[PATCH v2 03/20] x86/mm: temporary mm struct
Nadav Amit
namit at vmware.com
Thu Jan 31 22:19:54 UTC 2019
> On Jan 31, 2019, at 3:29 AM, Borislav Petkov <bp at alien8.de> wrote:
>
>> Subject: Re: [PATCH v2 03/20] x86/mm: temporary mm struct
>
> Subject needs a verb: "Add a temporary... "
>
> On Mon, Jan 28, 2019 at 04:34:05PM -0800, Rick Edgecombe wrote:
>> From: Andy Lutomirski <luto at kernel.org>
>>
>> Sometimes we want to set a temporary page-table entries (PTEs) in one of
>
> s/a //
>
> Also, drop the "we" and make it impartial and passive:
>
> "Describe your changes in imperative mood, e.g. "make xyzzy do frotz"
> instead of "[This patch] makes xyzzy do frotz" or "[I] changed xyzzy
> to do frotz", as if you are giving orders to the codebase to change
> its behaviour."
>
>> the cores, without allowing other cores to use - even speculatively -
>> these mappings. There are two benefits for doing so:
>>
>> (1) Security: if sensitive PTEs are set, temporary mm prevents their use
>> in other cores. This hardens the security as it prevents exploding a
>
> exploding or exploiting? Or exposing? :)
>
>> dangling pointer to overwrite sensitive data using the sensitive PTE.
>>
>> (2) Avoiding TLB shootdowns: the PTEs do not need to be flushed in
>> remote page-tables.
>
> Those belong in the code comments below, explaining what it is going to
> be used for.
I will add it to the code as well.
>
>> To do so a temporary mm_struct can be used. Mappings which are private
>> for this mm can be set in the userspace part of the address-space.
>> During the whole time in which the temporary mm is loaded, interrupts
>> must be disabled.
>>
>> The first use-case for temporary PTEs, which will follow, is for poking
>> the kernel text.
>>
>> [ Commit message was written by Nadav ]
>>
>> Cc: Kees Cook <keescook at chromium.org>
>> Cc: Dave Hansen <dave.hansen at intel.com>
>> Acked-by: Peter Zijlstra (Intel) <peterz at infradead.org>
>> Reviewed-by: Masami Hiramatsu <mhiramat at kernel.org>
>> Tested-by: Masami Hiramatsu <mhiramat at kernel.org>
>> Signed-off-by: Andy Lutomirski <luto at kernel.org>
>> Signed-off-by: Nadav Amit <namit at vmware.com>
>> Signed-off-by: Rick Edgecombe <rick.p.edgecombe at intel.com>
>> ---
>> arch/x86/include/asm/mmu_context.h | 32 ++++++++++++++++++++++++++++++
>> 1 file changed, 32 insertions(+)
>>
>> diff --git a/arch/x86/include/asm/mmu_context.h b/arch/x86/include/asm/mmu_context.h
>> index 19d18fae6ec6..cd0c29e494a6 100644
>> --- a/arch/x86/include/asm/mmu_context.h
>> +++ b/arch/x86/include/asm/mmu_context.h
>> @@ -356,4 +356,36 @@ static inline unsigned long __get_current_cr3_fast(void)
>> return cr3;
>> }
>>
>> +typedef struct {
>
> Why does it have to be a typedef?
Having a different struct can prevent the misuse of using mm_structs in
unuse_temporary_mm() that were not “used” using use_temporary_mm. The
typedef, I presume, can deter users from starting to play with the internal
“private” fields.
> That prev.prev below looks unnecessary, instead of just using prev.
>
>> + struct mm_struct *prev;
>
> Why "prev”?
This is obviously the previous active mm. Feel free to suggest an
alternative name.
>> +} temporary_mm_state_t;
>
> That's kinda long - it is longer than the function name below.
> temp_mm_state_t not enough?
I will change it.
>
>> +
>> +/*
>> + * Using a temporary mm allows to set temporary mappings that are not accessible
>> + * by other cores. Such mappings are needed to perform sensitive memory writes
>> + * that override the kernel memory protections (e.g., W^X), without exposing the
>> + * temporary page-table mappings that are required for these write operations to
>> + * other cores.
>> + *
>> + * Context: The temporary mm needs to be used exclusively by a single core. To
>> + * harden security IRQs must be disabled while the temporary mm is
> ^
> ,
>
>> + * loaded, thereby preventing interrupt handler bugs from override the
>
> s/override/overriding/
I will fix all of these typos, comment. Thank you.
Meta-question: could you please review the entire patch-set? This is
actually v9 of this particular patch - it was part of a separate patch-set
before. I don’t think that the patch has changed since (the real) v1.
These sporadic comments after each version really makes it hard to get this
work completed.
More information about the Linux-security-module-archive
mailing list