From: Jeff Xu
Date: Mon, 3 Mar 2025 11:29:21 -0800
Subject: Re: [PATCH v8 1/7] mseal sysmap: kernel config and header change
To: Kees Cook
Cc: akpm@linux-foundation.org, jannh@google.com, torvalds@linux-foundation.org, vbabka@suse.cz, lorenzo.stoakes@oracle.com, Liam.Howlett@oracle.com, adhemerval.zanella@linaro.org, oleg@redhat.com, avagin@gmail.com, benjamin@sipsolutions.net, linux-kernel@vger.kernel.org, linux-hardening@vger.kernel.org, linux-mm@kvack.org, linux-kselftest@vger.kernel.org, jorgelo@chromium.org, sroettger@google.com, hch@lst.de, ojeda@kernel.org, thomas.weissschuh@linutronix.de, adobriyan@gmail.com, johannes@sipsolutions.net, pedro.falcato@gmail.com, hca@linux.ibm.com, willy@infradead.org, anna-maria@linutronix.de, mark.rutland@arm.com, linus.walleij@linaro.org, Jason@zx2c4.com, deller@gmx.de, rdunlap@infradead.org, davem@davemloft.net, peterx@redhat.com, f.fainelli@gmail.com, gerg@kernel.org, dave.hansen@linux.intel.com, mingo@kernel.org, ardb@kernel.org, mhocko@suse.com, 42.hyeyoo@gmail.com, peterz@infradead.org, ardb@google.com, enh@google.com, rientjes@google.com, groeck@chromium.org, mpe@ellerman.id.au, aleksandr.mikhalitsyn@canonical.com, mike.rapoport@gmail.com

On Mon, Mar 3, 2025 at 8:37 AM Kees Cook wrote:
>
> On Mon, Mar 03, 2025 at 05:09:15AM +0000, jeffxu@chromium.org wrote:
> > From: Jeff Xu
> >
> > Provide infrastructure to mseal system mappings. Establish
> > two kernel configs (CONFIG_MSEAL_SYSTEM_MAPPINGS,
> > ARCH_SUPPORTS_MSEAL_SYSTEM_MAPPINGS) and VM_SEALED_SYSMAP
> > macro for future patches.
> >
> > Signed-off-by: Jeff Xu
> > --- > > include/linux/mm.h | 10 ++++++++++ > > init/Kconfig | 22 ++++++++++++++++++++++ > > security/Kconfig | 21 +++++++++++++++++++++ > > 3 files changed, 53 insertions(+) > > > > diff --git a/include/linux/mm.h b/include/linux/mm.h > > index 7b1068ddcbb7..8b800941678d 100644 > > --- a/include/linux/mm.h > > +++ b/include/linux/mm.h > > @@ -4155,4 +4155,14 @@ int arch_get_shadow_stack_status(struct task_str= uct *t, unsigned long __user *st > > int arch_set_shadow_stack_status(struct task_struct *t, unsigned long = status); > > int arch_lock_shadow_stack_status(struct task_struct *t, unsigned long= status); > > > > + > > +/* > > + * mseal of userspace process's system mappings. > > + */ > > +#ifdef CONFIG_MSEAL_SYSTEM_MAPPINGS > > +#define VM_SEALED_SYSMAP VM_SEALED > > +#else > > +#define VM_SEALED_SYSMAP VM_NONE > > +#endif > > + > > #endif /* _LINUX_MM_H */ > > diff --git a/init/Kconfig b/init/Kconfig > > index d0d021b3fa3b..c90dd8778993 100644 > > --- a/init/Kconfig > > +++ b/init/Kconfig
> > @@ -1882,6 +1882,28 @@ config ARCH_HAS_MEMBARRIER_CALLBACKS > > config ARCH_HAS_MEMBARRIER_SYNC_CORE > > bool > > > > +config ARCH_SUPPORTS_MSEAL_SYSTEM_MAPPINGS > > + bool > > + help > > + Control MSEAL_SYSTEM_MAPPINGS access based on architecture. > > + > > + A 64-bit kernel is required for the memory sealing feature. > > + No specific hardware features from the CPU are needed. > > + > > + To enable this feature, the architecture needs to update their > > + special mappings calls to include the sealing flag and confirm > > + that it doesn't unmap/remap system mappings during the life > > + time of the process. The existence of this flag for an architec= ture > > + implies that it does not require the remapping of thest system > > typo nit: "the" instead of "thest" > > > + mappings during process lifetime, so sealing these mappings is = safe > > + from a kernel perspective. > > + > > + After the architecture enables this, a distribution can set > > + CONFIG_MSEAL_SYSTEM_MAPPING to manage access to the feature. > > + > > + For complete descriptions of memory sealing, please see > > + Documentation/userspace-api/mseal.rst > > + > > config HAVE_PERF_EVENTS > > bool > > help > > diff --git a/security/Kconfig b/security/Kconfig > > index f10dbf15c294..5311f4a6786c 100644 > > --- a/security/Kconfig > > +++ b/security/Kconfig 
> > @@ -51,6 +51,27 @@ config PROC_MEM_NO_FORCE > > > > endchoice > > > > +config MSEAL_SYSTEM_MAPPINGS > > + bool "mseal system mappings" > > + depends on 64BIT > > + depends on ARCH_SUPPORTS_MSEAL_SYSTEM_MAPPINGS > > + depends on !CHECKPOINT_RESTORE > > + help > > + Apply mseal on system mappings. > > + The system mappings includes vdso, vvar, vvar_vclock, > > + vectors (arm compact-mode), sigpage (arm compact-mode), uprobes= .
>
> typo nits: "compat" instead of "compact".
>
Got it, I will change everywhere for this (mseal.rst, cover letter)

> > + > > + A 64-bit kernel is required for the memory sealing feature. > > + No specific hardware features from the CPU are needed. > > + > > + WARNING: This feature breaks programs which rely on relocating > > + or unmapping system mappings. Known broken software at the time > > + of writing includes CHECKPOINT_RESTORE, UML, gVisor, rr. Theref= ore > > + this config can't be enabled universally. > > + > > + For complete descriptions of memory sealing, please see > > + Documentation/userspace-api/mseal.rst > > + > > config SECURITY > > bool "Enable different security models" > > depends on SYSFS > > -- > > 2.48.1.711.g2feabab25a-goog > >
>
> Perhaps akpm can fix these up directly instead of a v9 spin?
>
V9 is relatively easy for me. I probably need a good version for
backporting to chromeOS/Android. If all goes well, I'll follow up with a
V10 based on Thomas Weißschuh's vdso refactor branch [1] [2].

[1] https://lore.kernel.org/all/CABi2SkXwaJ=s3XqHKu1aFVfcacgxpQ5Ji1_BqaN+ch2i_RnA9Q@mail.gmail.com/
[2] https://git.kernel.org/pub/scm/linux/kernel/git/tip/tip.git/log/?h=timers/vdso

> But otherwise, yes, reads well to me:
>
> Reviewed-by: Kees Cook
>
> --
> Kees Cook
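
Review bot: The comment above VM_SEALED_SYSMAP in the include/linux/mm.h hunk does not document the #else branch, where the macro becomes VM_NONE and any future user of it gets an unsealed mapping with no indication at the call site. Suggest extending the comment to say that the macro expands to VM_SEALED only when CONFIG_MSEAL_SYSTEM_MAPPINGS is set and is a no-op otherwise. Style point in the same hunk: the first added line is a blank line directly after an existing blank context line, so the file ends up with two consecutive blank lines before the comment; drop the added one.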
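
Review bot: The help text of ARCH_SUPPORTS_MSEAL_SYSTEM_MAPPINGS in the init/Kconfig hunk refers to CONFIG_MSEAL_SYSTEM_MAPPING (singular) in "a distribution can set CONFIG_MSEAL_SYSTEM_MAPPING", but the symbol this series defines in security/Kconfig is MSEAL_SYSTEM_MAPPINGS. Someone searching the tree or a .config for the name given in the help text will find nothing, so the reference should read CONFIG_MSEAL_SYSTEM_MAPPINGS. The same help text states that a 64-bit kernel is required, while this symbol carries no dependency of its own; the 64BIT dependency sits only on MSEAL_SYSTEM_MAPPINGS, which is worth saying here so that an architecture selecting the symbol knows where the restriction is enforced.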
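
Review bot: The WARNING paragraph in the security/Kconfig hunk lists CHECKPOINT_RESTORE among "known broken software" alongside UML, gVisor and rr, yet the symbol already has "depends on !CHECKPOINT_RESTORE", so that one combination cannot be configured while the other three have no guard beyond this help text. Suggest rewording so the reader can tell the cases apart, for example stating that CHECKPOINT_RESTORE is excluded by the dependency and that UML, gVisor and rr are known to break at run time when the option is enabled. Grammar in the same help text: "The system mappings includes" should be "The system mappings include".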