lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <3faedf73-208b-4d16-9c4e-44eadafb9958@suse.com>
Date: Tue, 10 Jun 2025 08:00:37 +0200
From: Jürgen Groß <jgross@...e.com>
To: Mike Rapoport <rppt@...nel.org>, Peter Zijlstra <peterz@...radead.org>
Cc: Borislav Petkov <bp@...en8.de>, Dave Hansen
 <dave.hansen@...ux.intel.com>, Ingo Molnar <mingo@...hat.com>,
 "H. Peter Anvin" <hpa@...or.com>, Thomas Gleixner <tglx@...utronix.de>,
 Xin Li <xin@...or.com>, linux-kernel@...r.kernel.org,
 stable@...r.kernel.org, x86@...nel.org
Subject: Re: [PATCH 0/5] Fixes for ITS mitigation and execmem

On 03.06.25 13:14, Mike Rapoport wrote:
> From: "Mike Rapoport (Microsoft)" <rppt@...nel.org>
> 
> Hi,
> 
> Jürgen Groß reported some bugs in interaction of ITS mitigation with
> execmem [1] when running on a Xen PV guest.
> 
> These patches fix the issue by moving all the permissions management of
> ITS memory allocated from execmem into ITS code.
> 
> I didn't test on a real Xen PV guest, but I emulated !PSE variant by
> force-disabling the ROX cache in x86::execmem_arch_setup().
> 
> Peter, I took liberty to put your SoB in the patch that actually
> implements the execmem permissions management in ITS, please let me know
> if I need to update something about the authorship.
> 
> The patches are against v6.15.
> They are also available in git:
> https://web.git.kernel.org/pub/scm/linux/kernel/git/rppt/linux.git/log/?h=its-execmem/v1
> 
> [1] https://lore.kernel.org/all/20250528123557.12847-2-jgross@suse.com/
> 
> Juergen Gross (1):
>    x86/mm/pat: don't collapse pages without PSE set
> 
> Mike Rapoport (Microsoft) (3):
>    x86/Kconfig: only enable ROX cache in execmem when STRICT_MODULE_RWX is set
>    x86/its: move its_pages array to struct mod_arch_specific
>    Revert "mm/execmem: Unify early execmem_cache behaviour"
> 
> Peter Zijlstra (Intel) (1):
>    x86/its: explicitly manage permissions for ITS pages
> 
>   arch/x86/Kconfig              |  2 +-
>   arch/x86/include/asm/module.h |  8 ++++
>   arch/x86/kernel/alternative.c | 89 ++++++++++++++++++++++++++---------
>   arch/x86/mm/init_32.c         |  3 --
>   arch/x86/mm/init_64.c         |  3 --
>   arch/x86/mm/pat/set_memory.c  |  3 ++
>   include/linux/execmem.h       |  8 +---
>   include/linux/module.h        |  5 --
>   mm/execmem.c                  | 40 ++--------------
>   9 files changed, 82 insertions(+), 79 deletions(-)
> 
> 
> base-commit: 0ff41df1cb268fc69e703a08a57ee14ae967d0ca

I have tested this series to work in a Xen PV dom0 with ITS mitigation
being active. I didn't apply any of Peter's suggested add-ons.

Tested-by: Juergen Gross <jgross@...e.com>


Juergen

Download attachment "OpenPGP_0xB0DE9DD628BF132F.asc" of type "application/pgp-keys" (3684 bytes)

Download attachment "OpenPGP_signature.asc" of type "application/pgp-signature" (496 bytes)

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