il.com" <pedro.falcato@...il.com>,
 "ardb@...nel.org" <ardb@...nel.org>,
 "42.hyeyoo@...il.com" <42.hyeyoo@...il.com>,
 "linux-mm@...ck.org" <linux-mm@...ck.org>,
 "johannes@...solutions.net" <johannes@...solutions.net>,
 "linux-hardening@...r.kernel.org" <linux-hardening@...r.kernel.org>,
 "torvalds@...ux-foundation.org" <torvalds@...ux-foundation.org>,
 "akpm@...ux-foundation.org" <akpm@...ux-foundation.org>,
 "dave.hansen@...ux.intel.com" <dave.hansen@...ux.intel.com>,
 "aleksandr.mikhalitsyn@...onical.com" <aleksandr.mikhalitsyn@...onical.com>
Subject: Re: [PATCH v7 5/7] mseal, system mappings: enable uml architecture



On February 25, 2025 2:37:11 AM PST, Lorenzo Stoakes <lorenzo.stoakes@...cle.com> wrote:
>On Tue, Feb 25, 2025 at 08:45:21AM +0000, Berg, Benjamin wrote:
>> Hi,
>>
>> On Tue, 2025-02-25 at 06:22 +0000, Lorenzo Stoakes wrote:
>> > On Mon, Feb 24, 2025 at 10:52:44PM +0000, jeffxu@...omium.org wrote:
>> > > From: Jeff Xu <jeffxu@...omium.org>
>> > >
>> > > Provide support for CONFIG_MSEAL_SYSTEM_MAPPINGS on UML, covering
>> > > the vdso.
>> > >
>> > > Testing passes on UML.
>> >
>> > Maybe expand on this by stating that it has been confirmed by Benjamin (I
>> > _believe_) that UML has no need for problematic relocation so this is known to
>> > be good.
>>
>> I may well be misreading this message, but this sounds to me that this
>> is a misinterpretation. So, just to clarify in case that is needed.
>>
>> CONFIG_MSEAL_SYSTEM_MAPPINGS does work fine for the UML kernel.
>> However, the UML kernel is a normal userspace application itself and
>> for this application to run, the host kernel must have the feature
>> disabled.
>>
>> So, UML supports the feature. But it still *cannot* run on a host
>> machine that has the feature enabled.
>
>Sigh ok. Apologies if I misunderstood.
>
>Is there any point having this for the 'guest' system? I mean security wise are
>we concerned about sealing of system mappings?

UML guests are used for testing. For example, it's the default target for KUnit's scripts. Having sealing working in the guest seems generally useful to me.

>
>I feel like having this here might just add confusion and churn if it's not
>useful.
>
>If this is useless for UML guest, let's just drop this patch.

But on the flip side, it's certainly not critical to have UML supported. I guess I just don't see a downside to keeping the patch.

-Kees


-- 
Kees Cook
