From: Rik van Riel <riel@redhat.com>
To: Dave Hansen <dave.hansen@linux.intel.com>, linux-kernel@vger.kernel.org
Cc: linux-mm@kvack.org, bp@suse.de, tglx@linutronix.de,
moritz.lipp@iaik.tugraz.at, daniel.gruss@iaik.tugraz.at,
michael.schwarz@iaik.tugraz.at,
richard.fellner@student.tugraz.at, luto@kernel.org,
torvalds@linux-foundation.org, keescook@google.com,
hughd@google.com, x86@kernel.org
Subject: Re: [PATCH 04/30] x86, kaiser: disable global pages by default with KAISER
Date: Tue, 14 Nov 2017 14:38:45 -0500 [thread overview]
Message-ID: <1510688325.1080.1.camel@redhat.com> (raw)
In-Reply-To: <20171110193105.02A90543@viggo.jf.intel.com>
[-- Attachment #1: Type: text/plain, Size: 1819 bytes --]
On Fri, 2017-11-10 at 11:31 -0800, Dave Hansen wrote:
> From: Dave Hansen <dave.hansen@linux.intel.com>
>
> Global pages stay in the TLB across context switches. Since all
> contexts
> share the same kernel mapping, these mappings are marked as global
> pages
> so kernel entries in the TLB are not flushed out on a context switch.
>
> But, even having these entries in the TLB opens up something that an
> attacker can use [1].
>
> That means that even when KAISER switches page tables on return to
> user
> space the global pages would stay in the TLB cache.
>
> Disable global pages so that kernel TLB entries can be flushed before
> returning to user space. This way, all accesses to kernel addresses
> from
> userspace result in a TLB miss independent of the existence of a
> kernel
> mapping.
>
> Replace _PAGE_GLOBAL by __PAGE_KERNEL_GLOBAL and keep _PAGE_GLOBAL
> available so that it can still be used for a few selected kernel
> mappings
> which must be visible to userspace, when KAISER is enabled, like the
> entry/exit code and data.
Nice changelog.
Why am I pointing this out?
> +++ b/arch/x86/include/asm/pgtable_types.h 2017-11-10
> 11:22:06.626244956 -0800
> @@ -179,8 +179,20 @@ enum page_cache_mode {
> #define PAGE_READONLY_EXEC __pgprot(_PAGE_PRESENT |
> _PAGE_USER | \
> _PAGE_ACCESSED)
>
> +/*
> + * Disable global pages for anything using the default
> + * __PAGE_KERNEL* macros. PGE will still be enabled
> + * and _PAGE_GLOBAL may still be used carefully.
> + */
> +#ifdef CONFIG_KAISER
> +#define __PAGE_KERNEL_GLOBAL 0
> +#else
> +#define __PAGE_KERNEL_GLOBAL _PAGE_GLOBAL
> +#endif
> +
The comment above could use a little more info
on why things are done that way, though :)
--
All rights reversed
[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 473 bytes --]
next prev parent reply other threads:[~2017-11-14 19:38 UTC|newest]
Thread overview: 155+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-11-10 19:30 [PATCH 00/30] [v3] KAISER: unmap most of the kernel from userspace page tables Dave Hansen
2017-11-10 19:30 ` Dave Hansen
2017-11-10 19:31 ` [PATCH 01/30] x86, mm: do not set _PAGE_USER for init_mm " Dave Hansen
2017-11-10 19:31 ` Dave Hansen
2017-11-10 19:31 ` [PATCH 02/30] x86, tlb: Make CR4-based TLB flushes more robust Dave Hansen
2017-11-10 19:31 ` Dave Hansen
2017-11-10 19:31 ` [PATCH 03/30] x86/mm: Document X86_CR4_PGE toggling behavior Dave Hansen
2017-11-10 19:31 ` Dave Hansen
2017-11-10 19:31 ` [PATCH 04/30] x86, kaiser: disable global pages by default with KAISER Dave Hansen
2017-11-10 19:31 ` Dave Hansen
2017-11-14 19:38 ` Rik van Riel [this message]
2017-11-26 14:48 ` Ingo Molnar
2017-11-26 14:48 ` Ingo Molnar
2017-11-27 11:37 ` Thomas Gleixner
2017-11-27 11:37 ` Thomas Gleixner
2017-11-27 13:20 ` [PATCH v2] x86/mm/kaiser: Disable " Ingo Molnar
2017-11-27 13:20 ` Ingo Molnar
2017-11-27 13:23 ` Thomas Gleixner
2017-11-27 13:23 ` Thomas Gleixner
2017-11-27 13:27 ` Ingo Molnar
2017-11-27 13:27 ` Ingo Molnar
2017-11-10 19:31 ` [PATCH 05/30] x86, kaiser: prepare assembly for entry/exit CR3 switching Dave Hansen
2017-11-10 19:31 ` Dave Hansen
2017-11-20 12:17 ` Thomas Gleixner
2017-11-20 12:17 ` Thomas Gleixner
2017-11-10 19:31 ` [PATCH 06/30] x86, kaiser: introduce user-mapped per-cpu areas Dave Hansen
2017-11-10 19:31 ` Dave Hansen
2017-11-10 19:31 ` [PATCH 07/30] x86, kaiser: mark per-cpu data structures required for entry/exit Dave Hansen
2017-11-10 19:31 ` Dave Hansen
2017-11-10 19:31 ` [PATCH 08/30] x86, kaiser: unmap kernel from userspace page tables (core patch) Dave Hansen
2017-11-10 19:31 ` Dave Hansen
2017-11-20 17:21 ` Thomas Gleixner
2017-11-20 17:21 ` Thomas Gleixner
2017-11-22 22:45 ` Dave Hansen
2017-11-22 22:45 ` Dave Hansen
2017-11-22 22:50 ` Dave Hansen
2017-11-22 22:50 ` Dave Hansen
2017-11-22 22:54 ` Dave Hansen
2017-11-22 22:54 ` Dave Hansen
2017-11-22 23:11 ` Dave Hansen
2017-11-22 23:11 ` Dave Hansen
2017-11-10 19:31 ` [PATCH 09/30] x86, kaiser: only populate shadow page tables for userspace Dave Hansen
2017-11-10 19:31 ` Dave Hansen
2017-11-20 20:12 ` Thomas Gleixner
2017-11-20 20:12 ` Thomas Gleixner
2017-11-21 7:05 ` Ingo Molnar
2017-11-21 7:05 ` Ingo Molnar
2017-11-21 22:09 ` Dave Hansen
2017-11-21 22:09 ` Dave Hansen
2017-11-22 3:44 ` Andy Lutomirski
2017-11-22 3:44 ` Andy Lutomirski
2017-11-22 23:30 ` Dave Hansen
2017-11-22 23:30 ` Dave Hansen
2017-11-10 19:31 ` [PATCH 10/30] x86, kaiser: allow NX poison to be set in p4d/pgd Dave Hansen
2017-11-10 19:31 ` Dave Hansen
2017-11-10 19:31 ` [PATCH 11/30] x86, kaiser: make sure static PGDs are 8k in size Dave Hansen
2017-11-10 19:31 ` Dave Hansen
2017-11-10 19:31 ` [PATCH 12/30] x86, kaiser: map GDT into user page tables Dave Hansen
2017-11-10 19:31 ` Dave Hansen
2017-11-20 20:22 ` Thomas Gleixner
2017-11-20 20:22 ` Thomas Gleixner
2017-11-20 20:46 ` Andy Lutomirski
2017-11-20 20:46 ` Andy Lutomirski
2017-11-20 20:55 ` Thomas Gleixner
2017-11-20 20:55 ` Thomas Gleixner
2017-11-21 21:19 ` Dave Hansen
2017-11-21 21:19 ` Dave Hansen
2017-11-21 22:46 ` Andy Lutomirski
2017-11-21 22:46 ` Andy Lutomirski
2017-11-21 23:17 ` Dave Hansen
2017-11-21 23:17 ` Dave Hansen
2017-11-21 23:32 ` Andy Lutomirski
2017-11-21 23:32 ` Andy Lutomirski
2017-11-21 23:42 ` Dave Hansen
2017-11-21 23:42 ` Dave Hansen
2017-11-22 0:17 ` Andy Lutomirski
2017-11-22 0:17 ` Andy Lutomirski
2017-11-22 0:37 ` Dave Hansen
2017-11-22 0:37 ` Dave Hansen
2017-11-21 22:12 ` Dave Hansen
2017-11-21 22:12 ` Dave Hansen
2017-11-10 19:31 ` [PATCH 13/30] x86, kaiser: map dynamically-allocated LDTs Dave Hansen
2017-11-10 19:31 ` Dave Hansen
2017-11-10 19:31 ` [PATCH 14/30] x86, kaiser: map espfix structures Dave Hansen
2017-11-10 19:31 ` Dave Hansen
2017-11-10 19:31 ` [PATCH 15/30] x86, kaiser: map entry stack variables Dave Hansen
2017-11-10 19:31 ` Dave Hansen
2017-11-10 19:31 ` [PATCH 16/30] x86, kaiser: map trace interrupt entry Dave Hansen
2017-11-10 19:31 ` Dave Hansen
2017-11-10 19:31 ` [PATCH 17/30] x86, kaiser: map debug IDT tables Dave Hansen
2017-11-10 19:31 ` Dave Hansen
2017-11-20 20:40 ` Thomas Gleixner
2017-11-20 20:40 ` Thomas Gleixner
2017-11-21 22:16 ` Dave Hansen
2017-11-21 22:16 ` Dave Hansen
2017-11-20 20:44 ` Andy Lutomirski
2017-11-20 20:44 ` Andy Lutomirski
2017-11-20 20:54 ` Thomas Gleixner
2017-11-20 20:54 ` Thomas Gleixner
2017-11-10 19:31 ` [PATCH 18/30] x86, kaiser: map virtually-addressed performance monitoring buffers Dave Hansen
2017-11-10 19:31 ` Dave Hansen
2017-11-14 18:20 ` Peter Zijlstra
2017-11-14 18:20 ` Peter Zijlstra
2017-11-14 18:28 ` Dave Hansen
2017-11-14 18:28 ` Dave Hansen
2017-11-14 19:10 ` Hugh Dickins
2017-11-14 19:10 ` Hugh Dickins
2017-11-14 19:24 ` Andy Lutomirski
2017-11-14 19:24 ` Andy Lutomirski
2017-11-15 9:41 ` Peter Zijlstra
2017-11-15 9:41 ` Peter Zijlstra
2017-11-10 19:31 ` [PATCH 19/30] x86, mm: Move CR3 construction functions Dave Hansen
2017-11-10 19:31 ` Dave Hansen
2017-11-10 19:31 ` [PATCH 20/30] x86, mm: remove hard-coded ASID limit checks Dave Hansen
2017-11-10 19:31 ` Dave Hansen
2017-11-20 20:47 ` Thomas Gleixner
2017-11-20 20:47 ` Thomas Gleixner
2017-11-10 19:31 ` [PATCH 21/30] x86, mm: put mmu-to-h/w ASID translation in one place Dave Hansen
2017-11-10 19:31 ` Dave Hansen
2017-11-10 22:03 ` Andy Lutomirski
2017-11-10 22:03 ` Andy Lutomirski
2017-11-10 22:09 ` Dave Hansen
2017-11-10 22:09 ` Dave Hansen
2017-11-10 22:10 ` Andy Lutomirski
2017-11-10 22:10 ` Andy Lutomirski
2017-11-10 19:31 ` [PATCH 22/30] x86, pcid, kaiser: allow flushing for future ASID switches Dave Hansen
2017-11-10 19:31 ` Dave Hansen
2017-11-10 19:31 ` [PATCH 23/30] x86, kaiser: use PCID feature to make user and kernel switches faster Dave Hansen
2017-11-10 19:31 ` Dave Hansen
2017-11-16 19:19 ` Andrea Arcangeli
2017-11-16 19:19 ` Andrea Arcangeli
2017-11-16 19:25 ` Dave Hansen
2017-11-16 19:25 ` Dave Hansen
2017-11-10 19:31 ` [PATCH 24/30] x86, kaiser: disable native VSYSCALL Dave Hansen
2017-11-10 19:31 ` Dave Hansen
2017-11-10 19:31 ` [PATCH 25/30] x86, kaiser: add debugfs file to turn KAISER on/off at runtime Dave Hansen
2017-11-10 19:31 ` Dave Hansen
2017-11-10 19:31 ` [PATCH 26/30] x86, kaiser: add a function to check for KAISER being enabled Dave Hansen
2017-11-10 19:31 ` Dave Hansen
2017-11-10 19:31 ` [PATCH 27/30] x86, kaiser: un-poison PGDs at runtime Dave Hansen
2017-11-10 19:31 ` Dave Hansen
2017-11-10 19:31 ` [PATCH 28/30] x86, kaiser: allow KAISER to be enabled/disabled " Dave Hansen
2017-11-10 19:31 ` Dave Hansen
2017-11-10 19:32 ` [PATCH 29/30] x86, kaiser: add Kconfig Dave Hansen
2017-11-10 19:32 ` Dave Hansen
2017-11-10 19:32 ` [PATCH 30/30] x86, kaiser, xen: Dynamically disable KAISER when running under Xen PV Dave Hansen
2017-11-10 19:32 ` Dave Hansen
2017-11-20 16:02 ` [PATCH 00/30] [v3] KAISER: unmap most of the kernel from userspace page tables Juerg Haefliger
2017-11-20 16:02 ` Juerg Haefliger
-- strict thread matches above, loose matches on Subject: below --
2017-11-08 19:46 [PATCH 00/30] [v2] " Dave Hansen
2017-11-08 19:46 ` [PATCH 04/30] x86, kaiser: disable global pages by default with KAISER Dave Hansen
2017-11-08 19:46 ` Dave Hansen
2017-11-09 12:51 ` Borislav Petkov
2017-11-09 12:51 ` Borislav Petkov
2017-11-09 22:19 ` Thomas Gleixner
2017-11-09 22:19 ` Thomas Gleixner
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1510688325.1080.1.camel@redhat.com \
--to=riel@redhat.com \
--cc=bp@suse.de \
--cc=daniel.gruss@iaik.tugraz.at \
--cc=dave.hansen@linux.intel.com \
--cc=hughd@google.com \
--cc=keescook@google.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mm@kvack.org \
--cc=luto@kernel.org \
--cc=michael.schwarz@iaik.tugraz.at \
--cc=moritz.lipp@iaik.tugraz.at \
--cc=richard.fellner@student.tugraz.at \
--cc=tglx@linutronix.de \
--cc=torvalds@linux-foundation.org \
--cc=x86@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.