[RFC PATCH 2/7] x86/sci: add core implementation for system call isolation
Mike Rapoport
rppt at linux.ibm.com
Sun Apr 28 05:45:05 UTC 2019
On Fri, Apr 26, 2019 at 09:49:56AM +0200, Peter Zijlstra wrote:
> On Fri, Apr 26, 2019 at 12:45:49AM +0300, Mike Rapoport wrote:
> > The initial SCI implementation allows access to any kernel data, but it
> > limits access to the code in the following way:
> > * calls and jumps to known code symbols without offset are allowed
> > * calls and jumps into a known symbol with offset are allowed only if that
> > symbol was already accessed and the offset is in the next page
> > * all other code access are blocked
>
> So if you have a large function and an in-function jump skips a page
> you're toast.
Right :(
> Why not employ the instruction decoder we have and unconditionally allow
> all direct JMP/CALL but verify indirect JMP/CALL and RET ?
Apparently I didn't dig deep enough to find the instruction decoder :)
Surely I can use it.
> Anyway, I'm fearing the overhead of this one, this cannot be fast.
Well, I think that the verification itself is not what will slow things
down the most. IMHO, the major overhead is coming from cr3 switch.
--
Sincerely yours,
Mike.
More information about the Linux-security-module-archive
mailing list