mbox series

[00/26] Address Space Isolation (ASI) 2024

Message ID 20240712-asi-rfc-24-v1-0-144b319a40d8@google.com (mailing list archive)
Headers show
Series Address Space Isolation (ASI) 2024 | expand

Message

Brendan Jackman July 12, 2024, 5 p.m. UTC
Overview
========
This RFC demonstrates an implementation of Address Space Isolation
(ASI), similar to Junaid Shahid’s proposal from 2022 [1].

Until now, mitigating hardware vulnerabilities has required one or both
of:

- Highly custom mitigations being developed under pressure for every
  specific exploit,
- Prohibitive performance penalties.

ASI is an attempt to improve both of these points by providing a single
technique that mitigates a very broad class of vulnerabilities while
still achieving a tolerable performance overhead.

The basic idea is to run the kernel in a “restricted address space”,
where any page that could contain “sensitive” data is unmapped. When the
kernel needs to access such data, a page fault occurs, in which we
switch back to the normal (“unrestricted”) address space and perform
vulnerability mitigations. Before returning to potentially malicious
code (VM guest/userspace) we transition back into the restricted address
space and get a chance to perform additional mitigations. Thus, we only
pay the cost of security mitigations for kernel entries (such as VM
Exit) that actually access sensitive data. If we can arrange for these
accesses to be infrequent, it becomes viable to perform aggressive
mitigations on address space transitions. For example, in this RFC we
attempt to obliterate indirect branch predictor training, without
needing to concern ourselves too much with microarchitectural details of
specific exploits. My talk at LSF/MM/BPF this year [2] has some
additional conceptual introduction with diagrams etc, plus some more
detailed discussion of the strategic pros and cons of ASI. Junaid’s RFC
cover letter [1] has some additional discussion too, I won’t rehash it
in detail.

Like Junaid’s RFC, this only implements ASI for protecting against
malicious KVM guests; this is a somewhat simpler use-case to start with.
However, ASI is written as a framework so that we can later use it to
sandbox bare metal processes too. Work has begun on prototyping this but
we don’t have a working implementation yet.

Rough structure of this series:

- 01-14: Establish ASI infrastructure, e.g. for manipulating pagetables,
  performing address space transitions.
- 15-19: Map data into the restricted address space.
- 20-23: Finalize a functionality correct ASI for KVM. 
- 24-26: Switch it on and demonstrate actual vuln mitigation.

What’s new in this RFC?
=======================
Since Junaid’s initial efforts, Google has steadily invested more and
more deeply towards ASI as a keystone of hardware security. This RFC is
basically the same system that Junaid presented, but I’ve done my best
to shrink it as much as possible. So, this is really just enough to
demonstrate ASI working end-to-end.

The most radical simplifications are the removal of “local nonsensitive”
memory (see [1] for explanation) and the removal of all of the
TLB-flushing smarts. Those will be implemented later as an enhancement.

What’s needed to make this a PATCH?
===================================

.:: Major problems

Aside from general missing features and performance issues there are two
major problems with this patchset:

 1. It adds a page flag.

 2. It creates artificial OOM conditions.

See “mm: asi: Map non-user buddy allocations as nonsensitive” for
details of both problems.

I hope to solve these with a more intrusive but less hacky integration
into the buddy allocator. This was discussed at LSF/MM/BPF [2], I won’t
go into detail here, I just failed to get a prototype ready in time for
this RFC. I’ll need to have one ready before I can reasonably ask to
merge anything. It remains an open question if we can find a way to
merge a minimal ASI without that complex integration, without creating
technical debt such as a page flag.

.:: Configuration

As well as the above, I think it needs a cleaner idea of how ASI should
be configured. In this RFC, it’s enabled by setting asi=on on the kernel
command-line, and has barely any interaction with bugs.c. ASI does not
trivially fit into the existing configuration mechanism:

  a. Existing mitigations are generally configured per-vuln, while ASI
  is not a per-vuln mitigation.

  b. ASI will never be strictly equivalent to any other mitigation
  configuration (because it deliberately drops protection for at least
  some memory), so making it the default represents a moderately bold
  policy decision.

ASI also warrants configuration beyond on/off: In general because it
provides a way to avoid paying mitigation cost most of the time, in my
opinion ASI is best used in a mode that mitigates exploits beyond those
that are currently known to be possible on a given platform. For
example, in this RFC we attempt to obliterate _all_ indirect branch
predictor training before leaving the restricted address space, even on
platforms where no practical exploit is known to necessitate this. But I
expect many users to reject this philosophy, and the kernel ought to
support a different policy.

Input on this topic would be appreciated - even if it feels like
bikeshedding, I think it’s likely to provoke more interesting discussion
as a side effect. Otherwise I’ll just come up with _something_ and we
can discuss more at [PATCH] time. Perhaps a simple starting point would
be “mitigations=asi”.

.:: Minor issues

- KVM’s rseq_test fails with asi=on. I think this is “just” a
  performance problem; KVM rseq logic is known to trigger ASI
  transitions without additional optimisations that will be explored for
  a later series.

- fill_return_buffer() causes an “unreachable instruction” objtool
  warning. I haven’t investigated this.

- Some BUGs that should probably not crash the kernel.

What is “sensitive memory”?
===========================

ASI is fundamentally creating a new security boundary. So, where does
the boundary go? In other words, what gets mapped into the restricted
address space?

This is determined at allocation time. In this RFC, there is a new
__GFP_SENSITIVE flag (currently only supported for buddy allocations,
not slab), and everything else is considered non-sensitive. This
default-nonsensitive approach is known as a “denylist” model. By simply
adding __GFP_SENSITIVE to GFP_USER, we can already deliver significant
protection from real-world attacks, while already being within reach of
pretty high performance results (more on this later). 

However, it’s obviously not the case that all data worth leaking is
always in GFP_USER pages. There are two ways to respond to this problem:

1. Expand the denylist, i.e. try to set __GFP_SENSITIVE for all memory
   that can contain secrets.

2. Switch to an “allowlist” model where sensitive is the default. Then
   our job would instead be to set __GFP_NONSENSITIVE wherever we can
   determine it’s safe and worthwhile for performance.

Option 2 clearly puts us in a stronger security posture, but it has the
major disadvantage of risking unpredictable performance impacts: since
ASI transitions are costly, a random system change that causes new pages
to start being touched by the kernel is much more likely to create
sudden, hard-to-diagnose performance degradations. This makes switching
ASI on in production a much scarier proposition.

Opinions at LSF/MM/BPF were surprisingly relaxed about this topic. So if
possible I’d like to prefer option 1, and focus on getting Linux as soon
as possible to a version of ASI that’s viable to run in production, and
from there iterate towards stronger security guarantees. However,
discussion is welcome.

Performance
===========

I’m a little embarrassed that I don’t have performance data with this
RFC, progress on getting this data has been painful so I decided to just
get discussion started on the implementation, and I hope to follow up
soon with data. Since the initial patchset I’ll be proposing to merge
will be minimal (something similar in scope to this RFC), we should
expect it to perform badly. So, I’ll need to put together a
forward-looking branch that includes that patchset plus additional
features from future patchsets, so that we can prove that good
performance is achievable longer-term.

Google’s internal version of ASI shows less than 5% degradation on all
end-to-end performance metrics, less than 1% is common. However for some
workloads this has required more advanced optimisations than those I
expect to post in the initial upstream branch, so we can expect a worse
degradation in some cases.

The branch that I published for LSF/MM/BPF [2] (not radically different
from this RFC) showed comparable performance to Safe RET for a single-VM
Redis benchmark (<5%), although this was not a rigorous analysis. See
[5] for a graph showing that ASI performs dramatically better than a
comparable blanket mitigation (IBPB on VM Exit).

I’m planning to try and run either the VM-supported workloads from
mmtests [3], or some set of workloads from PerfKit Benchmarker [4],
whichever turns out to be easiest. I’ll compare ASI against
mitigations=off and one or two example configurations for existing
mitigations. Let me know if you have any specific requests/suggestions
for workloads or baseline-comparisons.

