From: Ingo Molnar <mingo@kernel.org>
To: Thomas Garnier <thgarnie@google.com>
Cc: Thomas Gleixner <tglx@linutronix.de>,
Ingo Molnar <mingo@redhat.com>, "H . Peter Anvin" <hpa@zytor.com>,
Kees Cook <keescook@chromium.org>, Borislav Petkov <bp@alien8.de>,
Andy Lutomirski <luto@kernel.org>, Dave Hansen <dave@sr71.net>,
Chen Yucong <slaoub@gmail.com>,
Arjan van de Ven <arjan@linux.intel.com>,
Paul Gortmaker <paul.gortmaker@windriver.com>,
Andrew Morton <akpm@linux-foundation.org>,
Masahiro Yamada <yamada.masahiro@socionext.com>,
Sebastian Andrzej Siewior <bigeasy@linutronix.de>,
Anna-Maria Gleixner <anna-maria@linutronix.de>,
Boris Ostrovsky <boris.ostrovsky@oracle.com>,
Rasmus Villemoes <linux@rasmusvillemoes.dk>,
Michael Ellerman <mpe@ellerman.id.au>,
Juergen Gross <jgross@suse.com>,
Richard Weinberger <richard@nod.at>,
x86@kernel.org, linux-kernel@vger.kernel.org,
kernel-hardening@lists.openwall.com,
Linus Torvalds <torvalds@linux-foundation.org>,
Peter Zijlstra <a.p.zijlstra@chello.nl>
Subject: [kernel-hardening] Re: [RFC] x86/mm/KASLR: Remap GDTs at fixed location
Date: Thu, 5 Jan 2017 09:11:14 +0100
Message-ID: <20170105081114.GD2098@gmail.com>
In-Reply-To: <20170104221630.831-1-thgarnie@google.com>
* Thomas Garnier <thgarnie@google.com> wrote:
> Each processor holds a GDT in its per-cpu structure. The sgdt
> instruction gives the base address of the current GDT. This address can
> be used to bypass KASLR memory randomization. With another bug, an
> attacker could target other per-cpu structures or deduce the base of the
> main memory section (PAGE_OFFSET).
>
> In this change, a space is reserved at the end of the memory range
> available for KASLR memory randomization. The space is big enough to hold
> the maximum number of CPUs (as defined by setup_max_cpus). Each GDT is
> mapped at a specific offset based on the target CPU. Note that if there is
> not enough space available, the GDTs are not remapped.
>
> The document was changed to mention GDT remapping for KASLR. This patch
> also includes dump page tables support.
>
> This patch was tested on multiple hardware configurations and for
> hibernation support.
> void kernel_randomize_memory(void);
> +void kernel_randomize_smp(void);
> +void* kaslr_get_gdt_remap(int cpu);
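Review bot: the new declaration `void* kaslr_get_gdt_remap(int cpu);` attaches the asterisk to the type; kernel style is `void *kaslr_get_gdt_remap(int cpu);`. Since the description says the GDTs are not remapped when there is not enough space, the header should also document what this function returns in that case (NULL or otherwise) so every caller checks the result before using it.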
Yeah, no fundamental objections from me to the principle, but I get some bad vibes
from the naming here: seeing that kernel_randomize_smp() actually makes things
less random.

Also, don't we want to do this unconditionally and not allow remapping failures?
The GDT is fairly small, plus making the SGDT instruction expose fewer kernel
internals would be (marginally) useful on non-randomized kernels as well.

It also makes the code more common, more predictable, more debuggable and less
complex overall - which is pretty valuable in terms of long term security as well.

Thanks,

Ingo
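A constructed C model of the reservation scheme in the quoted patch description, added here as an illustration; it is not the kernel's code and not Thomas Garnier's patch. It assumes one 4 KiB page per CPU GDT, carves the slots from the end of the KASLR region, and makes the lookup return 0 when the reservation could not be made, which is the failure case Ingo's reply proposes removing by reserving unconditionally. All names are mine.

```c
#include <stdbool.h>
#include <stdint.h>

/* Constructed model of the layout described in the RFC, not the kernel's
 * code. Assumption: each CPU's GDT occupies one 4 KiB page. */
#define GDT_SLOT_SIZE 4096UL

struct model_region {
    uintptr_t start;      /* first byte KASLR may hand out */
    uintptr_t end;        /* one past the last byte of the region */
    uintptr_t remap_base; /* 0 until slots are reserved */
    unsigned  max_cpus;   /* stands in for setup_max_cpus */
};

/* Reserve max_cpus slots at the end of the region. Returns false and leaves
 * remap_base at 0 when the region cannot hold them, which is the "GDTs are
 * not remapped" case of the patch description. */
bool model_reserve_gdt_slots(struct model_region *r, unsigned max_cpus)
{
    uintptr_t need = (uintptr_t)max_cpus * GDT_SLOT_SIZE;

    r->remap_base = 0;
    r->max_cpus = max_cpus;
    if (max_cpus == 0 || need / GDT_SLOT_SIZE != max_cpus)
        return false;                      /* zero CPUs or overflow */
    if (r->end < r->start || r->end - r->start < need)
        return false;                      /* not enough space */
    r->remap_base = r->end - need;         /* page aligned when end is */
    return true;
}

/* Fixed address the given CPU's GDT is mapped at, or 0 when no reservation
 * exists or the CPU index is out of range; callers must check for 0. */
uintptr_t model_gdt_remap_addr(const struct model_region *r, unsigned cpu)
{
    if (r->remap_base == 0 || cpu >= r->max_cpus)
        return 0;
    return r->remap_base + (uintptr_t)cpu * GDT_SLOT_SIZE;
}

/* Convenience wrapper: reserve in a fresh region and look up one CPU. */
uintptr_t model_remap_addr_for(uintptr_t start, uintptr_t end,
                               unsigned max_cpus, unsigned cpu)
{
    struct model_region r = { .start = start, .end = end };

    if (!model_reserve_gdt_slots(&r, max_cpus))
        return 0;
    return model_gdt_remap_addr(&r, cpu);
}
```

The model treats 0 as "not remapped", which only works because a real KASLR region never starts at address 0; the test regions below are placed accordingly.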