From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from bombadil.infradead.org (bombadil.infradead.org [198.137.202.133]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.lore.kernel.org (Postfix) with ESMTPS id D1CCDC5475B for ; Wed, 6 Mar 2024 21:55:23 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=lists.infradead.org; s=bombadil.20210309; h=Sender:Content-Type: Content-Transfer-Encoding:List-Subscribe:List-Help:List-Post:List-Archive: List-Unsubscribe:List-Id:In-Reply-To:From:References:Cc:To:Subject: MIME-Version:Date:Message-ID:Reply-To:Content-ID:Content-Description: Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID: List-Owner; bh=SOa/sasanXskSBqsfL0srPYor16b5UN9ek1TEM79MRY=; b=4sSLFDX/YUqt5n BKyz9HF8DpwlBTA8IeCeQczbQMtOmJYh5LUBuJgEPwuNn/Waq8oIf8t3tPOYTigoBqx0lDLamGrmX xryGMNrsEZsTCWkNajJiZOYqkNMlCqvTKOchSUMyW/y2kwghef/wbfeuq7Zn+sT0XHW+oAAheyb5A d8hFCYar5mpL9yj+qFGuFCd8VbGvT/9WR5Y8pf04HVldVx+H+NHEUOY89ZvLuRaLy8kJpN8unEm9U INjwp1fK+zKgdcTv5oRKMLbzpnkPVYu40gGUDttvy/xa74T8a3GdwH0cHrVrkL94heyQY77QtuGiM 7vN5h7MfNzvGKrnxq4XA==; Received: from localhost ([::1] helo=bombadil.infradead.org) by bombadil.infradead.org with esmtp (Exim 4.97.1 #2 (Red Hat Linux)) id 1rhzEF-00000001zuL-0ERR; Wed, 06 Mar 2024 21:55:11 +0000 Received: from foss.arm.com ([217.140.110.172]) by bombadil.infradead.org with esmtp (Exim 4.97.1 #2 (Red Hat Linux)) id 1rhzEC-00000001ztm-318i for linux-arm-kernel@lists.infradead.org; Wed, 06 Mar 2024 21:55:10 +0000 Received: from usa-sjc-imap-foss1.foss.arm.com (unknown [10.121.207.14]) by usa-sjc-mx-foss1.foss.arm.com (Postfix) with ESMTP id B09A01FB; Wed, 6 Mar 2024 13:55:40 -0800 (PST) Received: from [192.168.20.13] (unknown [172.31.20.19]) by usa-sjc-imap-foss1.foss.arm.com (Postfix) with ESMTPSA id 020883F73F; Wed, 6 Mar 2024 13:54:58 -0800 (PST) Message-ID: <38f9541b-dd88-4d49-af3b-bc7880a4e2f4@arm.com> Date: Wed, 6 Mar 2024 15:54:57 -0600 MIME-Version: 1.0 User-Agent: Mozilla Thunderbird Subject: Re: [PATCH 1/1] arm64: syscall: Direct PRNG kstack randomization Content-Language: en-US To: Arnd Bergmann , Kees Cook Cc: linux-arm-kernel@lists.infradead.org, Catalin Marinas , Will Deacon , "Jason A . Donenfeld" , "Gustavo A. R. Silva" , Mark Rutland , Steven Rostedt , Mark Brown , Guo Hui , Manoj.Iyer@arm.com, linux-kernel@vger.kernel.org, linux-hardening@vger.kernel.org, James Yang , Shiyou Huang References: <20240305221824.3300322-1-jeremy.linton@arm.com> <20240305221824.3300322-2-jeremy.linton@arm.com> <202403051526.0BE26F99E@keescook> <34351804-ad1d-498f-932a-c1844b78589f@app.fastmail.com> From: Jeremy Linton In-Reply-To: <34351804-ad1d-498f-932a-c1844b78589f@app.fastmail.com> X-CRM114-Version: 20100106-BlameMichelson ( TRE 0.8.0 (BSD) ) MR-646709E3 X-CRM114-CacheID: sfid-20240306_135508_913549_97503D40 X-CRM114-Status: GOOD ( 27.89 ) X-BeenThere: linux-arm-kernel@lists.infradead.org X-Mailman-Version: 2.1.34 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Content-Transfer-Encoding: 7bit Content-Type: text/plain; charset="us-ascii"; Format="flowed" Sender: "linux-arm-kernel" Errors-To: linux-arm-kernel-bounces+linux-arm-kernel=archiver.kernel.org@lists.infradead.org Hi, On 3/6/24 14:46, Arnd Bergmann wrote: > On Wed, Mar 6, 2024, at 00:33, Kees Cook wrote: >> On Tue, Mar 05, 2024 at 04:18:24PM -0600, Jeremy Linton wrote: >>> The existing arm64 stack randomization uses the kernel rng to acquire >>> 5 bits of address space randomization. This is problematic because it >>> creates non determinism in the syscall path when the rng needs to be >>> generated or reseeded. This shows up as large tail latencies in some >>> benchmarks and directly affects the minimum RT latencies as seen by >>> cyclictest. >>> >>> Other architectures are using timers/cycle counters for this function, >>> which is sketchy from a randomization perspective because it should be >>> possible to estimate this value from knowledge of the syscall return >>> time, and from reading the current value of the timer/counters. > > As I commented on the previous version, I don't want to see > a change that only addresses one architecture like this. If you > are convinced that using a cycle counter is a mistake, then we > should do the same thing on the other architectures as well > that currently use a cycle counter. I personally tend to agree as long as we aren't creating a similar set of problems for those architectures as we are seeing on arm. Currently the kstack rng on/off choice is basically zero overhead for them. > >>> +#ifdef CONFIG_RANDOMIZE_KSTACK_OFFSET >>> +DEFINE_PER_CPU(struct rnd_state, kstackrng); >>> + >>> +static u16 kstack_rng(void) >>> +{ >>> + u32 rng = prandom_u32_state(this_cpu_ptr(&kstackrng)); >>> + >>> + return rng & 0x1ff; >>> +} >>> + >>> +/* Should we reseed? */ >>> +static int kstack_rng_setup(unsigned int cpu) >>> +{ >>> + u32 rng_seed; >>> + >>> + /* zero should be avoided as a seed */ >>> + do { >>> + rng_seed = get_random_u32(); >>> + } while (!rng_seed); >>> + prandom_seed_state(this_cpu_ptr(&kstackrng), rng_seed); >>> + return 0; >>> +} >>> + >>> +static int kstack_init(void) >>> +{ >>> + int ret; >>> + >>> + ret = cpuhp_setup_state(CPUHP_AP_ONLINE_DYN, "arm64/cpuinfo:kstackrandomize", >>> + kstack_rng_setup, NULL); >> >> This will run initial seeding, but don't we need to reseed this with >> some kind of frequency? > > Won't that defeat the purpose of the patch that was intended > to make the syscall latency more predictable? At least the > simpler approaches of reseeding from the kstack_rng() > function itself would have this problem, deferring it to > another context comes with a separate set of problems. And that describes why I've not come up with an inline reseeding solution. Which of course isn't a problem on !arm if one just pushes a few bits of a cycle counter into the rnd_state every few dozen syscalls, or whatever. Mark R, mentioned offline the idea of just picking a few bits off CNTVCT as a seed, but its so slow it basically has to be used to fuzz a bit or two of rnd_state on some fairly long interval. Long enough that if someone has a solution for extracting rnd_state it might not add any additional security. Or that is my take, since i'm not a big fan of any independent counter/clock based RNG seeding (AFAIK, entropy from clocks requires multiple _independent_ sources). This is a bit out of my wheelhouse, so I defer to anyone with a better feel or some actual data. The best plan I have at the moment is just some deferred work to call kstack_rng_setup on some call or time based interval, which AFAIK isn't ideal for RT workloads which expect ~100% CPU isolation. Plus, that solution assumes we have some handle on how fast an attacker can extract kstackrng sufficiently to make predictions. Again, thanks to everyone for looking at this, Jeremy _______________________________________________ linux-arm-kernel mailing list linux-arm-kernel@lists.infradead.org http://lists.infradead.org/mailman/listinfo/linux-arm-kernel