What’s next?
============

This cover letter is getting rather long, but briefly here are some work
items that need to be done for a “complete ASI”, but which I’d like to
defer until infrastructure is already in place in-tree:

- More sensitivity annotations, which will require more allocator
  integrations

- More advanced/flexible mitigations in address space transitions

- Support for sandboxing bare-metal processes

- Avoid address space transitions by expanding the scope of what can be
  run in the restricted address space (e.g. context-switching between
  tasks in the same mm, returning to userspace)

- Deferring TLB flushing and using PCID properly

- Preventing cross-SMT attacks by halting sibling hyperthreads

- Non-x86 support (this isn’t prototyped at all, requires research,
  probably a much longer-term topic).

Acknowledgements
================

Thanks to Alexander Chartre for the initial implementation that inspired
Junaid’s RFC. 

Of course thanks to Junaid Shahid and Ofir Weisse for their fantastic
work on the 2022 RFC and Google’s initial internal implementation.

Reiji Watanabe, Yosry Ahmed and Patrick Bellasi are also major
contributors to this effort from Google (you’ll see them attributed in
commit messages too).

Further thanks to Alexandra Sandulescu and Matteo Rizzo who have
provided security expertise for Google’s deployment. Alexandra is also
working on reliable easy-to-run exploit PoCs (as kernel selftests) which
have helped us to gain confidence that ASI actually mitigates
vulnerabilities.

References
==========
[1] Junaid’s RFC:
    https://lore.kernel.org/all/20220223052223.1202152-1-junaids@google.com/

[2] LSF/MM/BPF: https://www.youtube.com/watch?v=DxaN6X_fdlI
    LWN coverage: https://lwn.net/Articles/974390/
    Code: http://github.com/googleprodkernel/linux-kvm/tree/asi-lsfmmbpf-24

[3] mmtests: https://github.com/gormanm/mmtests

[4] PerfKit Benchmarker: https://github.com/GoogleCloudPlatform/PerfKitBenchmarker

[5] Performance data at LSF/MM/BPF (timestamp link):
    https://youtu.be/DxaN6X_fdlI?t=557

To: Thomas Gleixner <tglx@linutronix.de>
To: Ingo Molnar <mingo@redhat.com>
To: Borislav Petkov <bp@alien8.de>
To: Dave Hansen <dave.hansen@linux.intel.com>
To: H. Peter Anvin <hpa@zytor.com>
To: Andy Lutomirski <luto@kernel.org>
To: "H. Peter Anvin" <hpa@zytor.com>
To: Peter Zijlstra <peterz@infradead.org>

To: Sean Christopherson <seanjc@google.com>
To: Paolo Bonzini <pbonzini@redhat.com>

To: Alexandre Chartre <alexandre.chartre@oracle.com>
To: Liran Alon <liran.alon@oracle.com>
To: Jan Setje-Eilers <jan.setjeeilers@oracle.com>

To: Catalin Marinas <catalin.marinas@arm.com>
To: Will Deacon <will@kernel.org>
To: Mark Rutland <mark.rutland@arm.com>

To: Andrew Morton <akpm@linux-foundation.org>
To: Mel Gorman <mgorman@suse.de>
To: Lorenzo Stoakes <lstoakes@gmail.com>
To: David Hildenbrand <david@redhat.com>
To: Vlastimil Babka <vbabka@suse.cz>
To: Michal Hocko <mhocko@kernel.org>
To: Khalid Aziz <khalid.aziz@oracle.com>

To: Juri Lelli <juri.lelli@redhat.com>
To: Vincent Guittot <vincent.guittot@linaro.org>
To: Dietmar Eggemann <dietmar.eggemann@arm.com>
To: Steven Rostedt <rostedt@goodmis.org>
To: Valentin Schneider <vschneid@redhat.com>

To: Paul Turner <pjt@google.com>
To: Reiji Watanabe <reijiw@google.com>
To: Junaid Shahid <junaids@google.com>
To: Ofir Weisse <oweisse@google.com>
To: Yosry Ahmed <yosryahmed@google.com>
To: Patrick Bellasi <derkling@google.com>
To: KP Singh <kpsingh@google.com>
To: Alexandra Sandulescu <aesa@google.com>
To: Matteo Rizzo <matteorizzo@google.com>
To: Jann Horn <jannh@google.com>

Cc: x86@kernel.org
Cc: linux-kernel@vger.kernel.org
Cc: linux-mm@kvack.org
Cc: kvm@vger.kernel.org

Signed-off-by: Brendan Jackman <jackmanb@google.com>
---
Brendan Jackman (15):
      x86: Create CONFIG_MITIGATION_ADDRESS_SPACE_ISOLATION
      objtool: let some noinstr functions make indirect calls
      mm: asi: Add infrastructure for boot-time enablement
      mm: asi: ASI support in interrupts/exceptions
      mm: asi: Avoid warning from NMI userspace accesses in ASI context
      mm: Add __PAGEFLAG_FALSE
      mm: asi: Map non-user buddy allocations as nonsensitive
      mm: asi: Map kernel text and static data as nonsensitive
      mm: asi: Map vmalloc/vmap data as nonsesnitive
      KVM: x86: asi: Restricted address space for VM execution
      KVM: x86: asi: Stabilize CR3 when potentially accessing with ASI
      mm: asi: Stabilize CR3 in switch_mm_irqs_off()
      mm: asi: Make TLB flushing correct under ASI
      mm: asi: Stop ignoring asi=on cmdline flag
      KVM: x86: asi: Add some mitigations on address space transitions

Junaid Shahid (8):
      mm: asi: Make some utility functions noinstr compatible
      mm: asi: Introduce ASI core API
      mm: asi: Switch to unrestricted address space before a context switch
      mm: asi: Use separate PCIDs for restricted address spaces
      mm: asi: Make __get_current_cr3_fast() ASI-aware
      mm: asi: ASI page table allocation functions
      mm: asi: Functions to map/unmap a memory range into ASI page tables
      mm: asi: Add basic infrastructure for global non-sensitive mappings

Ofir Weisse (1):
      mm: asi: asi_exit() on PF, skip handling if address is accessible

