From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1751822AbdKVQTR (ORCPT ); Wed, 22 Nov 2017 11:19:17 -0500 Received: from atrey.karlin.mff.cuni.cz ([195.113.26.193]:41187 "EHLO atrey.karlin.mff.cuni.cz" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751705AbdKVQTQ (ORCPT ); Wed, 22 Nov 2017 11:19:16 -0500 Date: Wed, 22 Nov 2017 17:19:14 +0100 From: Pavel Machek To: Will Deacon Cc: linux-arm-kernel@lists.infradead.org, linux-kernel@vger.kernel.org, catalin.marinas@arm.com, mark.rutland@arm.com, ard.biesheuvel@linaro.org, sboyd@codeaurora.org, dave.hansen@linux.intel.com, keescook@chromium.org Subject: Re: [PATCH 00/18] arm64: Unmap the kernel whilst running in userspace (KAISER) Message-ID: <20171122161913.GB12684@amd> References: <1510942921-12564-1-git-send-email-will.deacon@arm.com> MIME-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="EuxKj2iCbKjpUGkD" Content-Disposition: inline In-Reply-To: <1510942921-12564-1-git-send-email-will.deacon@arm.com> User-Agent: Mutt/1.5.23 (2014-03-12) Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org --EuxKj2iCbKjpUGkD Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable Hi! > This patch series implements something along the lines of KAISER for arm6= 4: >=20 > https://gruss.cc/files/kaiser.pdf >=20 > although I wrote this from scratch because the paper has some funny > assumptions about how the architecture works. There is a patch series > in review for x86, which follows a similar approach: >=20 > http://lkml.kernel.org/r/<20171110193058.BECA7D88@viggo.jf.intel.com> >=20 > and the topic was recently covered by LWN (currently subscriber-only): >=20 > https://lwn.net/Articles/738975/ >=20 > The basic idea is that transitions to and from userspace are proxied > through a trampoline page which is mapped into a separate page table and > can switch the full kernel mapping in and out on exception entry and > exit respectively. This is a valuable defence against various KASLR and > timing attacks, particularly as the trampoline page is at a fixed virtual > address and therefore the kernel text can be randomized > independently. If I'm willing to do timing attacks to defeat KASLR... what prevents me from using CPU caches to do that? There was blackhat talk about exactly that IIRC... Pavel --=20 (english) http://www.livejournal.com/~pavelmachek (cesky, pictures) http://atrey.karlin.mff.cuni.cz/~pavel/picture/horses/blo= g.html --EuxKj2iCbKjpUGkD Content-Type: application/pgp-signature; name="signature.asc" Content-Description: Digital signature -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iEYEARECAAYFAloVo4EACgkQMOfwapXb+vKJGwCfbuEQv+fECfY+aBVM0yCS7U0x Aa4AoKI5OPlgoB+cOkdut9TMqLAUTPed =rPaa -----END PGP SIGNATURE----- --EuxKj2iCbKjpUGkD--