From: Ingo Molnar <mingo@kernel.org>
To: Andy Lutomirski <luto@amacapital.net>
Cc: Kees Cook <keescook@google.com>, Dave Hansen <dave@sr71.net>,
"x86@kernel.org" <x86@kernel.org>,
LKML <linux-kernel@vger.kernel.org>,
Linux-MM <linux-mm@kvack.org>,
Linus Torvalds <torvalds@linux-foundation.org>,
Andrew Morton <akpm@linux-foundation.org>,
Peter Zijlstra <a.p.zijlstra@chello.nl>,
Andy Lutomirski <luto@kernel.org>, Borislav Petkov <bp@alien8.de>
Subject: Re: [PATCH 26/26] x86, pkeys: Documentation
Date: Fri, 2 Oct 2015 08:23:40 +0200 [thread overview]
Message-ID: <20151002062340.GB30051@gmail.com> (raw)
In-Reply-To: <CALCETrWaar55uTv5q3Ym1KEdQjfgjDfwMM=PPnjb9eV+ASS_ig@mail.gmail.com>
* Andy Lutomirski <luto@amacapital.net> wrote:
> >> Assuming it boots up fine on a typical distro, i.e. assuming that there are no
> >> surprises where PROT_READ && PROT_EXEC sections are accessed as data.
> >
> > I can't wait to find out what implicitly expects PROT_READ from
> > PROT_EXEC mappings. :)
So what seems to happen is that there are no pure PROT_EXEC mappings in practice -
they are only omnibus PROT_READ|PROT_EXEC mappings, an unknown proportion of which
truly relies on PROT_READ:
$ for C in firefox ls perf libreoffice google-chrome Xorg xterm \
konsole; do echo; echo "# $C:"; strace -e trace=mmap -f $C -h 2>&1 | cut -d, -f3 | \
grep PROT | sort | uniq -c; done
# firefox:
13 PROT_READ
82 PROT_READ|PROT_EXEC
184 PROT_READ|PROT_WRITE
2 PROT_READ|PROT_WRITE|PROT_EXEC
# ls:
2 PROT_READ
7 PROT_READ|PROT_EXEC
17 PROT_READ|PROT_WRITE
# perf:
1 PROT_READ
20 PROT_READ|PROT_EXEC
44 PROT_READ|PROT_WRITE
# libreoffice:
2 PROT_NONE
87 PROT_READ
148 PROT_READ|PROT_EXEC
339 PROT_READ|PROT_WRITE
# google-chrome:
39 PROT_READ
121 PROT_READ|PROT_EXEC
345 PROT_READ|PROT_WRITE
# Xorg:
1 PROT_READ
22 PROT_READ|PROT_EXEC
39 PROT_READ|PROT_WRITE
# xterm:
1 PROT_READ
25 PROT_READ|PROT_EXEC
46 PROT_READ|PROT_WRITE
# konsole:
1 PROT_READ
101 PROT_READ|PROT_EXEC
175 PROT_READ|PROT_WRITE
So whatever kernel side method we come up with, it's not something that I expect
to become production quality. "Proper" conversion to pkeys has to be driven from
the user-space side.
That does not mean we can not try! :-)
> There's one annoying issue at least:
>
> mprotect_pkey(..., PROT_READ | PROT_EXEC, 0) sets protection key 0.
> mprotect_pkey(..., PROT_EXEC, 0) maybe sets protection key 15 or
> whatever we use for this. What does mprotect_pkey(..., PROT_EXEC, 0)
> do? What if the caller actually wants key 0? What if some CPU vendor
> some day implements --x for real?
That comes from the hardcoded "user-space has 4 bits to itself, not managed by the
kernel" assumption in the whole design. So no layering between different
user-space libraries using pkeys in a different fashion, no transparent kernel use
of pkeys (such as it may be), etc.
I'm not sure it's _worth_ managing these 4 bits, but '16 separate keys' does seem
to be to me above a certain resource threshold that should be more explicitly
managed than telling user-space: "it's all yours!".
> Also, how do we do mprotect_pkey and say "don't change the key"?
So if we start managing keys as a resource (i.e. alloc/free up to 16 of them), and
provide APIs for user-space to do all that, then user-space is not supposed to
touch keys it has not allocated for itself - just like it's not supposed to write
to fds it has not opened.