Reiji Watanabe (1):
      mm: asi: Map dynamic percpu memory as nonsensitive

Yosry Ahmed (1):
      percpu: clean up all mappings when pcpu_map_pages() fails

 arch/alpha/include/asm/Kbuild            |   1 +
 arch/arc/include/asm/Kbuild              |   1 +
 arch/arm/include/asm/Kbuild              |   1 +
 arch/arm64/include/asm/Kbuild            |   1 +
 arch/csky/include/asm/Kbuild             |   1 +
 arch/hexagon/include/asm/Kbuild          |   1 +
 arch/loongarch/include/asm/Kbuild        |   1 +
 arch/m68k/include/asm/Kbuild             |   1 +
 arch/microblaze/include/asm/Kbuild       |   1 +
 arch/mips/include/asm/Kbuild             |   1 +
 arch/nios2/include/asm/Kbuild            |   1 +
 arch/openrisc/include/asm/Kbuild         |   1 +
 arch/parisc/include/asm/Kbuild           |   1 +
 arch/powerpc/include/asm/Kbuild          |   1 +
 arch/riscv/include/asm/Kbuild            |   1 +
 arch/s390/include/asm/Kbuild             |   1 +
 arch/sh/include/asm/Kbuild               |   1 +
 arch/sparc/include/asm/Kbuild            |   1 +
 arch/um/include/asm/Kbuild               |   1 +
 arch/x86/Kconfig                         |  27 ++
 arch/x86/include/asm/asi.h               | 267 +++++++++++
 arch/x86/include/asm/cpufeatures.h       |   1 +
 arch/x86/include/asm/disabled-features.h |   8 +-
 arch/x86/include/asm/idtentry.h          |  50 ++-
 arch/x86/include/asm/kvm_host.h          |   5 +
 arch/x86/include/asm/nospec-branch.h     |   2 +
 arch/x86/include/asm/processor.h         |  15 +-
 arch/x86/include/asm/special_insns.h     |   8 +-
 arch/x86/include/asm/tlbflush.h          |   5 +
 arch/x86/kernel/process.c                |   2 +
 arch/x86/kernel/traps.c                  |  22 +
 arch/x86/kvm/svm/svm.c                   |   2 +
 arch/x86/kvm/vmx/nested.c                |   8 +
 arch/x86/kvm/vmx/vmx.c                   | 124 +++--
 arch/x86/kvm/x86.c                       |  60 ++-
 arch/x86/lib/retpoline.S                 |   7 +
 arch/x86/mm/Makefile                     |   1 +
 arch/x86/mm/asi.c                        | 748 +++++++++++++++++++++++++++++++
 arch/x86/mm/fault.c                      | 119 ++++-
 arch/x86/mm/init.c                       |   5 +-
 arch/x86/mm/init_64.c                    |  25 +-
 arch/x86/mm/mm_internal.h                |   3 +
 arch/x86/mm/tlb.c                        | 136 +++++-
 arch/xtensa/include/asm/Kbuild           |   1 +
 include/asm-generic/asi.h                |  84 ++++
 include/asm-generic/vmlinux.lds.h        |  11 +
 include/linux/compiler_types.h           |   8 +
 include/linux/gfp_types.h                |  15 +-
 include/linux/mm_types.h                 |   7 +
 include/linux/page-flags.h               |  16 +
 include/linux/pgtable.h                  |   3 +
 include/trace/events/mmflags.h           |  12 +-
 kernel/fork.c                            |   3 +
 kernel/sched/core.c                      |   3 +
 mm/init-mm.c                             |   4 +
 mm/internal.h                            |   2 +
 mm/page_alloc.c                          | 143 +++++-
 mm/percpu-vm.c                           |  52 ++-
 mm/percpu.c                              |   4 +-
 mm/vmalloc.c                             |  61 ++-
 tools/objtool/check.c                    |  14 +
 tools/perf/builtin-kmem.c                |   1 +
 62 files changed, 1977 insertions(+), 136 deletions(-)
---
base-commit: a38297e3fb012ddfa7ce0321a7e5a8daeb1872b6
change-id: 20240524-asi-rfc-24-2ea47c41352d

Best regards,

Comments

Brendan Jackman July 12, 2024, 5:09 p.m. UTC | #1
Well, off to a good start...

REFLECT MODE:
    The To: and Cc: headers will be fully populated, but the only
    address given to the mail server for actual delivery will be
    Brendan Jackman <jackmanb@google.com>

    Addresses in To: and Cc: headers will NOT receive this series.

Apparently gmail is too clever for this and sent my mail out anyway.
So, some corrections, more probably to come on monday.

On Fri, Jul 12, 2024 at 05:00:18PM +0000, Brendan Jackman wrote:
> Overview
> ========
> This RFC 

Yes, this is an RFC, definitely not a PATCH. Sorry for the bogus
subject...

> Rough structure of this series:
> 
> - 01-14: Establish ASI infrastructure, e.g. for manipulating pagetables,
>   performing address space transitions.
> - 15-19: Map data into the restricted address space.

Actually 15-20

> - 20-23: Finalize a functionality correct ASI for KVM. 

21-24

> - 24-26: Switch it on and demonstrate actual vuln mitigation.

25-26
Brendan Jackman Sept. 11, 2024, 4:37 p.m. UTC | #2
On Fri, 12 Jul 2024 at 19:00, Brendan Jackman <jackmanb@google.com> wrote:
>
> Overview
> ========
> This RFC demonstrates an implementation of Address Space Isolation
> (ASI), similar to Junaid Shahid’s proposal from 2022 [1].

Hi all,

I'll be discussing this series at the x86 MC at LPC next week. I
didn't get any high-level feedback so now would be a great time to
take a look and see if you have any thoughts about the basic
structure.

There are some bugs in this code but for an RFC it's basically
representative enough of what ASI will eventually look like.

In case it piques your interest here is some performance data I've
just gathered:

https://gist.github.com/bjackman/673415ee46fab01aa8d5f6ab1321b5b5