[PATCH v2 03/20] x86/mm: temporary mm struct

Thu Jan 31 22:19:54 UTC 2019

> On Jan 31, 2019, at 3:29 AM, Borislav Petkov <bp at alien8.de> wrote:
> 
>> Subject: Re: [PATCH v2 03/20] x86/mm: temporary mm struct
> 
> Subject needs a verb: "Add a temporary... "
> 
> On Mon, Jan 28, 2019 at 04:34:05PM -0800, Rick Edgecombe wrote:
>> From: Andy Lutomirski <luto at kernel.org>
>> 
>> Sometimes we want to set a temporary page-table entries (PTEs) in one of
> 
> s/a //
> 
> Also, drop the "we" and make it impartial and passive:
> 
> "Describe your changes in imperative mood, e.g. "make xyzzy do frotz"
>  instead of "[This patch] makes xyzzy do frotz" or "[I] changed xyzzy
>  to do frotz", as if you are giving orders to the codebase to change
>  its behaviour."
> 
>> the cores, without allowing other cores to use - even speculatively -
>> these mappings. There are two benefits for doing so:
>> 
>> (1) Security: if sensitive PTEs are set, temporary mm prevents their use
>> in other cores. This hardens the security as it prevents exploding a
> 
> exploding or exploiting? Or exposing? :)
> 
>> dangling pointer to overwrite sensitive data using the sensitive PTE.
>> 
>> (2) Avoiding TLB shootdowns: the PTEs do not need to be flushed in
>> remote page-tables.
> 
> Those belong in the code comments below, explaining what it is going to
> be used for.

I will add it to the code as well.

> 
>> To do so a temporary mm_struct can be used. Mappings which are private
>> for this mm can be set in the userspace part of the address-space.
>> During the whole time in which the temporary mm is loaded, interrupts
>> must be disabled.
>> 
>> The first use-case for temporary PTEs, which will follow, is for poking
>> the kernel text.
>> 
>> [ Commit message was written by Nadav ]
>> 
>> Cc: Kees Cook <keescook at chromium.org>
>> Cc: Dave Hansen <dave.hansen at intel.com>
>> Acked-by: Peter Zijlstra (Intel) <peterz at infradead.org>
>> Reviewed-by: Masami Hiramatsu <mhiramat at kernel.org>
>> Tested-by: Masami Hiramatsu <mhiramat at kernel.org>
>> Signed-off-by: Andy Lutomirski <luto at kernel.org>
>> Signed-off-by: Nadav Amit <namit at vmware.com>
>> Signed-off-by: Rick Edgecombe <rick.p.edgecombe at intel.com>
>> ---
>> arch/x86/include/asm/mmu_context.h | 32 ++++++++++++++++++++++++++++++
>> 1 file changed, 32 insertions(+)
>> 
>> diff --git a/arch/x86/include/asm/mmu_context.h b/arch/x86/include/asm/mmu_context.h
>> index 19d18fae6ec6..cd0c29e494a6 100644
>> --- a/arch/x86/include/asm/mmu_context.h
>> +++ b/arch/x86/include/asm/mmu_context.h
>> @@ -356,4 +356,36 @@ static inline unsigned long __get_current_cr3_fast(void)
>> 	return cr3;
>> }
>> 
>> +typedef struct {
> 
> Why does it have to be a typedef?

Having a different struct can prevent the misuse of using mm_structs in
unuse_temporary_mm() that were not “used” using use_temporary_mm. The
typedef, I presume, can deter users from starting to play with the internal
“private” fields.

> That prev.prev below looks unnecessary, instead of just using prev.
> 
>> +	struct mm_struct *prev;
> 
> Why "prev”?

This is obviously the previous active mm. Feel free to suggest an
alternative name.

>> +} temporary_mm_state_t;
> 
> That's kinda long - it is longer than the function name below.
> temp_mm_state_t not enough?

I will change it.

> 
>> +
>> +/*
>> + * Using a temporary mm allows to set temporary mappings that are not accessible
>> + * by other cores. Such mappings are needed to perform sensitive memory writes
>> + * that override the kernel memory protections (e.g., W^X), without exposing the
>> + * temporary page-table mappings that are required for these write operations to
>> + * other cores.
>> + *
>> + * Context: The temporary mm needs to be used exclusively by a single core. To
>> + *          harden security IRQs must be disabled while the temporary mm is
> 			      ^
> 			      ,
> 
>> + *          loaded, thereby preventing interrupt handler bugs from override the
> 
> s/override/overriding/

I will fix all of these typos, comment. Thank you.

Meta-question: could you please review the entire patch-set? This is
actually v9 of this particular patch - it was part of a separate patch-set
before. I don’t think that the patch has changed since (the real) v1.

These sporadic comments after each version really makes it hard to get this
work completed.