From: Mark Rutland <mark.rutland@arm.com>
To: Daniel Gruss <daniel.gruss@iaik.tugraz.at>
Cc: David Gens <david.gens@cs.tu-darmstadt.de>,
Thomas Garnier <thgarnie@google.com>,
kernel list <linux-kernel@vger.kernel.org>,
Kernel Hardening <kernel-hardening@lists.openwall.com>,
clementine.maurice@iaik.tugraz.at, moritz.lipp@iaik.tugraz.at,
Michael Schwarz <michael.schwarz@iaik.tugraz.at>,
Richard Fellner <richard.fellner@student.tugraz.at>,
"Kirill A. Shutemov" <kirill.shutemov@linux.intel.com>,
Ingo Molnar <mingo@kernel.org>,
anders.fogh@gdata-adan.de
Subject: Re: [kernel-hardening] [RFC, PATCH] x86_64: KAISER - do not map kernel in user mode
Date: Mon, 8 May 2017 14:22:35 +0100 [thread overview]
Message-ID: <20170508132235.GC5480@leverpostej> (raw)
In-Reply-To: <db80ae9d-15bc-5d32-afce-ea98a6059fb8@iaik.tugraz.at>
On Mon, May 08, 2017 at 12:51:27PM +0200, Daniel Gruss wrote:
> >While it may be the case that in practice ARM systems do not have such a
> >side channel, I think that it is erroneous to believe that the
> >architectural TTBR{0,1} split ensures this.
> >
> >The use of TTBR0 for user and TTBR1 for kernel is entirely a SW policy,
> >and not an architectural requirement. It is possible to map data in
> >TTBR1 which is accessible to userspace, and data in TTBR0 which is only
> >accessible by the kernel. In either case, this is determined by the page
> >tables themselves.
>
> Absolutely right, but TTBR0 and TTBR1 are usually used in this way.
Sure; if we consider Linux, while userspace is executing, TTBR1 will
(only) contain kernel page tables and TTBR0 will (only) contain user
page tables.
However, as this is not an architectural requirement, the CPU cannot
know that a user access that gets translated via TTBR1 will fault, and
at some point must determine the permissions from the page tables as
required by the architecture.
> >Given this, I think that the statements in the KAISER paper regarding
> >the TTBRs (in section 2.1) are not quite right. Architecturally,
> >permission checks and lookups cannot be elided based on the TTBR used.
>
> As we say in section 2.1, they are "typically" used in this way, and
> this prevents the attacks. Not just the presence of a second
> register, but the way how the two registers are used to split the
> translation tables for user and kernel.
In practice, while userspace is executing, TTBR1 still points to kernel
page tables. If a user program attempts to access an address mapped via
TTBR1, the CPU has to attempt this translation via the TTBR1 page tables
and/or associated TLB entries.
Specifically, I think this does not align with the statement in 2.1
regarding the two TTBRs:
This simplifies privilege checks and does not require any address
translation for invalid memory accesses and thus no cache lookups.
... since the use of the TTBRs is orthogonal to privilege checks and/or
the design of the TLBs.
Thanks,
Mark.
next prev parent reply other threads:[~2017-05-08 13:23 UTC|newest]
Thread overview: 28+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-05-04 10:02 [RFC, PATCH] x86_64: KAISER - do not map kernel in user mode Daniel Gruss
2017-05-04 12:26 ` Daniel Gruss
2017-05-04 15:28 ` [kernel-hardening] " Thomas Garnier
2017-05-05 8:23 ` Daniel Gruss
2017-05-05 15:47 ` Thomas Garnier
2017-05-06 4:02 ` David Gens
2017-05-06 8:38 ` Daniel Gruss
2017-05-08 10:21 ` Mark Rutland
2017-05-08 10:51 ` Daniel Gruss
2017-05-08 13:22 ` Mark Rutland [this message]
2017-05-08 13:43 ` Daniel Gruss
2017-05-08 13:53 ` Daniel Gruss
2017-05-08 14:09 ` Thomas Garnier
2017-05-08 14:19 ` Daniel Gruss
2017-05-08 13:23 ` Daniel Gruss
2017-05-04 15:47 ` Christoph Hellwig
2017-05-05 7:40 ` Daniel Gruss
2017-05-07 20:20 ` [kernel-hardening] " Richard Weinberger
2017-05-07 21:45 ` Daniel Gruss
2017-05-07 22:02 ` Richard Weinberger
2017-05-07 22:18 ` Daniel Gruss
2017-05-09 14:44 ` [kernel-hardening] Re: [RFC, PATCH] x86_64: KAISER - do not mapkernel " Fogh, Anders
2017-05-09 14:57 ` Richard Weinberger
2017-05-09 15:30 ` Rik van Riel
2017-10-31 23:28 ` Dave Hansen
2017-05-05 15:49 ` [kernel-hardening] [RFC, PATCH] x86_64: KAISER - do not map kernel " Jann Horn
2017-05-05 15:53 ` Jann Horn
2017-05-06 8:28 ` Daniel Gruss
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20170508132235.GC5480@leverpostej \
--to=mark.rutland@arm.com \
--cc=anders.fogh@gdata-adan.de \
--cc=clementine.maurice@iaik.tugraz.at \
--cc=daniel.gruss@iaik.tugraz.at \
--cc=david.gens@cs.tu-darmstadt.de \
--cc=kernel-hardening@lists.openwall.com \
--cc=kirill.shutemov@linux.intel.com \
--cc=linux-kernel@vger.kernel.org \
--cc=michael.schwarz@iaik.tugraz.at \
--cc=mingo@kernel.org \
--cc=moritz.lipp@iaik.tugraz.at \
--cc=richard.fellner@student.tugraz.at \
--cc=thgarnie@google.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox