From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-2.1 required=3.0 tests=DKIM_INVALID,DKIM_SIGNED, HEADER_FROM_DIFFERENT_DOMAINS,MAILING_LIST_MULTI,SPF_HELO_NONE,SPF_PASS, USER_AGENT_SANE_1 autolearn=no autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 3BE44C7618F for ; Mon, 15 Jul 2019 10:34:29 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.kernel.org (Postfix) with ESMTP id 10A4420665 for ; Mon, 15 Jul 2019 10:34:29 +0000 (UTC) Authentication-Results: mail.kernel.org; dkim=fail reason="signature verification failed" (2048-bit key) header.d=infradead.org header.i=@infradead.org header.b="V5CMHU9S" Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1729736AbfGOKe1 (ORCPT ); Mon, 15 Jul 2019 06:34:27 -0400 Received: from merlin.infradead.org ([205.233.59.134]:45504 "EHLO merlin.infradead.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1729530AbfGOKe1 (ORCPT ); Mon, 15 Jul 2019 06:34:27 -0400 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=infradead.org; s=merlin.20170209; h=In-Reply-To:Content-Type:MIME-Version: References:Message-ID:Subject:Cc:To:From:Date:Sender:Reply-To: Content-Transfer-Encoding:Content-ID:Content-Description:Resent-Date: Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:List-Id: List-Help:List-Unsubscribe:List-Subscribe:List-Post:List-Owner:List-Archive; bh=/tb2YFKotIun+RrxUFkUJ3SPYjEiIEB8yDIasy299tI=; b=V5CMHU9SdBHFe0JHCPJ/DfQ9M whb9p82Se2ZevWYbvvkDuh9u+U8Uiaonxw43GBYwgQDNYEP3CSLvWClmBZIh3Lm+Ag21BXBcQk1Mb tgDnaHbBDgvqR/pGJQkjgPMBi8ydXL5TMB2U0D5aL+V/dJu7peXHwVcCgDtxjqnZvWk5TdtQ3tgPx IGTM4iWolBrZicJtBD0iROZpa0kB57IsFZqVCacCQtfX+9jji7DKttASvz4iWs+PWk4iVM7PXf/6Y Had9FeMPHZ0ajhZ94uJ2xDAy1FsLZzeKnZY3WncpD74MtSscMFXyqrGpbZ1cwCRW0KIHhvnq6mOlo gLv5bHwWA==; Received: from j217100.upc-j.chello.nl ([24.132.217.100] helo=hirez.programming.kicks-ass.net) by merlin.infradead.org with esmtpsa (Exim 4.92 #3 (Red Hat Linux)) id 1hmyIt-0001jj-LI; Mon, 15 Jul 2019 10:33:55 +0000 Received: by hirez.programming.kicks-ass.net (Postfix, from userid 1000) id 01F3E20B29100; Mon, 15 Jul 2019 12:33:53 +0200 (CEST) Date: Mon, 15 Jul 2019 12:33:53 +0200 From: Peter Zijlstra To: Andy Lutomirski Cc: Alexandre Chartre , Thomas Gleixner , Dave Hansen , Paolo Bonzini , Radim Krcmar , Ingo Molnar , Borislav Petkov , "H. Peter Anvin" , Dave Hansen , kvm list , X86 ML , Linux-MM , LKML , Konrad Rzeszutek Wilk , jan.setjeeilers@oracle.com, Liran Alon , Jonathan Adams , Alexander Graf , Mike Rapoport , Paul Turner Subject: Re: [RFC v2 00/27] Kernel Address Space Isolation Message-ID: <20190715103353.GC3419@hirez.programming.kicks-ass.net> References: <1562855138-19507-1-git-send-email-alexandre.chartre@oracle.com> <5cab2a0e-1034-8748-fcbe-a17cf4fa2cd4@intel.com> <61d5851e-a8bf-e25c-e673-b71c8b83042c@oracle.com> <20190712125059.GP3419@hirez.programming.kicks-ass.net> <3ca70237-bf8e-57d9-bed5-bc2329d17177@oracle.com> <20190712190620.GX3419@hirez.programming.kicks-ass.net> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: User-Agent: Mutt/1.10.1 (2018-07-13) Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Sun, Jul 14, 2019 at 08:06:12AM -0700, Andy Lutomirski wrote: > On Fri, Jul 12, 2019 at 12:06 PM Peter Zijlstra wrote: > > > > On Fri, Jul 12, 2019 at 06:37:47PM +0200, Alexandre Chartre wrote: > > > On 7/12/19 5:16 PM, Thomas Gleixner wrote: > > > > > > Right. If we decide to expose more parts of the kernel mappings then that's > > > > just adding more stuff to the existing user (PTI) map mechanics. > > > > > > If we expose more parts of the kernel mapping by adding them to the existing > > > user (PTI) map, then we only control the mapping of kernel sensitive data but > > > we don't control user mapping (with ASI, we exclude all user mappings). > > > > > > How would you control the mapping of userland sensitive data and exclude them > > > from the user map? Would you have the application explicitly identify sensitive > > > data (like Andy suggested with a /dev/xpfo device)? > > > > To what purpose do you want to exclude userspace from the kernel > > mapping; that is, what are you mitigating against with that? > > Mutually distrusting user/guest tenants. Imagine an attack against a > VM hosting provider (GCE, for example). If the overall system is > well-designed, the host kernel won't possess secrets that are > important to the overall hosting network. The interesting secrets are > in the memory of other tenants running under the same host. So, if we > can mostly or completely avoid mapping one tenant's memory in the > host, we reduce the amount of valuable information that could leak via > a speculation (or wild read) attack to another tenant. > > The practicality of such a scheme is obviously an open question. Ah, ok. So it's some virt specific nonsense. I'll go on ignoring it then ;-)