Such an allocation method can still 'mess up', and if the kernel allocates a key
for its purposes it should not assume that user-space cannot change it, but at
least for non-buggy code there's no interaction and it would work out fine.
Thanks,
Ingo
--
To unsubscribe, send a message with 'unsubscribe linux-mm' in
the body to majordomo@kvack.org. For more info on Linux MM,
see: http://www.linux-mm.org/ .
Don't email: <a href=mailto:"dont@kvack.org"> email@kvack.org </a>
WARNING: multiple messages have this Message-ID (diff)
From: Ingo Molnar <mingo@kernel.org>
To: Andy Lutomirski <luto@amacapital.net>
Cc: Kees Cook <keescook@google.com>, Dave Hansen <dave@sr71.net>,
"x86@kernel.org" <x86@kernel.org>,
LKML <linux-kernel@vger.kernel.org>,
Linux-MM <linux-mm@kvack.org>,
Linus Torvalds <torvalds@linux-foundation.org>,
Andrew Morton <akpm@linux-foundation.org>,
Peter Zijlstra <a.p.zijlstra@chello.nl>,
Andy Lutomirski <luto@kernel.org>, Borislav Petkov <bp@alien8.de>
Subject: Re: [PATCH 26/26] x86, pkeys: Documentation
Date: Fri, 2 Oct 2015 08:23:40 +0200 [thread overview]
Message-ID: <20151002062340.GB30051@gmail.com> (raw)
In-Reply-To: <CALCETrWaar55uTv5q3Ym1KEdQjfgjDfwMM=PPnjb9eV+ASS_ig@mail.gmail.com>
* Andy Lutomirski <luto@amacapital.net> wrote:
> >> Assuming it boots up fine on a typical distro, i.e. assuming that there are no
> >> surprises where PROT_READ && PROT_EXEC sections are accessed as data.
> >
> > I can't wait to find out what implicitly expects PROT_READ from
> > PROT_EXEC mappings. :)
So what seems to happen is that there are no pure PROT_EXEC mappings in practice -
they are only omnibus PROT_READ|PROT_EXEC mappings, an unknown proportion of which
truly relies on PROT_READ:
$ for C in firefox ls perf libreoffice google-chrome Xorg xterm \
konsole; do echo; echo "# $C:"; strace -e trace=mmap -f $C -h 2>&1 | cut -d, -f3 | \
grep PROT | sort | uniq -c; done
# firefox:
13 PROT_READ
82 PROT_READ|PROT_EXEC
184 PROT_READ|PROT_WRITE
2 PROT_READ|PROT_WRITE|PROT_EXEC
# ls:
2 PROT_READ
7 PROT_READ|PROT_EXEC
17 PROT_READ|PROT_WRITE
# perf:
1 PROT_READ
20 PROT_READ|PROT_EXEC
44 PROT_READ|PROT_WRITE
# libreoffice:
2 PROT_NONE
87 PROT_READ
148 PROT_READ|PROT_EXEC
339 PROT_READ|PROT_WRITE
# google-chrome:
39 PROT_READ
121 PROT_READ|PROT_EXEC
345 PROT_READ|PROT_WRITE
# Xorg:
1 PROT_READ
22 PROT_READ|PROT_EXEC
39 PROT_READ|PROT_WRITE
# xterm:
1 PROT_READ
25 PROT_READ|PROT_EXEC
46 PROT_READ|PROT_WRITE
# konsole:
1 PROT_READ
101 PROT_READ|PROT_EXEC
175 PROT_READ|PROT_WRITE
So whatever kernel side method we come up with, it's not something that I expect
to become production quality. "Proper" conversion to pkeys has to be driven from
the user-space side.
That does not mean we can not try! :-)
> There's one annoying issue at least:
>
> mprotect_pkey(..., PROT_READ | PROT_EXEC, 0) sets protection key 0.
> mprotect_pkey(..., PROT_EXEC, 0) maybe sets protection key 15 or
> whatever we use for this. What does mprotect_pkey(..., PROT_EXEC, 0)
> do? What if the caller actually wants key 0? What if some CPU vendor
> some day implements --x for real?
That comes from the hardcoded "user-space has 4 bits to itself, not managed by the
kernel" assumption in the whole design. So no layering between different
user-space libraries using pkeys in a different fashion, no transparent kernel use
of pkeys (such as it may be), etc.
I'm not sure it's _worth_ managing these 4 bits, but '16 separate keys' does seem
to be to me above a certain resource threshold that should be more explicitly
managed than telling user-space: "it's all yours!".
> Also, how do we do mprotect_pkey and say "don't change the key"?
So if we start managing keys as a resource (i.e. alloc/free up to 16 of them), and
provide APIs for user-space to do all that, then user-space is not supposed to
touch keys it has not allocated for itself - just like it's not supposed to write
to fds it has not opened.
Such an allocation method can still 'mess up', and if the kernel allocates a key
for its purposes it should not assume that user-space cannot change it, but at
least for non-buggy code there's no interaction and it would work out fine.
Thanks,
Ingo
next prev parent reply other threads:[~2015-10-02 6:23 UTC|newest]
Thread overview: 172+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-09-16 17:49 [PATCH 00/26] [RFCv2] x86: Memory Protection Keys Dave Hansen
2015-09-16 17:49 ` Dave Hansen
2015-09-16 17:49 ` [PATCH 02/26] x86, pkeys: Add Kconfig option Dave Hansen
2015-09-16 17:49 ` Dave Hansen
2015-09-16 17:49 ` [PATCH 03/26] x86, pkeys: cpuid bit definition Dave Hansen
2015-09-16 17:49 ` Dave Hansen
2015-09-16 17:49 ` [PATCH 01/26] x86, fpu: add placeholder for Processor Trace XSAVE state Dave Hansen
2015-09-16 17:49 ` Dave Hansen
2015-09-16 17:49 ` [PATCH 04/26] x86, pku: define new CR4 bit Dave Hansen
2015-09-16 17:49 ` Dave Hansen
2015-09-16 17:49 ` [PATCH 05/26] x86, pkey: add PKRU xsave fields and data structure(s) Dave Hansen
2015-09-16 17:49 ` Dave Hansen
2015-09-22 19:53 ` Thomas Gleixner
2015-09-22 19:53 ` Thomas Gleixner
2015-09-22 19:58 ` Dave Hansen
2015-09-22 19:58 ` Dave Hansen
2015-09-16 17:49 ` [PATCH 06/26] x86, pkeys: PTE bits for storing protection key Dave Hansen
2015-09-16 17:49 ` Dave Hansen
2015-09-16 17:49 ` [PATCH 07/26] x86, pkeys: new page fault error code bit: PF_PK Dave Hansen
2015-09-16 17:49 ` Dave Hansen
2015-09-16 17:49 ` [PATCH 08/26] x86, pkeys: store protection in high VMA flags Dave Hansen
2015-09-16 17:49 ` Dave Hansen
2015-09-16 17:49 ` [PATCH 10/26] x86, pkeys: notify userspace about protection key faults Dave Hansen
2015-09-16 17:49 ` Dave Hansen
2015-09-22 20:03 ` Thomas Gleixner
2015-09-22 20:03 ` Thomas Gleixner
2015-09-22 20:21 ` Dave Hansen
2015-09-22 20:21 ` Dave Hansen
2015-09-22 20:27 ` Thomas Gleixner
2015-09-22 20:27 ` Thomas Gleixner
2015-09-22 20:29 ` Dave Hansen
2015-09-22 20:29 ` Dave Hansen
2015-09-23 8:05 ` Ingo Molnar
2015-09-23 8:05 ` Ingo Molnar
2015-09-24 9:23 ` Ingo Molnar
2015-09-24 9:23 ` Ingo Molnar
2015-09-24 9:30 ` Ingo Molnar
2015-09-24 9:30 ` Ingo Molnar
2015-09-24 17:41 ` Dave Hansen
2015-09-24 17:41 ` Dave Hansen
2015-09-25 7:11 ` Ingo Molnar
2015-09-25 7:11 ` Ingo Molnar
2015-09-25 23:18 ` Dave Hansen
2015-09-25 23:18 ` Dave Hansen
2015-09-26 6:20 ` Ingo Molnar
2015-09-26 6:20 ` Ingo Molnar
2015-09-27 22:39 ` Dave Hansen
2015-09-27 22:39 ` Dave Hansen
2015-09-28 5:59 ` Ingo Molnar
2015-09-28 5:59 ` Ingo Molnar
2015-09-24 17:15 ` Dave Hansen
2015-09-24 17:15 ` Dave Hansen
2015-09-28 19:25 ` Christian Borntraeger
2015-09-28 19:25 ` Christian Borntraeger
2015-09-28 19:32 ` Dave Hansen
2015-09-28 19:32 ` Dave Hansen
2015-09-16 17:49 ` [PATCH 11/26] x86, pkeys: add functions for set/fetch PKRU Dave Hansen
2015-09-16 17:49 ` Dave Hansen
2015-09-22 20:05 ` Thomas Gleixner
2015-09-22 20:05 ` Thomas Gleixner
2015-09-22 20:22 ` Dave Hansen
2015-09-22 20:22 ` Dave Hansen
2015-09-16 17:49 ` [PATCH 09/26] x86, pkeys: arch-specific protection bits Dave Hansen
2015-09-16 17:49 ` Dave Hansen
2015-09-16 17:49 ` [PATCH 13/26] mm: simplify get_user_pages() PTE bit handling Dave Hansen
2015-09-16 17:49 ` Dave Hansen
2015-09-16 17:49 ` [PATCH 12/26] mm: factor out VMA fault permission checking Dave Hansen
2015-09-16 17:49 ` Dave Hansen
2015-09-16 17:49 ` [PATCH 14/26] x86, pkeys: check VMAs and PTEs for protection keys Dave Hansen
2015-09-16 17:49 ` Dave Hansen
2015-09-16 17:49 ` [PATCH 15/26] x86, pkeys: optimize fault handling in access_error() Dave Hansen
2015-09-16 17:49 ` Dave Hansen
2015-09-16 17:49 ` [PATCH 17/26] x86, pkeys: dump PTE pkey in /proc/pid/smaps Dave Hansen
2015-09-16 17:49 ` Dave Hansen
2015-09-16 17:49 ` [PATCH 16/26] x86, pkeys: dump PKRU with other kernel registers Dave Hansen
2015-09-16 17:49 ` Dave Hansen
2015-09-16 17:49 ` [PATCH 18/26] x86, pkeys: add Kconfig prompt to existing config option Dave Hansen
2015-09-16 17:49 ` Dave Hansen
2015-09-16 17:49 ` [PATCH 19/26] [NEWSYSCALL] mm, multi-arch: pass a protection key in to calc_vm_flag_bits() Dave Hansen
2015-09-16 17:49 ` Dave Hansen
2015-09-16 17:49 ` [PATCH 20/26] [NEWSYSCALL] mm: implement new mprotect_pkey() system call Dave Hansen
2015-09-16 17:49 ` Dave Hansen
2015-09-16 17:49 ` [PATCH 21/26] [NEWSYSCALL] x86: wire up mprotect_key() " Dave Hansen
2015-09-16 17:49 ` Dave Hansen
2015-09-16 17:49 ` [PATCH 22/26] [HIJACKPROT] mm: Pass the 4-bit protection key in via PROT_ bits to syscalls Dave Hansen
2015-09-16 17:49 ` Dave Hansen
2015-09-16 17:49 ` [PATCH 24/26] [HIJACKPROT] x86, pkeys: mask off pkeys bits in mprotect() Dave Hansen
2015-09-16 17:49 ` Dave Hansen
2015-09-16 17:49 ` [PATCH 23/26] [HIJACKPROT] x86, pkeys: add x86 version of arch_validate_prot() Dave Hansen
2015-09-16 17:49 ` Dave Hansen
2015-09-16 17:49 ` [PATCH 25/26] x86, pkeys: actually enable Memory Protection Keys in CPU Dave Hansen
2015-09-16 17:49 ` Dave Hansen
2015-09-16 17:49 ` [PATCH 26/26] x86, pkeys: Documentation Dave Hansen
2015-09-16 17:49 ` Dave Hansen
2015-09-20 8:55 ` Ingo Molnar
2015-09-20 8:55 ` Ingo Molnar
2015-09-21 4:34 ` Dave Hansen
2015-09-21 4:34 ` Dave Hansen
2015-09-24 9:49 ` Ingo Molnar
2015-09-24 9:49 ` Ingo Molnar
2015-09-24 19:10 ` Dave Hansen
2015-09-24 19:10 ` Dave Hansen
2015-09-24 19:17 ` Andy Lutomirski
2015-09-24 19:17 ` Andy Lutomirski
2015-09-25 7:16 ` Ingo Molnar
2015-09-25 7:16 ` Ingo Molnar
2015-09-25 6:15 ` Ingo Molnar
2015-09-25 6:15 ` Ingo Molnar
2015-10-01 11:17 ` Ingo Molnar
2015-10-01 11:17 ` Ingo Molnar
2015-10-01 20:39 ` Kees Cook
2015-10-01 20:39 ` Kees Cook
2015-10-01 20:45 ` Andy Lutomirski
2015-10-01 20:45 ` Andy Lutomirski
2015-10-02 6:23 ` Ingo Molnar [this message]
2015-10-02 6:23 ` Ingo Molnar
2015-10-02 17:50 ` Dave Hansen
2015-10-02 17:50 ` Dave Hansen
2015-10-03 7:27 ` Ingo Molnar
2015-10-03 7:27 ` Ingo Molnar
2015-10-06 23:28 ` Dave Hansen
2015-10-06 23:28 ` Dave Hansen
2015-10-07 7:11 ` Ingo Molnar
2015-10-07 7:11 ` Ingo Molnar
2015-10-16 15:12 ` Dave Hansen
2015-10-16 15:12 ` Dave Hansen
2015-10-21 18:55 ` Andy Lutomirski
2015-10-21 18:55 ` Andy Lutomirski
2015-10-21 19:11 ` Dave Hansen
2015-10-21 19:11 ` Dave Hansen
2015-10-21 23:22 ` Andy Lutomirski
2015-10-21 23:22 ` Andy Lutomirski
2015-10-01 20:58 ` Dave Hansen
2015-10-01 20:58 ` Dave Hansen
2015-10-01 22:33 ` Dave Hansen
2015-10-01 22:35 ` Kees Cook
2015-10-01 22:35 ` Kees Cook
2015-10-01 22:39 ` Dave Hansen
2015-10-01 22:39 ` Dave Hansen
2015-10-01 22:48 ` Linus Torvalds
2015-10-01 22:48 ` Linus Torvalds
2015-10-01 22:56 ` Dave Hansen
2015-10-01 22:56 ` Dave Hansen
2015-10-02 1:38 ` Linus Torvalds
2015-10-02 1:38 ` Linus Torvalds
2015-10-02 18:08 ` Dave Hansen
2015-10-02 18:08 ` Dave Hansen
2015-10-02 7:09 ` Ingo Molnar
2015-10-02 7:09 ` Ingo Molnar
2015-10-03 6:59 ` Ingo Molnar
2015-10-03 6:59 ` Ingo Molnar
2015-10-02 11:49 ` Paolo Bonzini
2015-10-02 11:49 ` Paolo Bonzini
2015-10-02 11:58 ` Linus Torvalds
2015-10-02 11:58 ` Linus Torvalds
2015-10-02 12:14 ` Paolo Bonzini
2015-10-02 12:14 ` Paolo Bonzini
2015-10-03 6:46 ` Ingo Molnar
2015-10-03 6:46 ` Ingo Molnar
2015-10-01 22:57 ` Andy Lutomirski
2015-10-01 22:57 ` Andy Lutomirski
2015-10-02 6:09 ` Ingo Molnar
2015-10-02 6:09 ` Ingo Molnar
2015-10-03 8:17 ` Ingo Molnar
2015-10-03 8:17 ` Ingo Molnar
2015-10-07 20:24 ` Dave Hansen
2015-10-07 20:24 ` Dave Hansen
2015-10-07 20:39 ` Andy Lutomirski
2015-10-07 20:39 ` Andy Lutomirski
2015-10-07 20:47 ` Dave Hansen
2015-10-07 20:47 ` Dave Hansen
2015-09-16 17:51 ` Fwd: [PATCH 00/26] [RFCv2] x86: Memory Protection Keys Dave Hansen
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20151002062340.GB30051@gmail.com \
--to=mingo@kernel.org \
--cc=a.p.zijlstra@chello.nl \
--cc=akpm@linux-foundation.org \
--cc=bp@alien8.de \
--cc=dave@sr71.net \
--cc=keescook@google.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mm@kvack.org \
--cc=luto@amacapital.net \
--cc=luto@kernel.org \
--cc=torvalds@linux-foundation.org \
--cc=x86@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.