Date: Thu, 13 Mar 2025 18:11:20 +0000
In-Reply-To: <20250313-asi-page-alloc-v1-0-04972e046cea@google.com>
References: <20250313-asi-page-alloc-v1-0-04972e046cea@google.com>
Message-ID: <20250313-asi-page-alloc-v1-1-04972e046cea@google.com>
Subject: [PATCH RFC 01/11] x86/mm: Bare minimum ASI API for page_alloc integration
From: Brendan Jackman
To: Thomas Gleixner, Ingo Molnar, Borislav Petkov, Dave Hansen, x86@kernel.org, Andrew Morton, David Rientjes, Vlastimil Babka, David Hildenbrand
Cc: linux-kernel@vger.kernel.org, linux-mm@kvack.org, Mike Rapoport, Junaid Shahid, Reiji Watanabe, Patrick Bellasi, Brendan Jackman, Yosry Ahmed

This commit serves to provide a minimal framework to present an ASI integration into the page allocator, without getting distracted by irrelevant details. There's no need to review this actively, just refer back to it as-needed when reading the later patches.

In a real [PATCH] series this should be several separate commits.

Aside from missing the actual core address-space switching and security logic, this is missing runtime-disablement of ASI. If you enable it in Kconfig, ASI's mm logic gets run unconditionally. That isn't what we want in the real implementation (certainly not in the initial version, anyway).

- Add CONFIG_MITIGATION_ADDRESS_SPACE_ISOLATION. Attempt to follow the proposal by Mike Rapoport here:

  https://lore.kernel.org/linux-mm/Z8K2B3WJoICVbDj3@kernel.org/

  In this RFC, there's only a small amount of x86-specific logic, perhaps it's possible to implement this logic without any arch/ dependency. But, this is absolutely not true of the full ASI implementation. So that's already reflected in the Kconfig stuff here.

- Introduce struct asi, which is an "ASI domain", i.e. an address space.
For now this is nothing but a wrapper for a PGD. - Introduce the "global nonsensitive" ASI domain. This contains all the mappings that do not need to be protected from any attacker. Maintaining these mappings is the subject of this RFC. Signed-off-by: Brendan Jackman --- arch/Kconfig | 14 ++++++++++++++ arch/x86/Kconfig | 1 + arch/x86/include/asm/asi.h | 28 ++++++++++++++++++++++++++++ arch/x86/mm/Makefile | 1 + arch/x86/mm/asi.c | 8 ++++++++ arch/x86/mm/init.c | 3 ++- include/linux/asi.h | 18 ++++++++++++++++++ 7 files changed, 72 insertions(+), 1 deletion(-) diff --git a/arch/Kconfig b/arch/Kconfig index b8a4ff36558228240080a5677f702d37f4f8d547..871ad0987c8740205ceec675a6b7304c644f28e1 100644 --- a/arch/Kconfig +++ b/arch/Kconfig @@ -17,6 +17,20 @@ config CPU_MITIGATIONS def_bool y endif +config ARCH_HAS_MITIGATION_ADDRESS_SPACE_ISOLATION + bool + +config MITIGATION_ADDRESS_SPACE_ISOLATION + bool "Allow code to run with a reduced kernel address space" + default n + depends on ARCH_HAS_MITIGATION_ADDRESS_SPACE_ISOLATION && !PARAVIRT + help + This feature provides the ability to run some kernel code + with a reduced kernel address space. This can be used to + mitigate some speculative execution attacks. + + !PARAVIRT dependency is a temporary hack while ASI has custom + pagetable manipulation code. # # Selected by architectures that need custom DMA operations for e.g. legacy # IOMMUs not handled by dma-iommu. Drivers must never select this symbol. diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig index 0e27ebd7e36a9e3d69ad3e77c8db5dcf11ae3016..19ceecf5978bbe62e0742072c192c8ee952082dc 100644 --- a/arch/x86/Kconfig +++ b/arch/x86/Kconfig @@ -36,6 +36,7 @@ config X86_64 select ARCH_HAS_ELFCORE_COMPAT select ZONE_DMA32 select EXECMEM if DYNAMIC_FTRACE + select ARCH_HAS_MITIGATION_ADDRESS_SPACE_ISOLATION config FORCE_DYNAMIC_FTRACE def_bool y 
diff --git a/arch/x86/include/asm/asi.h b/arch/x86/include/asm/asi.h new file mode 100644 index 0000000000000000000000000000000000000000..b8f604df6a36508acbc10710f821d5f95e8cdceb --- /dev/null +++ b/arch/x86/include/asm/asi.h @@ -0,0 +1,28 @@ +/* SPDX-License-Identifier: GPL-2.0 */ +#ifndef _ASM_X86_ASI_H +#define _ASM_X86_ASI_H + +#include + +#ifdef CONFIG_MITIGATION_ADDRESS_SPACE_ISOLATION + +extern struct asi __asi_global_nonsensitive; +#define ASI_GLOBAL_NONSENSITIVE (&__asi_global_nonsensitive) + +/* + * An ASI domain (struct asi) represents a restricted address space. The + * unrestricted address space (and user address space under PTI) are not + * represented as a domain. + */ +struct asi { + pgd_t *pgd; +}; + +static __always_inline pgd_t *asi_pgd(struct asi *asi) +{ + return asi ? asi->pgd : NULL; +} + +#endif /* CONFIG_MITIGATION_ADDRESS_SPACE_ISOLATION */ + +#endif /* _ASM_X86_ASI_H */ diff --git a/arch/x86/mm/Makefile b/arch/x86/mm/Makefile index 690fbf48e8538b62a176ce838820e363575b7897..89ade7363798cc20d5e5643526eba7378174baa0 100644 --- a/arch/x86/mm/Makefile +++ b/arch/x86/mm/Makefile @@ -61,6 +61,7 @@ obj-$(CONFIG_ACPI_NUMA) += srat.o obj-$(CONFIG_X86_INTEL_MEMORY_PROTECTION_KEYS) += pkeys.o obj-$(CONFIG_RANDOMIZE_MEMORY) += kaslr.o obj-$(CONFIG_MITIGATION_PAGE_TABLE_ISOLATION) += pti.o +obj-$(CONFIG_MITIGATION_ADDRESS_SPACE_ISOLATION) += asi.o obj-$(CONFIG_X86_MEM_ENCRYPT) += mem_encrypt.o obj-$(CONFIG_AMD_MEM_ENCRYPT) += mem_encrypt_amd.o diff --git a/arch/x86/mm/asi.c b/arch/x86/mm/asi.c new file mode 100644 index 0000000000000000000000000000000000000000..e5a981a7b3192655cd981633514fbf945b92c9b6 --- /dev/null +++ b/arch/x86/mm/asi.c @@ -0,0 +1,8 @@ +// SPDX-License-Identifier: GPL-2.0 +#include + +static __aligned(PAGE_SIZE) pgd_t asi_global_nonsensitive_pgd[PTRS_PER_PGD]; + +struct asi __asi_global_nonsensitive = { + .pgd = asi_global_nonsensitive_pgd, +}; 
diff --git a/arch/x86/mm/init.c b/arch/x86/mm/init.c index 62aa4d66a032d59191e79d34fc0cdaa4f32f88db..44d3dc574881dd23bb48f9af3f6191be309405ef 100644 --- a/arch/x86/mm/init.c +++ b/arch/x86/mm/init.c @@ -250,7 +250,8 @@ static void __init probe_page_size_mask(void) /* By the default is everything supported: */ __default_kernel_pte_mask = __supported_pte_mask; /* Except when with PTI where the kernel is mostly non-Global: */ - if (cpu_feature_enabled(X86_FEATURE_PTI)) + if (cpu_feature_enabled(X86_FEATURE_PTI) || + IS_ENABLED(CONFIG_MITIGATION_ADDRESS_SPACE_ISOLATION)) __default_kernel_pte_mask &= ~_PAGE_GLOBAL; /* Enable 1 GB linear kernel mappings if available: */ diff --git a/include/linux/asi.h b/include/linux/asi.h new file mode 100644 index 0000000000000000000000000000000000000000..2d3049d5fe423e139dcce8f3d68cdffcc0ec0bfe --- /dev/null +++ b/include/linux/asi.h @@ -0,0 +1,18 @@ +/* SPDX-License-Identifier: GPL-2.0 */ +#ifndef _INCLUDE_ASI_H +#define _INCLUDE_ASI_H + +#include + +#ifdef CONFIG_MITIGATION_ADDRESS_SPACE_ISOLATION +#include +#else + +#define ASI_GLOBAL_NONSENSITIVE NULL + +struct asi {}; + +static inline pgd_t *asi_pgd(struct asi *asi) { return NULL; } + +#endif /* CONFIG_MITIGATION_ADDRESS_SPACE_ISOLATION */ +#endif /* _INCLUDE_ASI_H */ -- 2.49.0.rc1.451.g8f38331e32-goog
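Review bot: In arch/Kconfig, MITIGATION_ADDRESS_SPACE_ISOLATION depends only on ARCH_HAS_MITIGATION_ADDRESS_SPACE_ISOLATION && !PARAVIRT, so it is not tied to the CPU_MITIGATIONS symbol defined just above it; if the option is meant to follow that switch, add the dependency explicitly. The `default n` line is redundant for a bool and can be dropped, and the new help text runs straight into the following `#` comment block with no blank line separating them.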
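Review bot: In arch/x86/include/asm/asi.h, asi_pgd() accepts a NULL domain and returns NULL, but nothing documents what a NULL `struct asi *` means or what a caller is expected to do with a NULL PGD. The struct comment says the unrestricted address space is not represented as a domain; state there whether NULL stands for it, since include/linux/asi.h also defines ASI_GLOBAL_NONSENSITIVE as NULL when the option is off, which would give NULL two meanings. asi_pgd() only reads through the pointer, so the parameter could be `const struct asi *`.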
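Review bot: In arch/x86/mm/asi.c, __asi_global_nonsensitive has its .pgd fixed at build time to a static array, yet the struct is left writable; consider `__ro_after_init` (or const, if no later patch needs to write it) so the pointer to a page-table root cannot be retargeted after boot. A short comment on asi_global_nonsensitive_pgd saying that it starts empty and which code populates it would also help, since nothing in this patch fills it.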
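Review bot: In probe_page_size_mask() in arch/x86/mm/init.c, the comment above the changed condition still reads "Except when with PTI where the kernel is mostly non-Global", but _PAGE_GLOBAL is now also cleared whenever CONFIG_MITIGATION_ADDRESS_SPACE_ISOLATION is built in; update the comment and say why ASI needs non-global kernel mappings. Because IS_ENABLED() is a compile-time test, every boot of such a kernel drops _PAGE_GLOBAL from __default_kernel_pte_mask. That matches the commit message's note about missing runtime disablement, but the code should carry a marker that this is to be replaced by a runtime check.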
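Review bot: In include/linux/asi.h, the stub for the disabled case declares asi_pgd() as `static inline` while the x86 version is `static __always_inline`; keep the two declarations consistent so callers see the same function in both configurations. The include guard _INCLUDE_ASI_H does not reflect the header's path; _LINUX_ASI_H would match include/linux/asi.h the way _ASM_X86_ASI_H matches the arch header.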