Re: [Ksummit-discuss] [TOPIC] kernel hardening / self-protection / whatever

ksummit.lists.linux.dev archive mirror
 help / color / mirror / Atom feed

From: Kees Cook <keescook@chromium.org>
To: Andy Lutomirski <luto@amacapital.net>
Cc: Dave Hansen <dave.hansen@linux.intel.com>,
	"ksummit-discuss@lists.linuxfoundation.org"
	<ksummit-discuss@lists.linuxfoundation.org>,
	Jann Horn <jann@thejh.net>
Subject: Re: [Ksummit-discuss] [TOPIC] kernel hardening / self-protection / whatever
Date: Wed, 3 Aug 2016 22:54:49 -0700	[thread overview]
Message-ID: <CAGXu5j+v7W+kySsmbpkn4NJL=oxvoa6ZFQEg0Txvz5EYOP8cUQ@mail.gmail.com> (raw)
In-Reply-To: <CALCETrVvXWN3q41RvR1-AN86HrNGXk3xv2uneXBO98TrB3JdaA@mail.gmail.com>

On Wed, Aug 3, 2016 at 10:45 PM, Andy Lutomirski <luto@amacapital.net> wrote:
> On Wed, Aug 3, 2016 at 10:32 PM, Kees Cook <keescook@chromium.org> wrote:
>> On Wed, Aug 3, 2016 at 3:53 PM, Catalin Marinas <catalin.marinas@arm.com> wrote:
>>> On 1 Aug 2016, at 00:05, Kees Cook <keescook@chromium.org> wrote:
>>>> On Sun, Jul 31, 2016 at 2:55 AM, Paul Burton <paul.burton@imgtec.com> wrote:
>>>>> It would be very interesting to discuss what's needed from arch code for
>>>>> various hardening features, both those currently in mainline & those in
>>>>> development.
>>>
>>> I'm interested in such topic as well, primarily from an arm/arm64 perspective.
>>>
>>>> - Handling userspace/kernelspace memory segregation. (This is the SMAP
>>>> of x86, PAN of ARM, and just native on s390.) For architectures (or
>>>> chipsets within an architecture) that don't support unprivileged
>>>> memory access restrictions in hardware, we must find a way to emulate
>>>> it. (e.g. 32-bit ARM uses Domains, and 64-bit x86 could use PCIDs,
>>>> etc.) Keeping these regions separate is extremely important in
>>>> stopping exploitation.
>>>
>>> For arm64 ARMv8.0 (without hardware PAN), I'm going to post a patch
>>> in a week or so which emulates PAN by switching the user page table (TTBR0)
>>> to the zero page. I guess a similar approach could work for other architectures,
>>> maybe using swapper_pg_dir as the PAN page table.
>>
>> At least on x86 I've heard grumblings that it can be prohibitively
>> expensive due to TLB-flushing, but I'd still like to see an
>> implementation doing it first. :)
>
> No TLB flush needed if we use PCID.  Linus will attack you with a
> pitchfork either way, though :)

Hmm, my asbestos suit won't help me there. I will need to invest in titanium. :)

The TLB flushing way I can understand being pitchfork-worthy, though
I'm curious why a PCID implementation would be upsetting?

> It shouldn't be *that* hard to build this thing on top of my PCID
> patchset.  I need to dust that off, which I'll do right after vmap
> stacks land and I finish fsgsbase.  Sigh, so many things.

What does your PCID series do?

-Kees

-- 
Kees Cook
Brillo & Chrome OS Security

next prev parent reply	other threads:[~2016-08-04  5:54 UTC|newest]

Thread overview: 29+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2016-07-11  4:28 Andy Lutomirski
2016-07-11 13:05 ` Rafael J. Wysocki
2016-07-11 16:30 ` Eric W. Biederman
2016-07-11 17:57   ` Kees Cook
2016-07-12 16:40     ` Eric W. Biederman
2016-07-21 15:54   ` Mark Rutland
2016-07-11 17:33 ` Jann Horn
2016-07-19 15:40   ` Eric W. Biederman
2016-07-20  2:14     ` Andy Lutomirski
2016-07-20  2:14       ` Eric W. Biederman
2016-07-20  6:42         ` Herbert Xu
2016-07-21 17:03           ` Eric W. Biederman
2016-07-11 17:53 ` Kees Cook
2016-07-11 18:07   ` Josh Triplett
2016-07-11 18:59     ` Kees Cook
2016-07-31  9:55   ` Paul Burton
2016-07-31 22:04     ` Kees Cook
2016-08-01 10:47       ` Mark Rutland
2016-08-01 19:42         ` Kees Cook
2016-08-03 22:53       ` Catalin Marinas
2016-08-04  5:32         ` Kees Cook
2016-08-04  5:45           ` Andy Lutomirski
2016-08-04  5:54             ` Kees Cook [this message]
2016-08-05  0:12               ` Andy Lutomirski
2016-09-08 23:54                 ` Kees Cook
2016-09-09  0:42                   ` Andy Lutomirski
2016-08-04 14:17           ` Dave Hansen
2016-08-04 22:29             ` Catalin Marinas
2016-08-01  9:34     ` [Ksummit-discuss] [nominations] " Mark Rutland

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to='CAGXu5j+v7W+kySsmbpkn4NJL=oxvoa6ZFQEg0Txvz5EYOP8cUQ@mail.gmail.com' \
    --to=keescook@chromium.org \
    --cc=dave.hansen@linux.intel.com \
    --cc=jann@thejh.net \
    --cc=ksummit-discuss@lists.linuxfoundation.org \
    --cc=luto@amacapital.net \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox