From: Balbir Singh <bsingharora@gmail.com>
To: christophe leroy <christophe.leroy@c-s.fr>,
linuxppc-dev@lists.ozlabs.org, mpe@ellerman.id.au
Cc: naveen.n.rao@linux.vnet.ibm.com, ananth@linux.vnet.ibm.com,
paulus@samba.org, rashmica.g@gmail.com
Subject: Re: [PATCH v1 1/8] powerpc/lib/code-patching: Enhance code patching
Date: Mon, 29 May 2017 08:50:46 +1000 [thread overview]
Message-ID: <1496011846.21894.7.camel@gmail.com> (raw)
In-Reply-To: <72ff9a8a-dad8-55f3-01b0-29b24298bed0@c-s.fr>
On Sun, 2017-05-28 at 17:59 +0200, christophe leroy wrote:
>
> Le 25/05/2017 à 05:36, Balbir Singh a écrit :
> > Today our patching happens via direct copy and
> > patch_instruction. The patching code is well
> > contained in the sense that copying bits are limited.
> >
> > While considering implementation of CONFIG_STRICT_RWX,
> > the first requirement is to a create another mapping
> > that will allow for patching. We create the window using
> > text_poke_area, allocated via get_vm_area(), which might
> > be an overkill. We can do per-cpu stuff as well. The
> > downside of these patches that patch_instruction is
> > now synchornized using a lock. Other arches do similar
> > things, but use fixmaps. The reason for not using
> > fixmaps is to make use of any randomization in the
> > future. The code also relies on set_pte_at and pte_clear
> > to do the appropriate tlb flushing.
>
> Isn't it overkill to remap the text in another area ?
>
> Among the 6 arches implementing CONFIG_STRICT_KERNEL_RWX (arm, arm64,
> parisc, s390, x86/32, x86/64):
> - arm, x86/32 and x86/64 set text RW during the modification
x86 uses set_fixmap() in text_poke(), am I missing something?
> - s390 seems to uses a special instruction which bypassed write protection
> - parisc doesn't seem to implement any function which modifies kernel text.
>
> Therefore it seems only arm64 does it via another mapping.
> Wouldn't it be lighter to just unprotect memory during the modification
> as done on arm and x86 ?
>
I am not sure if the trade-off is quite that simple, for security I thought
1. It would be better to randomize text_poke_area(), which is why I dynamically
allocated it. If we start randomizing get_vm_area(), we get the benefit
2. text_poke_aread() is RW and the normal text is RX, for any attack
to succeed, it would need to find text_poke_area() at the time of patching,
patch the kernel in that small window and use the normal mapping for
execution
Generally patch_instruction() is not fast path except for ftrace, tracing.
In my tests I did not find the slow down noticable
> Or another alternative could be to disable DMMU and do the write at
> physical address ?
>
This would be worse off, I think, but we were discussing doing something
like that xmon. But for other cases, I think it opens up a bigger window.
> Christophe
Balbir Singh
next prev parent reply other threads:[~2017-05-28 22:51 UTC|newest]
Thread overview: 30+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-05-25 3:36 [PATCH v1 0/8] Enable STRICT_KERNEL_RWX Balbir Singh
2017-05-25 3:36 ` [PATCH v1 1/8] powerpc/lib/code-patching: Enhance code patching Balbir Singh
2017-05-25 9:11 ` kbuild test robot
2017-05-28 14:29 ` christophe leroy
2017-05-28 22:58 ` Balbir Singh
2017-05-29 6:55 ` Christophe LEROY
2017-05-28 15:59 ` christophe leroy
2017-05-28 22:50 ` Balbir Singh [this message]
2017-05-29 5:50 ` Christophe LEROY
2017-05-28 18:00 ` christophe leroy
2017-05-28 22:15 ` Balbir Singh
2017-05-25 3:36 ` [PATCH v1 2/8] powerpc/kprobes: Move kprobes over to patch_instruction Balbir Singh
2017-05-29 8:50 ` Christophe LEROY
2017-05-29 22:11 ` Balbir Singh
2017-05-25 3:36 ` [PATCH v1 3/8] powerpc/xmon: Add patch_instruction supporf for xmon Balbir Singh
2017-05-25 3:36 ` [PATCH v1 4/8] powerpc/vmlinux.lds: Align __init_begin to 16M Balbir Singh
2017-05-25 3:36 ` [PATCH v1 5/8] powerpc/platform/pseries/lpar: Fix updatepp and updateboltedpp Balbir Singh
2017-05-25 3:36 ` [PATCH v1 6/8] powerpc/mm/hash: Implement mark_rodata_ro() for hash Balbir Singh
2017-05-25 3:36 ` [PATCH v1 7/8] powerpc/Kconfig: Enable STRICT_KERNEL_RWX Balbir Singh
2017-05-25 16:45 ` kbuild test robot
2017-05-29 8:00 ` Christophe LEROY
2017-06-03 5:42 ` Balbir Singh
2017-06-03 5:42 ` Balbir Singh
2017-06-05 5:46 ` Michael Ellerman
2017-06-05 5:46 ` Michael Ellerman
2017-06-05 5:46 ` Michael Ellerman
2017-05-25 3:36 ` [PATCH v1 8/8] powerpc/mm/ptdump: Dump the first entry of the linear mapping as well Balbir Singh
2017-06-05 10:21 ` [v1, " Michael Ellerman
2017-05-25 6:57 ` [PATCH v1 0/8] Enable STRICT_KERNEL_RWX Balbir Singh
2017-05-30 14:32 ` Naveen N. Rao
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1496011846.21894.7.camel@gmail.com \
--to=bsingharora@gmail.com \
--cc=ananth@linux.vnet.ibm.com \
--cc=christophe.leroy@c-s.fr \
--cc=linuxppc-dev@lists.ozlabs.org \
--cc=mpe@ellerman.id.au \
--cc=naveen.n.rao@linux.vnet.ibm.com \
--cc=paulus@samba.org \
--cc=rashmica.g@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.