From: Sohil Mehta <sohil.mehta@intel.com>
To: Yian Chen <yian.chen@intel.com>, <linux-kernel@vger.kernel.org>,
<x86@kernel.org>, Andy Lutomirski <luto@kernel.org>,
Dave Hansen <dave.hansen@linux.intel.com>,
Ravi Shankar <ravi.v.shankar@intel.com>,
"Tony Luck" <tony.luck@intel.com>,
Paul Lai <paul.c.lai@intel.com>
Subject: Re: [PATCH 4/7] x86/vsyscall: Setup vsyscall to compromise LASS protection
Date: Tue, 10 Jan 2023 16:34:18 -0800 [thread overview]
Message-ID: <c2012105-0af6-6720-5a24-719dec775fed@intel.com> (raw)
In-Reply-To: <20230110055204.3227669-5-yian.chen@intel.com>
On 1/9/2023 9:52 PM, Yian Chen wrote:
> The user can also opt-out LASS in config file to build kernel
> binary.
This line is unnecessary.
> Signed-off-by: Yian Chen <yian.chen@intel.com>
> Reviewed-by: Tony Luck <tony.luck@intel.com>
> ---
> Documentation/admin-guide/kernel-parameters.txt | 12 ++++++++----
> arch/x86/entry/vsyscall/vsyscall_64.c | 14 ++++++++++++++
> 2 files changed, 22 insertions(+), 4 deletions(-)
>
> diff --git a/Documentation/admin-guide/kernel-parameters.txt b/Documentation/admin-guide/kernel-parameters.txt
> index 6cfa6e3996cf..3988e0c8c175 100644
> --- a/Documentation/admin-guide/kernel-parameters.txt
> +++ b/Documentation/admin-guide/kernel-parameters.txt
> @@ -6755,10 +6755,14 @@
> versions of glibc use these calls. Because these
> functions are at fixed addresses, they make nice
> targets for exploits that can control RIP.
> -
> - emulate [default] Vsyscalls turn into traps and are
> - emulated reasonably safely. The vsyscall
> - page is readable.
The existing documentation here is incorrect. The default vsyscall mode
is actually xonly. This has been so since:
commit 625b7b7f79c6 (x86/vsyscall: Change the default vsyscall mode to
xonly)
> + In newer versions of Intel platforms that come with
Words such as "newer" in the kernel start losing meaning very quickly.
Also, this comment looks out of place in between the vsyscall sub-options.
> + LASS(Linear Address Space separation) protection,
> + vsyscall is disabled by default. Enabling vsyscall
> + via the parameter overrides LASS protection.
> +
IIUC, you are making the default mode somewhat dynamic.
vsyscall = xonly (if LASS is not enabled)
vsyscall = none (if LASS is enabled)
The decision to disable vsyscall doesn't happen at compile time but it
is taken at runtime when the LASS feature is detected. This would make
the system behavior highly platform dependent.
Instead of doing this dance, can we provide a simplified behavior to the
user/admin and move the decision making to compile time?
Option 1: A bigger hammer
Set the default vsyscall option as CONFIG_LEGACY_VSYSCALL_NONE.
CONFIG_X86_LASS is set by default. Changing the compile time VSYSCALL
option would disable LASS.
Option 2: A smaller hammer
CONFIG_X86_LASS is off by default. Vsyscall default stays as
CONFIG_LEGACY_VSYSCALL_XONLY. Selecting LASS automatically chooses
CONFIG_LEGACY_VSYSCALL_NONE. In this case, even if the hardware doesn't
support LASS, vsyscall would still remain disabled.
In both of these cases, any command line input to override the vsyscall
behavior can disable LASS as well.
> + emulate [default if not LASS capable] Vsyscalls
> + turn into traps and are emulated reasonably
> + safely. The vsyscall page is readable.
>
> xonly Vsyscalls turn into traps and are
> emulated reasonably safely. The vsyscall
> diff --git a/arch/x86/entry/vsyscall/vsyscall_64.c b/arch/x86/entry/vsyscall/vsyscall_64.c
> index 4af81df133ee..2691f26835d1 100644
> --- a/arch/x86/entry/vsyscall/vsyscall_64.c
> +++ b/arch/x86/entry/vsyscall/vsyscall_64.c
> @@ -63,6 +63,12 @@ static int __init vsyscall_setup(char *str)
> else
> return -EINVAL;
>
> + if (cpu_feature_enabled(X86_FEATURE_LASS) &&
> + vsyscall_mode != NONE) {
> + setup_clear_cpu_cap(X86_FEATURE_LASS);
> + pr_warn("LASS disabled by command line enabling vsyscall\n");
A warning seems too drastic here. A pr_info() should probably suffice.
> + }
> +
> return 0;
> }
>
> @@ -379,6 +385,14 @@ void __init map_vsyscall(void)
> extern char __vsyscall_page;
> unsigned long physaddr_vsyscall = __pa_symbol(&__vsyscall_page);
>
> + /*
> + * When LASS is on, vsyscall triggers a #GP fault,
> + * so that force vsyscall_mode to NONE.
> + */
This comment doesn't make much sense nor does it provide the full
picture. Some of the reasoning from the cover letter/commit log can be
duplicated here.
> + if (cpu_feature_enabled(X86_FEATURE_LASS)) {
> + vsyscall_mode = NONE;
> + return;
> + }
> /*
> * For full emulation, the page needs to exist for real. In
> * execute-only mode, there is no PTE at all backing the vsyscall
next prev parent reply other threads:[~2023-01-11 0:34 UTC|newest]
Thread overview: 40+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-01-10 5:51 [PATCH 0/7] Enable LASS (Linear Address space Separation) Yian Chen
2023-01-10 5:51 ` [PATCH 1/7] x86/cpu: Enumerate LASS CPUID and CR4 bits Yian Chen
2023-01-10 20:14 ` Sohil Mehta
2023-01-11 0:13 ` Dave Hansen
2023-01-11 23:23 ` Chen, Yian
2023-01-12 0:06 ` Luck, Tony
2023-01-12 0:15 ` Chen, Yian
2023-01-11 19:21 ` Chen, Yian
2023-01-10 5:51 ` [PATCH 2/7] x86: Add CONFIG option X86_LASS Yian Chen
2023-01-10 21:05 ` Sohil Mehta
2023-01-12 0:13 ` Chen, Yian
2023-01-10 5:52 ` [PATCH 3/7] x86/cpu: Disable kernel LASS when patching kernel alternatives Yian Chen
2023-01-10 21:04 ` Peter Zijlstra
2023-01-11 1:01 ` Chen, Yian
2023-01-11 9:10 ` Peter Zijlstra
2023-01-10 22:41 ` Sohil Mehta
2023-01-12 0:27 ` Chen, Yian
2023-01-12 0:37 ` Dave Hansen
2023-01-12 18:36 ` Chen, Yian
2023-01-12 18:48 ` Dave Hansen
2023-02-01 2:25 ` Sohil Mehta
2023-02-01 18:20 ` Dave Hansen
2023-02-01 2:10 ` Sohil Mehta
2023-01-10 5:52 ` [PATCH 4/7] x86/vsyscall: Setup vsyscall to compromise LASS protection Yian Chen
2023-01-11 0:34 ` Sohil Mehta [this message]
2023-01-12 1:43 ` Chen, Yian
2023-01-12 2:49 ` Sohil Mehta
2023-01-21 4:09 ` Andy Lutomirski
2023-01-10 5:52 ` [PATCH 5/7] x86/cpu: Enable LASS (Linear Address Space Separation) Yian Chen
2023-01-11 22:22 ` Sohil Mehta
2023-01-12 17:56 ` Chen, Yian
2023-01-12 18:17 ` Dave Hansen
2023-01-13 1:17 ` Sohil Mehta
2023-01-13 19:39 ` Sohil Mehta
2023-01-10 5:52 ` [PATCH 6/7] x86/cpu: Set LASS as pinning sensitive CR4 bit Yian Chen
2023-01-10 5:52 ` [PATCH 7/7] x86/kvm: Expose LASS feature to VM guest Yian Chen
2023-02-07 3:21 ` Wang, Lei
2023-02-09 17:18 ` Sean Christopherson
2023-01-10 19:48 ` [PATCH 0/7] Enable LASS (Linear Address space Separation) Sohil Mehta
2023-01-10 22:57 ` Dave Hansen
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=c2012105-0af6-6720-5a24-719dec775fed@intel.com \
--to=sohil.mehta@intel.com \
--cc=dave.hansen@linux.intel.com \
--cc=linux-kernel@vger.kernel.org \
--cc=luto@kernel.org \
--cc=paul.c.lai@intel.com \
--cc=ravi.v.shankar@intel.com \
--cc=tony.luck@intel.com \
--cc=x86@kernel.org \
--cc=yian.chen@intel.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox