Re: [PATCH] RTIC: selinux: ARM64: Move selinux_state to a separate page

All of lore.kernel.org
 help / color / mirror / Atom feed

From: pnagar@codeaurora.org
To: Ard Biesheuvel <ardb@kernel.org>, Will Deacon <will@kernel.org>
Cc: Will Deacon <will@kernel.org>, Marc Zyngier <maz@kernel.org>,
	Arnd Bergmann <arnd@arndb.de>, James Morris <jmorris@namei.org>,
	"Serge E. Hallyn" <serge@hallyn.com>,
	paul@paul-moore.com, stephen.smalley.work@gmail.com,
	eparis@parisplace.org, linux-security-module@vger.kernel.org,
	selinux@vger.kernel.org, linux-arch <linux-arch@vger.kernel.org>,
	casey@schaufler-ca.com,
	Nick Desaulniers <ndesaulniers@google.com>,
	David Howells <dhowells@redhat.com>,
	ojeda@kernel.org, Prasad Sodagudi <psodagud@codeaurora.org>,
	nmardana@codeaurora.org, johan@kernel.org,
	Joe Perches <joe@perches.com>, Jessica Yu <jeyu@kernel.org>,
	Linux Kernel Mailing List <linux-kernel@vger.kernel.org>
Subject: Re: [PATCH] RTIC: selinux: ARM64: Move selinux_state to a separate page
Date: Mon, 22 Feb 2021 12:44:29 +0530	[thread overview]
Message-ID: <db7be4b7c31828d559ad4b1f4a93b76e@codeaurora.org> (raw)
In-Reply-To: <CAMj1kXG_qj0A5r+rRnGdcwjomqJUSQPw6aNYyPbSVA8Fr=RjyA@mail.gmail.com>

On 2021-02-17 15:23, Ard Biesheuvel wrote:
> On Wed, 17 Feb 2021 at 10:42, Will Deacon <will@kernel.org> wrote:
>> 
>> [Please include arm64 and kvm folks for threads involving the stage-2 
>> MMU]
>> 
>> On Tue, Feb 16, 2021 at 03:47:52PM +0530, Preeti Nagar wrote:
>> > The changes introduce a new security feature, RunTime Integrity Check
>> > (RTIC), designed to protect Linux Kernel at runtime. The motivation
>> > behind these changes is:
>> > 1. The system protection offered by Security Enhancements(SE) for
>> > Android relies on the assumption of kernel integrity. If the kernel
>> > itself is compromised (by a perhaps as yet unknown future vulnerability),
>> > SE for Android security mechanisms could potentially be disabled and
>> > rendered ineffective.
>> > 2. Qualcomm Snapdragon devices use Secure Boot, which adds cryptographic
>> > checks to each stage of the boot-up process, to assert the authenticity
>> > of all secure software images that the device executes.  However, due to
>> > various vulnerabilities in SW modules, the integrity of the system can be
>> > compromised at any time after device boot-up, leading to un-authorized
>> > SW executing.
>> >
>> > The feature's idea is to move some sensitive kernel structures to a
>> > separate page and monitor further any unauthorized changes to these,
>> > from higher Exception Levels using stage 2 MMU. Moving these to a
>> > different page will help avoid getting page faults from un-related data.
>> > The mechanism we have been working on removes the write permissions for
>> > HLOS in the stage 2 page tables for the regions to be monitored, such
>> > that any modification attempts to these will lead to faults being
>> > generated and handled by handlers. If the protected assets are moved to
>> > a separate page, faults will be generated corresponding to change attempts
>> > to these assets only. If not moved to a separate page, write attempts to
>> > un-related data present on the monitored pages will also be generated.
>> >
>> > Using this feature, some sensitive variables of the kernel which are
>> > initialized after init or are updated rarely can also be protected from
>> > simple overwrites and attacks trying to modify these.
>> 
>> Although I really like the idea of using stage-2 to protect the 
>> kernel, I
>> think the approach you outline here is deeply flawed. Identifying 
>> "sensitive
>> variables" of the kernel to protect is subjective and doesn't scale.
>> Furthermore, the triaging of what constitues a valid access is notably
>> absent from your description and is assumedly implemented in an opaque 
>> blob
>> at EL2.
>> 
>> I think a better approach would be along the lines of:
>> 
>>   1. Introduce the protection at stage-1 (like we already have for 
>> mapping
>>      e.g. the kernel text R/O)
>> 
>>   2. Implement the handlers in the kernel, so the heuristics are 
>> clear.
>> 
>>   3. Extend this to involve KVM, so that the host can manage its own
>>      stage-2 to firm-up the stage-1 protections.
>> 
> 
> Agree here. Making an arbitrary set of data structures r/o behind the
> OS's back doesn't seem like an easy thing to maintain or reason about,
> especially if this r/o-ness is only enforced on a tiny subset of
> devices. If something needs to be writable only at boot, we have
> __ro_after_init, and having hypervisor assisted enforcement of /that/
> might be a worthwhile thing to consider, including perhaps ways to do
> controlled patching of this region at runtime.
> 

Thank you for the suggestions. We will look into the possibility of 
protection
of __ro_after_init and controlled updates to these. I understand, if 
this can be
made generic as Will also suggested, it might be more useful and easy to 
scale
and maintain.

>> I also think we should avoid tying this to specific data structures.
>> Rather, we should introduce a mechanism to make arbitrary data 
>> read-only.
>> 
>> I've CC'd Ard and Marc, as I think they've both been thinking about 
>> this
>> sort of thing recently as well.
>> 
>> Will

next prev parent reply	other threads:[~2021-02-22  7:16 UTC|newest]

Thread overview: 13+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2021-02-16 10:17 [PATCH] RTIC: selinux: ARM64: Move selinux_state to a separate page Preeti Nagar
2021-02-16 18:09 ` Nick Desaulniers
2021-02-22  6:54   ` pnagar
2021-02-16 20:32 ` Miguel Ojeda
2021-02-22  5:06   ` pnagar
2021-02-17  9:42 ` Will Deacon
2021-02-17  9:53   ` Ard Biesheuvel
2021-02-22  7:14     ` pnagar [this message]
2021-02-17 10:15   ` Marc Zyngier
2021-02-22  4:58     ` pnagar
2021-02-22 10:56       ` Marc Zyngier
2021-02-22  9:50   ` peter enderborg
2021-03-05  2:21 ` Paul Moore

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=db7be4b7c31828d559ad4b1f4a93b76e@codeaurora.org \
    --to=pnagar@codeaurora.org \
    --cc=ardb@kernel.org \
    --cc=arnd@arndb.de \
    --cc=casey@schaufler-ca.com \
    --cc=dhowells@redhat.com \
    --cc=eparis@parisplace.org \
    --cc=jeyu@kernel.org \
    --cc=jmorris@namei.org \
    --cc=joe@perches.com \
    --cc=johan@kernel.org \
    --cc=linux-arch@vger.kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-security-module@vger.kernel.org \
    --cc=maz@kernel.org \
    --cc=ndesaulniers@google.com \
    --cc=nmardana@codeaurora.org \
    --cc=ojeda@kernel.org \
    --cc=paul@paul-moore.com \
    --cc=psodagud@codeaurora.org \
    --cc=selinux@vger.kernel.org \
    --cc=serge@hallyn.com \
    --cc=stephen.smalley.work@gmail.com \
    --cc=will@kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.