Message ID | 20250110-asi-rfc-v2-v2-28-8419288bc805@google.com |
---|---|
State | New |
Subject | [PATCH RFC v2 28/29] x86/pti: Disable PTI when ASI is on |
From | Brendan Jackman <jackmanb@google.com> |
Date | Fri, 10 Jan 2025 18:40:54 +0000 |
Series | Address Space Isolation (ASI) |
diff --git a/arch/x86/include/asm/pti.h b/arch/x86/include/asm/pti.h index ab167c96b9ab474b33d778453db0bb550f42b0ac..79b9ba927db9b76ac3cc72cdda6f8b5fc413d352 100644 --- a/arch/x86/include/asm/pti.h +++ b/arch/x86/include/asm/pti.h @@ -3,12 +3,14 @@ #define _ASM_X86_PTI_H #ifndef __ASSEMBLY__ +#include <linux/types.h> + #ifdef CONFIG_MITIGATION_PAGE_TABLE_ISOLATION extern void pti_init(void); -extern void pti_check_boottime_disable(void); +extern void pti_check_boottime_disable(bool asi_enabled); extern void pti_finalize(void); #else -static inline void pti_check_boottime_disable(void) { } +static inline void pti_check_boottime_disable(bool asi_enabled) { } #endif #endif /* __ASSEMBLY__ */ diff --git a/arch/x86/mm/init.c b/arch/x86/mm/init.c index ded3a47f2a9c1f554824d4ad19f3b48bce271274..4ccf6d60705652805342abefc5e71cd00c563207 100644 --- a/arch/x86/mm/init.c +++ b/arch/x86/mm/init.c @@ -754,8 +754,8 @@ void __init init_mem_mapping(void) { unsigned long end; - pti_check_boottime_disable(); asi_check_boottime_disable(); + pti_check_boottime_disable(boot_cpu_has(X86_FEATURE_ASI)); probe_page_size_mask(); setup_pcid(); diff --git a/arch/x86/mm/pti.c b/arch/x86/mm/pti.c index 851ec8f1363a8b389ea4579cc68bf3300a4df27c..b7132080d3c9b6962a0252383190335e171bafa6 100644 --- a/arch/x86/mm/pti.c +++ b/arch/x86/mm/pti.c @@ -76,7 +76,7 @@ static enum pti_mode { PTI_FORCE_ON } pti_mode; -void __init pti_check_boottime_disable(void) +void __init pti_check_boottime_disable(bool asi_enabled) { if (hypervisor_is_type(X86_HYPER_XEN_PV)) { pti_mode = PTI_FORCE_OFF; 
@@ -91,6 +91,18 @@ void __init pti_check_boottime_disable(void) return; } + if (asi_enabled) { + /* + * Having both ASI and PTI enabled is not a totally ridiculous + * thing to do; if you want ASI but you are not confident in the + * sensitivity annotations then it provides useful + * defence-in-depth. But, the implementation doesn't support it. + */ + if (pti_mode != PTI_FORCE_OFF) + pti_print_if_insecure("disabled by ASI"); + return; + } + if (pti_mode == PTI_FORCE_ON) pti_print_if_secure("force enabled on command line.");
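
Review bot: In init_mem_mapping() (arch/x86/mm/init.c), the requirement that asi_check_boottime_disable() runs before pti_check_boottime_disable() is carried only by the new argument, and nothing at the call site states it. A one-line comment above the two calls, saying that the PTI check consumes boot_cpu_has(X86_FEATURE_ASI) and so must follow the ASI check, would make the dependency explicit in the code rather than only in the commit message.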
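
Review bot: In the new asi_enabled branch of pti_check_boottime_disable() (arch/x86/mm/pti.c), the function returns with pti_mode left unchanged, whereas the Xen PV branch at the top of the same function assigns pti_mode = PTI_FORCE_OFF. If anything reads pti_mode afterwards it can still see PTI_FORCE_ON while PTI is in fact off, so consider assigning PTI_FORCE_OFF here as well. The branch also handles an explicit PTI_FORCE_ON exactly like the default mode, with the only notice going through pti_print_if_insecure("disabled by ASI"); a separate message for the forced-on case would tell the user that their command-line request was overridden.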
Now that ASI has support for sandboxing userspace, although userspace now has much more mapped than it would under KPTI, in theory none of that data is important to protect.

Note that one particular impact of this is it makes locally defeating KASLR easier. I don't think this is a great loss given [1] etc.

Why do we pass in an argument instead of just having pti_check_boottime_disable() check boot_cpu_has(X86_FEATURE_ASI)? Just for clarity: I wanted it to be at least _sort of_ visible that it would break if you reordered asi_check_boottime_disable() afterwards.

[1]: https://gruss.cc/files/prefetch.pdf and https://dl.acm.org/doi/pdf/10.1145/3623652.3623669

Signed-off-by: Brendan Jackman <jackmanb@google.com>
---
 arch/x86/include/asm/pti.h |  6 ++++--
 arch/x86/mm/init.c         |  2 +-
 arch/x86/mm/pti.c          | 14 +++++++++++++-
 3 files changed, 18 insertions(+), 4 deletions(-)