From: Balbir Singh <bsingharora@gmail.com>
To: christophe leroy <christophe.leroy@c-s.fr>,
linuxppc-dev@lists.ozlabs.org, mpe@ellerman.id.au
Cc: naveen.n.rao@linux.vnet.ibm.com, ananth@linux.vnet.ibm.com,
paulus@samba.org, rashmica.g@gmail.com
Subject: Re: [PATCH v1 1/8] powerpc/lib/code-patching: Enhance code patching
Date: Mon, 29 May 2017 08:50:46 +1000 [thread overview]
Message-ID: <1496011846.21894.7.camel@gmail.com> (raw)
In-Reply-To: <72ff9a8a-dad8-55f3-01b0-29b24298bed0@c-s.fr>
On Sun, 2017-05-28 at 17:59 +0200, christophe leroy wrote:
>
> Le 25/05/2017 à 05:36, Balbir Singh a écrit :
> > Today our patching happens via direct copy and
> > patch_instruction. The patching code is well
> > contained in the sense that copying bits are limited.
> >
> > While considering implementation of CONFIG_STRICT_RWX,
> > the first requirement is to a create another mapping
> > that will allow for patching. We create the window using
> > text_poke_area, allocated via get_vm_area(), which might
> > be an overkill. We can do per-cpu stuff as well. The
> > downside of these patches that patch_instruction is
> > now synchornized using a lock. Other arches do similar
> > things, but use fixmaps. The reason for not using
> > fixmaps is to make use of any randomization in the
> > future. The code also relies on set_pte_at and pte_clear
> > to do the appropriate tlb flushing.
>
> Isn't it overkill to remap the text in another area ?
>
> Among the 6 arches implementing CONFIG_STRICT_KERNEL_RWX (arm, arm64,
> parisc, s390, x86/32, x86/64):
> - arm, x86/32 and x86/64 set text RW during the modification
x86 uses set_fixmap() in text_poke(), am I missing something?
> - s390 seems to uses a special instruction which bypassed write protection
> - parisc doesn't seem to implement any function which modifies kernel text.
>
> Therefore it seems only arm64 does it via another mapping.
> Wouldn't it be lighter to just unprotect memory during the modification
> as done on arm and x86 ?
>
I am not sure if the trade-off is quite that simple, for security I thought
1. It would be better to randomize text_poke_area(), which is why I dynamically
allocated it. If we start randomizing get_vm_area(), we get the benefit
2. text_poke_aread() is RW and the normal text is RX, for any attack
to succeed, it would need to find text_poke_area() at the time of patching,
patch the kernel in that small window and use the normal mapping for
execution
Generally patch_instruction() is not fast path except for ftrace, tracing.
In my tests I did not find the slow down noticable
> Or another alternative could be to disable DMMU and do the write at
> physical address ?
>
This would be worse off, I think, but we were discussing doing something
like that xmon. But for other cases, I think it opens up a bigger window.
> Christophe
Balbir Singh
next prev parent reply other threads:[~2017-05-28 22:51 UTC|newest]
Thread overview: 27+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-05-25 3:36 [PATCH v1 0/8] Enable STRICT_KERNEL_RWX Balbir Singh
2017-05-25 3:36 ` [PATCH v1 1/8] powerpc/lib/code-patching: Enhance code patching Balbir Singh
2017-05-25 9:11 ` kbuild test robot
2017-05-28 14:29 ` christophe leroy
2017-05-28 22:58 ` Balbir Singh
2017-05-29 6:55 ` Christophe LEROY
2017-05-28 15:59 ` christophe leroy
2017-05-28 22:50 ` Balbir Singh [this message]
2017-05-29 5:50 ` Christophe LEROY
2017-05-28 18:00 ` christophe leroy
2017-05-28 22:15 ` Balbir Singh
2017-05-25 3:36 ` [PATCH v1 2/8] powerpc/kprobes: Move kprobes over to patch_instruction Balbir Singh
2017-05-29 8:50 ` Christophe LEROY
2017-05-29 22:11 ` Balbir Singh
2017-05-25 3:36 ` [PATCH v1 3/8] powerpc/xmon: Add patch_instruction supporf for xmon Balbir Singh
2017-05-25 3:36 ` [PATCH v1 4/8] powerpc/vmlinux.lds: Align __init_begin to 16M Balbir Singh
2017-05-25 3:36 ` [PATCH v1 5/8] powerpc/platform/pseries/lpar: Fix updatepp and updateboltedpp Balbir Singh
2017-05-25 3:36 ` [PATCH v1 6/8] powerpc/mm/hash: Implement mark_rodata_ro() for hash Balbir Singh
2017-05-25 3:36 ` [PATCH v1 7/8] powerpc/Kconfig: Enable STRICT_KERNEL_RWX Balbir Singh
2017-05-25 16:45 ` kbuild test robot
2017-05-29 8:00 ` Christophe LEROY
2017-06-03 5:42 ` Balbir Singh
2017-06-05 5:46 ` Michael Ellerman
2017-05-25 3:36 ` [PATCH v1 8/8] powerpc/mm/ptdump: Dump the first entry of the linear mapping as well Balbir Singh
2017-06-05 10:21 ` [v1, " Michael Ellerman
2017-05-25 6:57 ` [PATCH v1 0/8] Enable STRICT_KERNEL_RWX Balbir Singh
2017-05-30 14:32 ` Naveen N. Rao
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1496011846.21894.7.camel@gmail.com \
--to=bsingharora@gmail.com \
--cc=ananth@linux.vnet.ibm.com \
--cc=christophe.leroy@c-s.fr \
--cc=linuxppc-dev@lists.ozlabs.org \
--cc=mpe@ellerman.id.au \
--cc=naveen.n.rao@linux.vnet.ibm.com \
--cc=paulus@samba.org \
--cc=rashmica.g@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).