From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-5.6 required=3.0 tests=DKIMWL_WL_HIGH,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,MAILING_LIST_MULTI,SIGNED_OFF_BY,SPF_HELO_NONE, SPF_PASS,URIBL_BLOCKED,USER_AGENT_MUTT autolearn=ham autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id D2F79C48BD9 for ; Thu, 27 Jun 2019 13:57:42 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.kernel.org (Postfix) with ESMTP id AAC05208CB for ; Thu, 27 Jun 2019 13:57:42 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1561643862; bh=51DDG2DY3FLtkRp2J7Z4n5yca8QsFHCjA1IBw10ZSDc=; h=Date:From:To:Cc:Subject:References:In-Reply-To:List-ID:From; b=PJdex8bZeRO9zkJSURRmcsc7bT7TJmx2PpKfrggHIQkEmDtNGsMRRg9tF0OReYsh0 4k/Xkfl3kmrU6dkfZwhdtpEcVvCqrSIyRm/Ogn/OH0qy8tl0QX2uwcG6XU1MCo/Zxt h2Oe3pgd5aviGzy6AfSykc+7hRqcn1zXZEo/3b1Q= Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726883AbfF0N5l (ORCPT ); Thu, 27 Jun 2019 09:57:41 -0400 Received: from mx2.suse.de ([195.135.220.15]:54522 "EHLO mx1.suse.de" rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP id S1726480AbfF0N5l (ORCPT ); Thu, 27 Jun 2019 09:57:41 -0400 X-Virus-Scanned: by amavisd-new at test-mx.suse.de Received: from relay2.suse.de (unknown [195.135.220.254]) by mx1.suse.de (Postfix) with ESMTP id A2CDEABE7; Thu, 27 Jun 2019 13:57:38 +0000 (UTC) Date: Thu, 27 Jun 2019 15:57:36 +0200 From: Michal Hocko To: Alexander Potapenko Cc: Andrew Morton , Christoph Lameter , Kees Cook , Masahiro Yamada , James Morris , "Serge E. Hallyn" , Nick Desaulniers , Kostya Serebryany , Dmitry Vyukov , Sandeep Patil , Laura Abbott , Randy Dunlap , Jann Horn , Mark Rutland , Marco Elver , Qian Cai , linux-mm@kvack.org, linux-security-module@vger.kernel.org, kernel-hardening@lists.openwall.com Subject: Re: [PATCH v9 1/2] mm: security: introduce init_on_alloc=1 and init_on_free=1 boot options Message-ID: <20190627135736.GA5303@dhcp22.suse.cz> References: <20190627130316.254309-1-glider@google.com> <20190627130316.254309-2-glider@google.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20190627130316.254309-2-glider@google.com> User-Agent: Mutt/1.10.1 (2018-07-13) Sender: owner-linux-security-module@vger.kernel.org Precedence: bulk List-ID: On Thu 27-06-19 15:03:15, Alexander Potapenko wrote: > The new options are needed to prevent possible information leaks and > make control-flow bugs that depend on uninitialized values more > deterministic. > > This is expected to be on-by-default on Android and Chrome OS. And it > gives the opportunity for anyone else to use it under distros too via > the boot args. (The init_on_free feature is regularly requested by > folks where memory forensics is included in their threat models.) > > init_on_alloc=1 makes the kernel initialize newly allocated pages and heap > objects with zeroes. Initialization is done at allocation time at the > places where checks for __GFP_ZERO are performed. > > init_on_free=1 makes the kernel initialize freed pages and heap objects > with zeroes upon their deletion. This helps to ensure sensitive data > doesn't leak via use-after-free accesses. > > Both init_on_alloc=1 and init_on_free=1 guarantee that the allocator > returns zeroed memory. The two exceptions are slab caches with > constructors and SLAB_TYPESAFE_BY_RCU flag. Those are never > zero-initialized to preserve their semantics. > > Both init_on_alloc and init_on_free default to zero, but those defaults > can be overridden with CONFIG_INIT_ON_ALLOC_DEFAULT_ON and > CONFIG_INIT_ON_FREE_DEFAULT_ON. > > If either SLUB poisoning or page poisoning is enabled, those options > take precedence over init_on_alloc and init_on_free: initialization is > only applied to unpoisoned allocations. > > Slowdown for the new features compared to init_on_free=0, > init_on_alloc=0: > > hackbench, init_on_free=1: +7.62% sys time (st.err 0.74%) > hackbench, init_on_alloc=1: +7.75% sys time (st.err 2.14%) > > Linux build with -j12, init_on_free=1: +8.38% wall time (st.err 0.39%) > Linux build with -j12, init_on_free=1: +24.42% sys time (st.err 0.52%) > Linux build with -j12, init_on_alloc=1: -0.13% wall time (st.err 0.42%) > Linux build with -j12, init_on_alloc=1: +0.57% sys time (st.err 0.40%) > > The slowdown for init_on_free=0, init_on_alloc=0 compared to the > baseline is within the standard error. > > The new features are also going to pave the way for hardware memory > tagging (e.g. arm64's MTE), which will require both on_alloc and on_free > hooks to set the tags for heap objects. With MTE, tagging will have the > same cost as memory initialization. > > Although init_on_free is rather costly, there are paranoid use-cases where > in-memory data lifetime is desired to be minimized. There are various > arguments for/against the realism of the associated threat models, but > given that we'll need the infrastructure for MTE anyway, and there are > people who want wipe-on-free behavior no matter what the performance cost, > it seems reasonable to include it in this series. > > Signed-off-by: Alexander Potapenko > Acked-by: Kees Cook > To: Andrew Morton > To: Christoph Lameter > To: Kees Cook > Cc: Masahiro Yamada > Cc: Michal Hocko > Cc: James Morris > Cc: "Serge E. Hallyn" > Cc: Nick Desaulniers > Cc: Kostya Serebryany > Cc: Dmitry Vyukov > Cc: Sandeep Patil > Cc: Laura Abbott > Cc: Randy Dunlap > Cc: Jann Horn > Cc: Mark Rutland > Cc: Marco Elver > Cc: Qian Cai > Cc: linux-mm@kvack.org > Cc: linux-security-module@vger.kernel.org > Cc: kernel-hardening@lists.openwall.com > Signed-off-by: Andrew Morton Acked-by: Michal Hocko # page and dmapool parts -- Michal Hocko SUSE Labs