From: Jeff Xu <jeffxu@google.com>
To: Dave Hansen <dave.hansen@intel.com>
Cc: "Stephen Röttger" <sroettger@google.com>,
jeffxu@chromium.org, luto@kernel.org, jorgelo@chromium.org,
keescook@chromium.org, groeck@chromium.org, jannh@google.com,
akpm@linux-foundation.org, linux-kernel@vger.kernel.org,
linux-kselftest@vger.kernel.org, linux-mm@kvack.org,
linux-hardening@vger.kernel.org
Subject: Re: [PATCH 0/6] Memory Mapping (VMA) protection using PKU - set 1
Date: Thu, 18 May 2023 13:20:06 -0700 [thread overview]
Message-ID: <CALmYWFuSTc5Q7Hrra8FijE11+Y1KiROa=xCZWL1D3ifthrrDMQ@mail.gmail.com> (raw)
In-Reply-To: <2b14036e-aed8-4212-bc0f-51ec4fe5a5c1@intel.com>
Hello Dave,
Thanks for your email.
On Thu, May 18, 2023 at 8:38 AM Dave Hansen <dave.hansen@intel.com> wrote:
>
> On 5/17/23 16:48, Jeff Xu wrote:
> > However, there are a few challenges I have not yet worked through.
> > First, the code needs to track when the first signaling entry occurs
> > (saving the PKRU register to the thread struct) and when it is last
> > returned (restoring the PKRU register from the thread struct).
>
> Would tracking signal "depth" work in the face of things like siglongjmp?
>
Thank you for your question! I am eager to learn more about this area
and I worry about blind spots. I will investigate and get back to you.
> Taking a step back...
>
> Here's my concern about this whole thing: it's headed down a rabbit hole
> which is *highly* specialized both in the apps that will use it and the
> attacks it will mitigate. It probably *requires* turning off a bunch of
> syscalls (like io_uring) that folks kinda like in general.
>
ChromeOS currently disabled io_uring, but it is not required to do so.
io_uring supports the IORING_OP_MADVICE operation, which calls the
do_madvise() function. This means that io_uring will have the same
pkey checks as the madvice() system call. From that perspective, we
will fully support io_uring for this feature.
> We're balancing that highly specialized mitigation with a feature that
> add new ABI, touches core memory management code and signal handling.
>
The ABI change uses the existing flag field in pkey_alloc() which is
reserved. The implementation is backward compatible with all existing
pkey usages in both kernel and user space. Or do you have other
concerns about ABI in mind ?
Yes, you are right about the risk of touching core mm code. To
minimize the risk, I try to control the scope of the change (it is
about 3 lines in mprotect, more in munmap but really just 3 effective
lines from syscall entry). I added new self-tests in mm to make sure
it doesn't regress in api behavior. I run those tests before and after
my kernel code change to make sure the behavior remains the same, I
tested it on 5.15 and 6.1 and 6.4-rc1. Actually, the testing
discovered a behavior change for mprotect() between 6.1 and 6.4 (not
from this patch, there are refactoring works going on in mm) see this
thread [1]
I hope those steps will help to mitigate the risk.
Agreed on signaling handling is a tough part: what do you think about
the approach (modifying PKRU from saved stack after XSAVE), is there a
blocker ?
> On the x86 side, PKRU is a painfully special snowflake. It's exposed in
> the "XSAVE" ABIs, but not actually managed *with* XSAVE in the kernel.
> This would be making it an even more special snowflake because it would
I admit I'm quite ignorant on XSAVE to understand the above
statement, and how that is related. Could you explain it to me please
? And what is in your mind that might improve the situation ?
> need new altstack ABI and handling.
>
I thought adding protected memory support to signaling handling is an
independent project with its own weight. As Jann Horn points out in
[2]: "we could prevent the attacker from corrupting the signal
context if we can protect the signal stack with a pkey." However,
the kernel will send SIGSEGV when the stack is protected by PKEY, so
there is a benefit to make this work. (Maybe Jann can share some more
thoughts on the benefits)
And I believe we could do this in a way with minimum ABI change, as below:
- allocate PKEY with a new flag (PKEY_ALTSTACK)
- at sigaltstack() call, detect the memory is PKEY_ALTSTACK protected,
(similar as what mprotect does in this patch) and save it along with
stack address/size.
- at signaling handling, use the saved info to fill in PKRU.
The ABI change is similar to PKEY_ENFORCE_API, and there is no
backward compatibility issue.
Will these mentioned help our case ? What do you think ?
(Stephan has more info on gains, as far as I know, V8 engineers have
worked/thought really hard to come to a suitable solution to make
chrome browser safer)
[1] https://lore.kernel.org/linux-mm/20230516165754.pocx4kaagn3yyw3r@revolver/T/
[2] https://docs.google.com/document/d/1OlnJbR5TMoaOAJsf4hHOc-FdTmYK2aDUI7d2hfCZSOo/edit?resourcekey=0-v9UJXONYsnG5PlCBbcYqIw#
Thanks!
Best regards,
-Jeff
next prev parent reply other threads:[~2023-05-18 20:20 UTC|newest]
Thread overview: 42+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-05-15 13:05 jeffxu
2023-05-15 13:05 ` [PATCH 1/6] PKEY: Introduce PKEY_ENFORCE_API flag jeffxu
2023-05-16 23:14 ` Dave Hansen
2023-05-16 23:55 ` Jeff Xu
2023-05-17 11:07 ` Stephen Röttger
2023-05-15 13:05 ` [PATCH 2/6] PKEY: Add arch_check_pkey_enforce_api() jeffxu
2023-05-18 21:43 ` Dave Hansen
2023-05-18 22:51 ` Jeff Xu
2023-05-19 0:00 ` Dave Hansen
2023-05-19 11:22 ` Stephen Röttger
2023-05-15 13:05 ` [PATCH 3/6] PKEY: Apply PKEY_ENFORCE_API to mprotect jeffxu
2023-05-16 20:07 ` Kees Cook
2023-05-16 22:23 ` Jeff Xu
2023-05-16 23:18 ` Dave Hansen
2023-05-16 23:36 ` Jeff Xu
2023-05-17 4:50 ` Jeff Xu
2023-05-15 13:05 ` [PATCH 4/6] PKEY:selftest pkey_enforce_api for mprotect jeffxu
2023-05-15 13:05 ` [PATCH 5/6] KEY: Apply PKEY_ENFORCE_API to munmap jeffxu
2023-05-16 20:06 ` Kees Cook
2023-05-16 22:24 ` Jeff Xu
2023-05-16 23:23 ` Dave Hansen
2023-05-17 0:08 ` Jeff Xu
2023-05-15 13:05 ` [PATCH 6/6] PKEY:selftest pkey_enforce_api for munmap jeffxu
2023-05-15 14:28 ` [PATCH 0/6] Memory Mapping (VMA) protection using PKU - set 1 Dave Hansen
2023-05-15 15:03 ` Stephen Röttger
2023-05-16 7:06 ` Stephen Röttger
2023-05-16 22:41 ` Dave Hansen
2023-05-17 10:51 ` Stephen Röttger
2023-05-17 15:07 ` Dave Hansen
2023-05-17 15:21 ` Jeff Xu
2023-05-17 15:29 ` Dave Hansen
2023-05-17 23:48 ` Jeff Xu
2023-05-18 15:37 ` Dave Hansen
2023-05-18 20:20 ` Jeff Xu [this message]
2023-05-18 21:04 ` Dave Hansen
2023-05-19 11:13 ` Stephen Röttger
2023-05-24 20:15 ` Jeff Xu
2023-05-16 20:08 ` Kees Cook
2023-05-16 22:17 ` Jeff Xu
2023-05-16 22:30 ` Dave Hansen
2023-05-16 23:39 ` Jeff Xu
2023-05-17 10:49 ` Stephen Röttger
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to='CALmYWFuSTc5Q7Hrra8FijE11+Y1KiROa=xCZWL1D3ifthrrDMQ@mail.gmail.com' \
--to=jeffxu@google.com \
--cc=akpm@linux-foundation.org \
--cc=dave.hansen@intel.com \
--cc=groeck@chromium.org \
--cc=jannh@google.com \
--cc=jeffxu@chromium.org \
--cc=jorgelo@chromium.org \
--cc=keescook@chromium.org \
--cc=linux-hardening@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-kselftest@vger.kernel.org \
--cc=linux-mm@kvack.org \
--cc=luto@kernel.org \
--cc=sroettger@google.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox