From: Jeff Xu
Date: Tue, 25 Feb 2025 17:33:24 -0800
Subject: Re: [PATCH v7 1/7] mseal, system mappings: kernel config and header change
To: Lorenzo Stoakes
Cc: akpm@linux-foundation.org, keescook@chromium.org, jannh@google.com, torvalds@linux-foundation.org, vbabka@suse.cz, Liam.Howlett@oracle.com, adhemerval.zanella@linaro.org, oleg@redhat.com, avagin@gmail.com, benjamin@sipsolutions.net, linux-kernel@vger.kernel.org, linux-hardening@vger.kernel.org, linux-mm@kvack.org, jorgelo@chromium.org, sroettger@google.com, hch@lst.de, ojeda@kernel.org, thomas.weissschuh@linutronix.de, adobriyan@gmail.com, johannes@sipsolutions.net, pedro.falcato@gmail.com, hca@linux.ibm.com, willy@infradead.org, anna-maria@linutronix.de, mark.rutland@arm.com, linus.walleij@linaro.org, Jason@zx2c4.com, deller@gmx.de, rdunlap@infradead.org, davem@davemloft.net, peterx@redhat.com, f.fainelli@gmail.com, gerg@kernel.org, dave.hansen@linux.intel.com, mingo@kernel.org, ardb@kernel.org, mhocko@suse.com, 42.hyeyoo@gmail.com, peterz@infradead.org, ardb@google.com, enh@google.com, rientjes@google.com, groeck@chromium.org, mpe@ellerman.id.au, aleksandr.mikhalitsyn@canonical.com, mike.rapoport@gmail.com
References: <20250224225246.3712295-1-jeffxu@google.com> <20250224225246.3712295-2-jeffxu@google.com> <9abd68d9-3e6d-46a0-b92c-5aee0a90abf3@lucifer.local>
In-Reply-To: <9abd68d9-3e6d-46a0-b92c-5aee0a90abf3@lucifer.local>

On Mon, Feb 24, 2025 at 10:05 PM Lorenzo Stoakes wrote:
> > +config ARCH_HAS_MSEAL_SYSTEM_MAPPINGS
> > + bool
> > + help
> > + Control MSEAL_SYSTEM_MAPPINGS access based on architecture.
> > +
> > + A 64-bit kernel is required for the memory sealing feature.
> > + No specific hardware features from the CPU are needed.
> > +
> > + To enable this feature, the architecture needs to update their
> > + special mappings calls to include the sealing flag and confirm
> > + that it doesn't unmap/remap system mappings during the life
> > + time of the process. After the architecture enables this, a
> > + distribution can set CONFIG_MSEAL_SYSTEM_MAPPING to manage acce= ss
> > + to the feature.
>
> Architectures also need to be confirmed not to require any form of VDSO
> relocation, which as discussed in previous series some arches appear to
> need to do. I'd mention that here.
>

This might need clarification, the system mapping includes vdso, right?
Why the focus on vdso?

The sentence "... it doesn't unmap/remap system mappings during the
lifetime of the process." already covers what you want here, I think.

> > +
> > + For complete descriptions of memory sealing, please see
> > + Documentation/userspace-api/mseal.rst
> > +
> > config HAVE_PERF_EVENTS
> > bool
> > help
> > diff --git a/security/Kconfig b/security/Kconfig
> > index f10dbf15c294..15a86a952910 100644
> > --- a/security/Kconfig
> > +++ b/security/Kconfig
> > @@ -51,6 +51,24 @@ config PROC_MEM_NO_FORCE
> >
> > endchoice
> >
> > +config MSEAL_SYSTEM_MAPPINGS
> > + bool "mseal system mappings"
> > + depends on 64BIT
> > + depends on ARCH_HAS_MSEAL_SYSTEM_MAPPINGS
> > + depends on !CHECKPOINT_RESTORE
> > + help
> > + Seal system mappings such as vdso, vvar, sigpage, uprobes, etc.
>
> Let's be specific here, 'etc.' could mean _anything_. Also you aren't
> sealing most of this, let's just list what you are _actually_ sealing
> here. Which is AFAIK VDSO only?
>

I will remove "etc" and list all the mappings.

Those mappings are:
vdso, vvar, vvar_vclock, vectors (arm compact-mode) and sigpage (arm
compact-mode), uprobe.

We seal all system mappings that x86-64 and arm64 have.

> You can update this later as time goes on if/when you expand this.
>
> > +
> > + A 64-bit kernel is required for the memory sealing feature.
> > + No specific hardware features from the CPU are needed.
> > +
> > + Note: CHECKPOINT_RESTORE, UML, gVisor, rr are known to relocate= or
> > + unmap system mapping, therefore this config can't be enabled
> > + universally.
>
> Thanks for putting this here, appreciate it!
>
> Could we tweak this though? I'd like to make it crystal clear, so I don't
> think 'note' suffices and this sounds a little too vague.
>
> I think 'warning' is more appropriate here since you're breaking things for
> people who might be unaware. And we need to say this -breaks- programs:
>
> WARNING: This feature breaks programs which rely on relocating or
> unmapping system mappings.
>
> Known broken software at the time of writing includes
> CHECKPOINT_RESTORE, UML, gVisor and rr.
>
> I think this is critical.
>

Sure.
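
Review bot: the help text for ARCH_HAS_MSEAL_SYSTEM_MAPPINGS ends by telling distributions to set CONFIG_MSEAL_SYSTEM_MAPPING, but the option this series adds in security/Kconfig is MSEAL_SYSTEM_MAPPINGS (plural), so a search for the symbol will not find this paragraph; use the exact name. The same paragraph asks architectures to "include the sealing flag" without naming the flag or the call sites it applies to, and splits "life time" across a line break; naming the flag and writing "lifetime" would let an architecture maintainer act on the text without reading the rest of the series.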
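
Review bot: in the MSEAL_SYSTEM_MAPPINGS entry, only one of the four incompatibilities named in the help text is enforced: "depends on !CHECKPOINT_RESTORE" covers the first, while no "depends on" line in this hunk excludes UML, gVisor or rr, so for those the help text is the only safeguard and should state plainly what fails when the option is enabled. The description line "such as vdso, vvar, sigpage, uprobes, etc." leaves the scope of a hardening option open-ended; list exactly the mappings that are sealed. The sentence "A 64-bit kernel is required for the memory sealing feature." restates "depends on 64BIT" and duplicates the text in the arch/Kconfig entry, so it could be dropped from one of the two places.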