[PATCH 4.9] x86/pti: Make unpoison of pgd for trusted boot work for real

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Hugh Dickins <hughd@google.com>
To: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Cc: Dave Hansen <dave.hansen@linux.intel.com>,
	Thomas Gleixner <tglx@linutronix.de>,
	Jon Masters <jcm@redhat.com>,
	Tim Chen <tim.c.chen@linux.intel.com>,
	gnomes@lxorguk.ukuu.org.uk, peterz@infradead.org,
	ning.sun@intel.com, tboot-devel@lists.sourceforge.net,
	andi@firstfloor.org, luto@kernel.org, law@redhat.com,
	pbonzini@redhat.com, torvalds@linux-foundation.org,
	gregkh@linux-foundation.org, dwmw@amazon.co.uk, nickc@redhat.com,
	stable@vger.kernel.org, Jiri Kosina <jkosina@suse.cz>,
	Hugh Dickins <hughd@google.com>
Subject: [PATCH 4.9] x86/pti: Make unpoison of pgd for trusted boot work for real
Date: Mon, 29 Jan 2018 18:17:26 -0800	[thread overview]
Message-ID: <20180130021726.229367-1-hughd@google.com> (raw)

From: Dave Hansen <dave.hansen@linux.intel.com>

commit 445b69e3b75e42362a5bdc13c8b8f61599e2228a upstream

The inital fix for trusted boot and PTI potentially misses the pgd clearing
if pud_alloc() sets a PGD.  It probably works in *practice* because for two
adjacent calls to map_tboot_page() that share a PGD entry, the first will
clear NX, *then* allocate and set the PGD (without NX clear).  The second
call will *not* allocate but will clear the NX bit.

Defer the NX clearing to a point after it is known that all top-level
allocations have occurred.  Add a comment to clarify why.

[ tglx: Massaged changelog ]

Fixes: 262b6b30087 ("x86/tboot: Unbreak tboot with PTI enabled")
Signed-off-by: Dave Hansen <dave.hansen@linux.intel.com>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Reviewed-by: Andrea Arcangeli <aarcange@redhat.com>
Cc: Jon Masters <jcm@redhat.com>
Cc: Tim Chen <tim.c.chen@linux.intel.com>
Cc: gnomes@lxorguk.ukuu.org.uk
Cc: peterz@infradead.org
Cc: ning.sun@intel.com
Cc: tboot-devel@lists.sourceforge.net
Cc: andi@firstfloor.org
Cc: luto@kernel.org
Cc: law@redhat.com
Cc: pbonzini@redhat.com
Cc: torvalds@linux-foundation.org
Cc: gregkh@linux-foundation.org
Cc: dwmw@amazon.co.uk
Cc: nickc@redhat.com
Cc: stable@vger.kernel.org
Link: https://lkml.kernel.org/r/20180110224939.2695CD47@viggo.jf.intel.com
Cc: Jiri Kosina <jkosina@suse.cz>
Signed-off-by: Hugh Dickins <hughd@google.com>

hughd notes: I have not tested tboot, but this looks to me as necessary
and as safe in old-Kaiser backports as it is upstream; I'm not submitting
the commit-to-be-fixed 262b6b30087, since it was undone by 445b69e3b75e,
and makes conflict trouble because of 5-level's p4d versus 4-level's pgd.
---
 arch/x86/kernel/tboot.c | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/arch/x86/kernel/tboot.c b/arch/x86/kernel/tboot.c
index 8402907825b0..21454e254a4c 100644
--- a/arch/x86/kernel/tboot.c
+++ b/arch/x86/kernel/tboot.c
@@ -134,6 +134,16 @@ static int map_tboot_page(unsigned long vaddr, unsigned long pfn,
 		return -1;
 	set_pte_at(&tboot_mm, vaddr, pte, pfn_pte(pfn, prot));
 	pte_unmap(pte);
+
+	/*
+	 * PTI poisons low addresses in the kernel page tables in the
+	 * name of making them unusable for userspace.  To execute
+	 * code at such a low address, the poison must be cleared.
+	 *
+	 * Note: 'pgd' actually gets set in pud_alloc().
+	 */
+	pgd->pgd &= ~_PAGE_NX;
+
 	return 0;
 }
 
-- 
2.16.0.rc1.238.g530d649a79-goog

next             reply	other threads:[~2018-01-30  2:17 UTC|newest]

Thread overview: 2+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2018-01-30  2:17 Hugh Dickins [this message]
2018-02-05 13:00 ` Patch "x86/pti: Make unpoison of pgd for trusted boot work for real" has been added to the 4.9-stable tree gregkh

find likely ancestor, descendant, or conflicting patches for this message:
( dfblob:8402907825b dfblob:21454e254a4 )
 OR (
bs:"[PATCH 4.9] x86/pti: Make unpoison of pgd for trusted boot work for real" )
	(help)

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20180130021726.229367-1-hughd@google.com \
    --to=hughd@google.com \
    --cc=andi@firstfloor.org \
    --cc=dave.hansen@linux.intel.com \
    --cc=dwmw@amazon.co.uk \
    --cc=gnomes@lxorguk.ukuu.org.uk \
    --cc=gregkh@linux-foundation.org \
    --cc=gregkh@linuxfoundation.org \
    --cc=jcm@redhat.com \
    --cc=jkosina@suse.cz \
    --cc=law@redhat.com \
    --cc=luto@kernel.org \
    --cc=nickc@redhat.com \
    --cc=ning.sun@intel.com \
    --cc=pbonzini@redhat.com \
    --cc=peterz@infradead.org \
    --cc=stable@vger.kernel.org \
    --cc=tboot-devel@lists.sourceforge.net \
    --cc=tglx@linutronix.de \
    --cc=tim.c.chen@linux.intel.com \
    --cc=torvalds@linux-foundation.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.