From: Alexander Graf <graf@amazon.com>
To: Fares Mehanna <faresx@amazon.de>
Cc: nh-open-source@amazon.com, "Marc Zyngier" <maz@kernel.org>,
"Oliver Upton" <oliver.upton@linux.dev>,
"James Morse" <james.morse@arm.com>,
"Suzuki K Poulose" <suzuki.poulose@arm.com>,
"Zenghui Yu" <yuzenghui@huawei.com>,
"Catalin Marinas" <catalin.marinas@arm.com>,
"Will Deacon" <will@kernel.org>,
"Andrew Morton" <akpm@linux-foundation.org>,
"Kemeng Shi" <shikemeng@huaweicloud.com>,
"Pierre-Clément Tosi" <ptosi@google.com>,
"Ard Biesheuvel" <ardb@kernel.org>,
"Mark Rutland" <mark.rutland@arm.com>,
"Javier Martinez Canillas" <javierm@redhat.com>,
"Arnd Bergmann" <arnd@arndb.de>, "Fuad Tabba" <tabba@google.com>,
"Mark Brown" <broonie@kernel.org>,
"Joey Gouly" <joey.gouly@arm.com>,
"Kristina Martsenko" <kristina.martsenko@arm.com>,
"Randy Dunlap" <rdunlap@infradead.org>,
"Bjorn Helgaas" <bhelgaas@google.com>,
"Jean-Philippe Brucker" <jean-philippe@linaro.org>,
"Mike Rapoport (IBM)" <rppt@kernel.org>,
"David Hildenbrand" <david@redhat.com>,
"Roman Kagan" <rkagan@amazon.de>,
"moderated list:KERNEL VIRTUAL MACHINE FOR ARM64 (KVM/arm64)"
<linux-arm-kernel@lists.infradead.org>,
"open list:KERNEL VIRTUAL MACHINE FOR ARM64 (KVM/arm64)"
<kvmarm@lists.linux.dev>,
"open list" <linux-kernel@vger.kernel.org>,
"open list:MEMORY MANAGEMENT" <linux-mm@kvack.org>,
mark.rutland@arm.com,
"Mike Rapoport" <mikerapoport@microsoft.com>
Subject: Re: [RFC PATCH 0/7] support for mm-local memory allocations and use it
Date: Fri, 20 Sep 2024 15:19:32 +0200 [thread overview]
Message-ID: <23d90b50-f087-4daa-b4bc-4da406160c9d@amazon.com> (raw)
In-Reply-To: <20240911143421.85612-1-faresx@amazon.de>
On 11.09.24 16:33, Fares Mehanna wrote:
> In a series posted a few years ago [1], a proposal was put forward to allow the
> kernel to allocate memory local to a mm and thus push it out of reach for
> current and future speculation-based cross-process attacks. We still believe
> this is a nice thing to have.
>
> However, in the time passed since that post Linux mm has grown quite a few new
> goodies, so we'd like to explore possibilities to implement this functionality
> with less effort and churn leveraging the now available facilities.
>
> An RFC was posted few months back [2] to show the proof of concept and a simple
> test driver.
>
> In this RFC, we're using the same approach of implementing mm-local allocations
> piggy-backing on memfd_secret(), using regular user addresses but pinning the
> pages and flipping the user/supervisor flag on the respective PTEs to make them
> directly accessible from kernel.
> In addition to that we are submitting 5 patches to use the secret memory to hide
> the vCPU gp-regs and fp-regs on arm64 VHE systems.
>
> The generic drawbacks of using user virtual addresses mentioned in the previous
> RFC [2] still hold, in addition to a more specific one:
>
> - While the user virtual addresses allocated for kernel secret memory are not
> directly accessible by userspace as the PTEs restrict that, copy_from_user()
> and copy_to_user() can operate on those ranges, so that e.g. the usermode can
> guess the address and pass it as the target buffer for read(), making the
> kernel overwrite it with the user-controlled content. Effectively making the
> secret memory in the current implementation missing confidentiality and
> integrity guarantees.
>
> In the specific case of vCPU registers, this is fine because the owner process
> can read and write to them using KVM IOCTLs anyway. But in the general case this
> represents a security concern and needs to be addressed.
>
> A possible way forward for the arch-agnostic implementation is to limit the user
> virtual addresses used for kernel to specific range that can be checked against
> in copy_from_user() and copy_to_user().
>
> For arch specific implementation, using separate PGD is the way to go.
>
> [1] https://lore.kernel.org/lkml/20190612170834.14855-1-mhillenb@amazon.de/
> [2] https://lore.kernel.org/lkml/20240621201501.1059948-1-rkagan@amazon.de/
Hey Mark and Mike,
We talked at LPC about mm-local memory and you had some inputs. It would
be amazing to write them down here so I don't end up playing game of
telephone :)
Thanks!
Amazon Web Services Development Center Germany GmbH
Krausenstr. 38
10117 Berlin
Geschaeftsfuehrung: Christian Schlaeger, Jonathan Weiss
Eingetragen am Amtsgericht Charlottenburg unter HRB 257764 B
Sitz: Berlin
Ust-ID: DE 365 538 597
next prev parent reply other threads:[~2024-09-20 13:19 UTC|newest]
Thread overview: 24+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-09-11 14:33 Fares Mehanna
2024-09-11 14:34 ` [RFC PATCH 1/7] mseal: expose interface to seal / unseal user memory ranges Fares Mehanna
2024-09-12 16:40 ` Liam R. Howlett
2024-09-25 15:25 ` Fares Mehanna
2024-09-11 14:34 ` [RFC PATCH 2/7] mm/secretmem: implement mm-local kernel allocations Fares Mehanna
2024-09-11 14:34 ` [RFC PATCH 3/7] arm64: KVM: Refactor C-code to access vCPU gp-registers through macros Fares Mehanna
2024-09-11 14:34 ` [RFC PATCH 4/7] KVM: Refactor Assembly-code to access vCPU gp-registers through a macro Fares Mehanna
2024-09-11 14:34 ` [RFC PATCH 5/7] arm64: KVM: Allocate vCPU gp-regs dynamically on VHE and KERNEL_SECRETMEM enabled systems Fares Mehanna
2024-09-11 14:34 ` [RFC PATCH 6/7] arm64: KVM: Refactor C-code to access vCPU fp-registers through macros Fares Mehanna
2024-09-11 14:34 ` [RFC PATCH 7/7] arm64: KVM: Allocate vCPU fp-regs dynamically on VHE and KERNEL_SECRETMEM enabled systems Fares Mehanna
2024-09-20 12:34 ` [RFC PATCH 0/7] support for mm-local memory allocations and use it Mike Rapoport
2024-09-25 15:33 ` Fares Mehanna
2024-09-27 7:08 ` Mike Rapoport
2024-10-08 20:06 ` Fares Mehanna
2024-09-20 13:19 ` Alexander Graf [this message]
2024-09-27 12:59 ` David Hildenbrand
2024-10-10 15:52 ` Fares Mehanna
2024-10-11 12:04 ` David Hildenbrand
2024-10-11 12:36 ` Mediouni, Mohamed
2024-10-11 12:56 ` Mediouni, Mohamed
2024-10-11 12:58 ` David Hildenbrand
2024-10-11 14:25 ` Fares Mehanna
2024-10-18 18:52 ` David Hildenbrand
2024-10-18 19:02 ` David Hildenbrand
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=23d90b50-f087-4daa-b4bc-4da406160c9d@amazon.com \
--to=graf@amazon.com \
--cc=akpm@linux-foundation.org \
--cc=ardb@kernel.org \
--cc=arnd@arndb.de \
--cc=bhelgaas@google.com \
--cc=broonie@kernel.org \
--cc=catalin.marinas@arm.com \
--cc=david@redhat.com \
--cc=faresx@amazon.de \
--cc=james.morse@arm.com \
--cc=javierm@redhat.com \
--cc=jean-philippe@linaro.org \
--cc=joey.gouly@arm.com \
--cc=kristina.martsenko@arm.com \
--cc=kvmarm@lists.linux.dev \
--cc=linux-arm-kernel@lists.infradead.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mm@kvack.org \
--cc=mark.rutland@arm.com \
--cc=maz@kernel.org \
--cc=mikerapoport@microsoft.com \
--cc=nh-open-source@amazon.com \
--cc=oliver.upton@linux.dev \
--cc=ptosi@google.com \
--cc=rdunlap@infradead.org \
--cc=rkagan@amazon.de \
--cc=rppt@kernel.org \
--cc=shikemeng@huaweicloud.com \
--cc=suzuki.poulose@arm.com \
--cc=tabba@google.com \
--cc=will@kernel.org \
--cc=yuzenghui@huawei.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox