From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-0.8 required=3.0 tests=DKIM_SIGNED,DKIM_VALID, HEADER_FROM_DIFFERENT_DOMAINS,MAILING_LIST_MULTI,SPF_HELO_NONE,SPF_PASS autolearn=no autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 139B8C35242 for ; Tue, 11 Feb 2020 21:53:20 +0000 (UTC) Received: from kanga.kvack.org (kanga.kvack.org [205.233.56.17]) by mail.kernel.org (Postfix) with ESMTP id 962A420714 for ; Tue, 11 Feb 2020 21:53:19 +0000 (UTC) Authentication-Results: mail.kernel.org; dkim=pass (2048-bit key) header.d=shutemov-name.20150623.gappssmtp.com header.i=@shutemov-name.20150623.gappssmtp.com header.b="D73GQdlz" DMARC-Filter: OpenDMARC Filter v1.3.2 mail.kernel.org 962A420714 Authentication-Results: mail.kernel.org; dmarc=none (p=none dis=none) header.from=shutemov.name Authentication-Results: mail.kernel.org; spf=pass smtp.mailfrom=owner-linux-mm@kvack.org Received: by kanga.kvack.org (Postfix) id 1479F6B033E; Tue, 11 Feb 2020 16:53:19 -0500 (EST) Received: by kanga.kvack.org (Postfix, from userid 40) id 0F90E6B033F; Tue, 11 Feb 2020 16:53:19 -0500 (EST) X-Delivered-To: int-list-linux-mm@kvack.org Received: by kanga.kvack.org (Postfix, from userid 63042) id 00E1E6B0340; Tue, 11 Feb 2020 16:53:18 -0500 (EST) X-Delivered-To: linux-mm@kvack.org Received: from forelay.hostedemail.com (smtprelay0211.hostedemail.com [216.40.44.211]) by kanga.kvack.org (Postfix) with ESMTP id DD9136B033E for ; Tue, 11 Feb 2020 16:53:18 -0500 (EST) Received: from smtpin11.hostedemail.com (10.5.19.251.rfc1918.com [10.5.19.251]) by forelay05.hostedemail.com (Postfix) with ESMTP id 9056D181AC9CC for ; Tue, 11 Feb 2020 21:53:18 +0000 (UTC) X-FDA: 76479197676.11.rain75_91342379b9931 X-HE-Tag: rain75_91342379b9931 X-Filterd-Recvd-Size: 8659 Received: from mail-lf1-f68.google.com (mail-lf1-f68.google.com [209.85.167.68]) by imf16.hostedemail.com (Postfix) with ESMTP for ; Tue, 11 Feb 2020 21:53:17 +0000 (UTC) Received: by mail-lf1-f68.google.com with SMTP id v201so3062lfa.11 for ; Tue, 11 Feb 2020 13:53:17 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=shutemov-name.20150623.gappssmtp.com; s=20150623; h=date:from:to:cc:subject:message-id:references:mime-version :content-disposition:in-reply-to; bh=uPr6nmdf4g27E94FKJrrlll3J6S/ws+cZmMbDPoAUdw=; b=D73GQdlzWVvkjmdhDUSNLJ1QcY5UwBHM/PSy42gnOPzACj4mzwxb+Vl5ED3/lmoYgT otEnSGqCMa2whlHapg9zdRrcqQqCuWmE+HeUDkjw8eJnkB2yPbzauOYRavpkpaJbPnqc pmbdV/GVbKRfBA7cRe6eq18FHX37nXrFX/ysPnz6/F/J0/K60vmLauWDCBJWIUwMLD5n hSkus2GBlcWjvzhNxFZ+kzYPN2D7xjArN7Np4dvZ/U61GxN6HDcJlVETk8VI2N3PWaJK DaPJfsw01FZflg79/AN21M8m/sC/feJs6MymZzeZV1z9x3Zk7M7+MzVGmK66Mtm0m4s8 K/Wg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:date:from:to:cc:subject:message-id:references :mime-version:content-disposition:in-reply-to; bh=uPr6nmdf4g27E94FKJrrlll3J6S/ws+cZmMbDPoAUdw=; b=DHwT8c/7aMfUJbR64WRB7qXk/KxmIjnhP5MgyIqYUSRsvCGp4P5eHeSN2iU8+POQ03 JUmLegJNVrac+yThpa1snV1yJNgT876eaM07sD4QGMgfTmRAUh6EcUcQ9bifXcltsmfX /rK9hVhyGRz4H20A1vMNwOvnet/IMbh9kBgHgvy0PiXMpTLf9p6AF+f6kofn4ME/XN7S b0DpaNRrbcy8l3SlRIjMGKudI9uBT/Qk9LdSswNZZbfA0wXjXwaAIKJxjBdovyeKEWur eEgnY9DSaPesH3IPgAlP/s6996y/g6bNhX2tuzkTWurjIq78zTrhXz78EZefQ2IXgtKl 5uzw== X-Gm-Message-State: APjAAAUkWwhDVv22E266FxfNDLU0fUpJAR4p18fT6BTVi0xiPEquJ0d3 MbcJ5OOAari5Qx8AufC87ONrig== X-Google-Smtp-Source: APXvYqxYl8D2nBhoZ8kK5fODPMi0XJ6E5tlQMSG+teDx3ZuBrNbhXNDy2p64DUZ+1phXaV/x6UGAhw== X-Received: by 2002:ac2:5ec3:: with SMTP id d3mr4855087lfq.176.1581457996089; Tue, 11 Feb 2020 13:53:16 -0800 (PST) Received: from box.localdomain ([86.57.175.117]) by smtp.gmail.com with ESMTPSA id t9sm2440272lfl.51.2020.02.11.13.53.15 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 11 Feb 2020 13:53:15 -0800 (PST) Received: by box.localdomain (Postfix, from userid 1000) id 66A5E100E99; Wed, 12 Feb 2020 00:53:34 +0300 (+03) Date: Wed, 12 Feb 2020 00:53:34 +0300 From: "Kirill A. Shutemov" To: Mike Rapoport Cc: Mike Rapoport , lsf-pc@lists.linux-foundation.org, linux-mm@kvack.org Subject: Re: [LSF/MM/BPF TOPIC] Restricted kernel address spaces Message-ID: <20200211215334.bftqnru57mv5bcza@box> References: <20200206165900.GD17499@linux.ibm.com> <20200207173909.e5gtjys7q4ieh2fv@box> <20200211172047.GA24237@hump> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20200211172047.GA24237@hump> X-Bogosity: Ham, tests=bogofilter, spamicity=0.000000, version=1.2.4 Sender: owner-linux-mm@kvack.org Precedence: bulk X-Loop: owner-majordomo@kvack.org List-ID: On Tue, Feb 11, 2020 at 07:20:47PM +0200, Mike Rapoport wrote: > On Fri, Feb 07, 2020 at 08:39:09PM +0300, Kirill A. Shutemov wrote: > > On Thu, Feb 06, 2020 at 06:59:00PM +0200, Mike Rapoport wrote: > > > > > > Restricted mappings in the kernel mode may improve mitigation of hardware > > > speculation vulnerabilities and minimize the damage exploitable kernel bugs > > > can cause. > > > > > > There are several ongoing efforts to use restricted address spaces in > > > Linux kernel for various use cases: > > > * speculation vulnerabilities mitigation in KVM [1] > > > * support for memory areas visible only in a single owning context, or more > > > generically, a memory areas with more restrictive protection that the > > > defaults ("secret" memory) [2], [3], [4] > > > * hardening of the Linux containers [ no reference yet :) ] > > > > > > Last year we had vague ideas and possible directions, this year we have > > > several real challenges and design decisions we'd like to discuss: > > > > > > * "Secret" memory userspace APIs > > > > > > Should such API follow "native" MM interfaces like mmap(), mprotect(), > > > madvise() or it would be better to use a file descriptor , e.g. like > > > memfd-create does? > > > > I don't really see a point in such file-descriptor. It suppose to be very > > private secret data. What functionality that provide a file descriptor do > > you see valuable in this scenario? > > > > File descriptor makes it easier to spill the secrets to other process: over > > fork(), UNIX socket or via /proc/PID/fd/. > > On the other hand it is may be desired to share a secret between several > processes. Then UNIX socket or fork() actually become handy. If more than one knows, it is secret no longer :P > > > MM "native" APIs would require VM_something flag and probably a page flag > > > or page_ext. With file-descriptor VM_SPECIAL and custom implementation of > > > .mmap() and .fault() would suffice. On the other hand, mmap() and > > > mprotect() seem better fit semantically and they could be more easily > > > adopted by the userspace. > > > > You mix up implementation and interface. You can provide an interface which > > doesn't require a file descriptor, but still use a magic file internally to > > the VMA distinct. > > If I understand correctly, if we go with mmap(MAP_SECRET) example, the > mmap() would implicitly create a magic file with its .mmap() and .fault() > implementing the protection? That's a possibility. But then, if we already > have a file, why not let user get a handle for it and allow fine grained > control over its sharing between processes? A proper file descriptor would have wider exposer with security implications. It has to be at least scoped properly. > > > * Direct/linear map fragmentation > > > > > > Whenever we want to drop some mappings from the direct map or even change > > > the protection bits for some memory area, the gigantic and huge pages > > > that comprise the direct map need to be broken and there's no THP for the > > > kernel page tables to collapse them back. Moreover, the existing API > > > defined in by several architectures do not really > > > presume it would be widely used. > > > > > > For the "secret" memory use-case the fragmentation can be minimized by > > > caching large pages, use them to satisfy smaller "secret" allocations and > > > than collapse them back once the "secret" memory is freed. Another > > > possibility is to pre-allocate physical memory at boot time. > > > > I would rather go with pre-allocation path. At least at first. We always > > can come up with more dynamic and complicated solution later if the > > interface would be wildly adopted. > > We still must manage the "secret" allocations, so I don't think that the > dynamic solution will be much more complicated. Okay. BTW, with clarified scope of the AMD Erratum, I believe we can implement "collapse" for direct mapping. Willing to try? > > > Yet another idea is to make page allocator aware of the direct map layout. > > > > > > * Kernel page table management > > > > > > Currently we presume that only one kernel page table exists (well, > > > mostly) and the page table abstraction is required only for the user page > > > tables. As such, we presume that 'page table == struct mm_struct' and the > > > mm_struct is used all over by the operations that manage the page tables. > > > > > > The management of the restricted address space in the kernel requires > > > ability to create, update and remove kernel contexts the same way we do > > > for the userspace. > > > > > > One way is to overload the mm_struct, like EFI and text poking did. But > > > it is quite an overkill, because most of the mm_struct contains > > > information required to manage user mappings. > > > > In what way is it overkill? Just memory overhead? How many of such > > contexts do you expect to see in the system? > > Well, memory overhead is not that big, but it'd not negligible. For the KVM > ASI usescase, for instance, there will be at least as much contexts as > running VMs. We also have thoughts about how to make namespaces use restricted > address spaces, for this usecase there will be quite a lot of such > contexts. > > Besides, it does not feel right to have the mm_struct to represent a page > table. Fair enough. It might be interesting. -- Kirill A. Shutemov