From: Balbir Singh <bsingharora@gmail.com>
To: Mike Rapoport <rppt@linux.ibm.com>
Cc: lsf-pc@lists.linux-foundation.org, linux-mm@kvack.org,
James Bottomley <James.Bottomley@HansenPartnership.com>
Subject: Re: [LSF/MM TOPIC] Address space isolation inside the kernel
Date: Sat, 16 Feb 2019 23:19:50 +1100 [thread overview]
Message-ID: <20190216121950.GB31125@350D> (raw)
In-Reply-To: <20190207072421.GA9120@rapoport-lnx>
On Thu, Feb 07, 2019 at 09:24:22AM +0200, Mike Rapoport wrote:
> (Joint proposal with James Bottomley)
>
> Address space isolation has been used to protect the kernel from the
> userspace and userspace programs from each other since the invention of
> the virtual memory.
>
> Assuming that kernel bugs and therefore vulnerabilities are inevitable
> it might be worth isolating parts of the kernel to minimize damage
> that these vulnerabilities can cause.
>
Is Address Space limited to user space and kernel space, where does the
hypervisor fit into the picture?
> There is already ongoing work in a similar direction, like XPFO [1] and
> temporary mappings proposed for the kernel text poking [2].
>
> We have several vague ideas how we can take this even further and make
> different parts of kernel run in different address spaces:
> * Remove most of the kernel mappings from the syscall entry and add a
> trampoline when the syscall processing needs to call the "core
> kernel".
> * Make the parts of the kernel that execute in a namespace use their
> own mappings for the namespace private data
Is the key reason for removing mappings -- to remove the processor
from speculating data/text from those mappings? SMAP/SMEP provides
a level of isolation from access and execution
For namespaces, does allocating the right memory protection key
work? At some point we'll need to recycle the keys
It'll be an interesting discussion and I'd love to attend if invited
Balbir Singh.
next prev parent reply other threads:[~2019-02-16 12:19 UTC|newest]
Thread overview: 18+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-02-07 7:24 [LSF/MM TOPIC] Address space isolation inside the kernel Mike Rapoport
2019-02-14 19:21 ` Kees Cook
[not found] ` <CA+VK+GOpjXQ2-CLZt6zrW6m-=WpWpvcrXGSJ-723tRDMeAeHmg@mail.gmail.com>
2019-02-16 11:13 ` Paul Turner
2019-04-25 20:47 ` Jonathan Adams
2019-04-25 21:56 ` James Bottomley
2019-04-25 22:25 ` Paul Turner
2019-04-25 22:31 ` [Lsf-pc] " Alexei Starovoitov
2019-04-25 22:40 ` Paul Turner
2019-02-16 12:19 ` Balbir Singh [this message]
2019-02-16 16:30 ` James Bottomley
2019-02-17 8:01 ` Balbir Singh
2019-02-17 16:43 ` James Bottomley
2019-02-17 19:34 ` Matthew Wilcox
2019-02-17 20:09 ` James Bottomley
2019-02-17 21:54 ` Balbir Singh
2019-02-17 22:01 ` Balbir Singh
2019-02-17 22:20 ` [Lsf-pc] " James Bottomley
2019-02-18 11:15 ` Balbir Singh
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20190216121950.GB31125@350D \
--to=bsingharora@gmail.com \
--cc=James.Bottomley@HansenPartnership.com \
--cc=linux-mm@kvack.org \
--cc=lsf-pc@lists.linux-foundation.org \
--cc=rppt@linux.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).