From: Jeff Xu
Date: Wed, 15 Jan 2025 12:20:59 -0800
Subject: Re: [PATCH v4 1/1] exec: seal system mappings
To: Lorenzo Stoakes
Cc: Kees Cook, akpm@linux-foundation.org, jannh@google.com,
    torvalds@linux-foundation.org, adhemerval.zanella@linaro.org,
    oleg@redhat.com, linux-kernel@vger.kernel.org,
    linux-hardening@vger.kernel.org, linux-mm@kvack.org,
    jorgelo@chromium.org, sroettger@google.com, ojeda@kernel.org,
    adobriyan@gmail.com, anna-maria@linutronix.de, mark.rutland@arm.com,
    linus.walleij@linaro.org, Jason@zx2c4.com, deller@gmx.de,
    rdunlap@infradead.org, davem@davemloft.net, hch@lst.de,
    peterx@redhat.com, hca@linux.ibm.com, f.fainelli@gmail.com,
    gerg@kernel.org, dave.hansen@linux.intel.com, mingo@kernel.org,
    ardb@kernel.org, Liam.Howlett@oracle.com, mhocko@suse.com,
    42.hyeyoo@gmail.com, peterz@infradead.org, ardb@google.com,
    enh@google.com, rientjes@google.com, groeck@chromium.org,
    mpe@ellerman.id.au, Vlastimil Babka, Andrei Vagin,
    Dmitry Safonov <0x7f454c46@gmail.com>, Mike Rapoport,
    Alexander Mikhalitsyn, Benjamin Berg

Hi Lorenzo

On Wed, Jan 15, 2025 at 11:46 AM Lorenzo Stoakes wrote:
>
> Jeff,
>
> My name is Lorenzo, not Lorenze.
>
I apologize.

> I've made it abundantly clear that this (NACKed) series cannot allow the
> kernel to be in a broken state even if a user sets flags to do so.
>
> This is because users might lack context to make this decision and
> incorrectly do so, and now we ship a known-broken kernel.
>
> You are now suggesting disabling the !CRIU requirement. Which violates my
> _requirements_ (not optional features).
>
Sure, I can add CRIU back.

Are you fine with UML and gVisor not working under this CONFIG?
UML/gVisor doesn't use any KCONFIG like CRIU does.

> You seem to be saying you're pushing an internal feature on upstream and
> only care about internal use cases, this is not how upstream works, as
> Matthew alludes to.
>
> I have told you that my requirements are:
>
> 1. You cannot allow a user to set config or boot options to have a
>    broken kernel configuration.
>
Can you clarify on the definition of "broken kernel configuration":
Do you consider "setting mseal kernel cmd line under 32 bit build" as
broken? If so, this problem is not solvable and I might just not try
to solve it for the next version.

If you just refer to a need to detect CRIU, in KCONFIG or/and kernel
cmd line, this is solvable.

> 2. You must provide evidence that the arches you claim work with this,
>    actually do.
>
Sure

> You seem to have eliminated that from your summary as if the very thing
> that makes this series NACKed were not pertinent.
>
In my last email, I tried to cover all code-logic related comments,
which is blocking me. I also mentioned I will address non-code related
comments (threat-model/test etc), later.

> If you do not address these correctly, I will simply have to reject your v5
> too and it'll waste everybody's time. I _genuinely_ don't want to have to
> do this.
>
> Any solution MUST fulfil these requirements. I also want to see v5 as an
> RFC honestly at this stage, since it seems we are VERY MUCH in a discussion
> phase rather than a patch phase at this time.
>
Sure.

> I really want to help you improve mseal and get things upstream, but I
> can't ignore my duty to ensure that the kernel remains stable and we don't
> hand kernel users (overly huge) footguns. I hate to be negative, but this
> is why I am pushing back so much here.
>
Thanks. You can help me by answering my questions, and clarify your
requirements. I appreciate your time to make this feature useful.

Please take note that the security feature often takes away
capabilities. Sometimes it is impossible to meet security, usability
or performance goals simultaneously. I'm trying my best to get all
aspects satisfied.

-Jeff

> Thanks!