From patchwork Sun Mar 19 00:15:04 2023
X-Patchwork-Submitter: Rick Edgecombe
X-Patchwork-Id: 13180137
From: Rick Edgecombe
To: x86@kernel.org, "H . Peter Anvin", Thomas Gleixner, Ingo Molnar, linux-kernel@vger.kernel.org, linux-doc@vger.kernel.org, linux-mm@kvack.org, linux-arch@vger.kernel.org, linux-api@vger.kernel.org, Arnd Bergmann, Andy Lutomirski, Balbir Singh, Borislav Petkov, Cyrill Gorcunov, Dave Hansen, Eugene Syromiatnikov, Florian Weimer, "H . J . Lu", Jann Horn, Jonathan Corbet, Kees Cook, Mike Kravetz, Nadav Amit, Oleg Nesterov, Pavel Machek, Peter Zijlstra, Randy Dunlap, Weijiang Yang, "Kirill A . Shutemov", John Allen, kcc@google.com, eranian@google.com, rppt@kernel.org, jamorris@linux.microsoft.com, dethoma@microsoft.com, akpm@linux-foundation.org, Andrew.Cooper3@citrix.com, christina.schimpe@intel.com, david@redhat.com, debug@rivosinc.com, szabolcs.nagy@arm.com
Cc: rick.p.edgecombe@intel.com, Yu-cheng Yu
Subject: [PATCH v8 09/40] x86/mm: Remove _PAGE_DIRTY from kernel RO pages
Date: Sat, 18 Mar 2023 17:15:04 -0700
Message-Id: <20230319001535.23210-10-rick.p.edgecombe@intel.com>
In-Reply-To: <20230319001535.23210-1-rick.p.edgecombe@intel.com>
References: <20230319001535.23210-1-rick.p.edgecombe@intel.com>
New processors that support Shadow Stack regard Write=0,Dirty=1 PTEs as
shadow stack pages.

In normal cases, it can be helpful to create Write=1 PTEs as also Dirty=1
if HW dirty tracking is not needed, because if the Dirty bit is not already
set the CPU has to set Dirty=1 when the memory gets written to. This
creates additional work for the CPU.
So traditional wisdom was to simply set the Dirty bit whenever you didn't
care about it. However, it was never really very helpful for read-only
kernel memory.

When CR4.CET=1 and IA32_S_CET.SH_STK_EN=1, some instructions can write to
such supervisor memory. The kernel does not set IA32_S_CET.SH_STK_EN, so
avoiding kernel Write=0,Dirty=1 memory is not strictly needed for any
functional reason. But having Write=0,Dirty=1 kernel memory doesn't have
any functional benefit either, so to reduce ambiguity between shadow stack
and regular Write=0 pages, remove Dirty=1 from any kernel Write=0 PTEs.

Co-developed-by: Yu-cheng Yu
Signed-off-by: Yu-cheng Yu
Signed-off-by: Rick Edgecombe
Reviewed-by: Kees Cook
Acked-by: Mike Rapoport (IBM)
Tested-by: Pengfei Xu
Tested-by: John Allen
Tested-by: Kees Cook
---
v6:
 - Also remove dirty from newly added set_memory_rox()

v5:
 - Spelling and grammar in commit log (Boris)

v3:
 - Update commit log (Andrew Cooper, Peterz)

v2:
 - Normalize PTE bit descriptions between patches
---
 arch/x86/include/asm/pgtable_types.h | 6 +++---
 arch/x86/mm/pat/set_memory.c         | 4 ++--
 2 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/arch/x86/include/asm/pgtable_types.h b/arch/x86/include/asm/pgtable_types.h
index 447d4bee25c4..0646ad00178b 100644
--- a/arch/x86/include/asm/pgtable_types.h
+++ b/arch/x86/include/asm/pgtable_types.h
@@ -192,10 +192,10 @@ enum page_cache_mode {
 #define _KERNPG_TABLE		(__PP|__RW|   0|___A|   0|___D|   0|   0| _ENC)
 #define _PAGE_TABLE_NOENC	(__PP|__RW|_USR|___A|   0|___D|   0|   0)
 #define _PAGE_TABLE		(__PP|__RW|_USR|___A|   0|___D|   0|   0| _ENC)
-#define __PAGE_KERNEL_RO	(__PP|   0|   0|___A|__NX|___D|   0|___G)
-#define __PAGE_KERNEL_ROX	(__PP|   0|   0|___A|   0|___D|   0|___G)
+#define __PAGE_KERNEL_RO	(__PP|   0|   0|___A|__NX|   0|   0|___G)
+#define __PAGE_KERNEL_ROX	(__PP|   0|   0|___A|   0|   0|   0|___G)
 #define __PAGE_KERNEL_NOCACHE	(__PP|__RW|   0|___A|__NX|___D|   0|___G| __NC)
-#define __PAGE_KERNEL_VVAR	(__PP|   0|_USR|___A|__NX|___D|   0|___G)
+#define __PAGE_KERNEL_VVAR	(__PP|   0|_USR|___A|__NX|   0|   0|___G)
 #define __PAGE_KERNEL_LARGE	(__PP|__RW|   0|___A|__NX|___D|_PSE|___G)
 #define __PAGE_KERNEL_LARGE_EXEC (__PP|__RW|   0|___A|   0|___D|_PSE|___G)
 #define __PAGE_KERNEL_WP	(__PP|__RW|   0|___A|__NX|___D|   0|___G| __WP)

diff --git a/arch/x86/mm/pat/set_memory.c b/arch/x86/mm/pat/set_memory.c
index 356758b7d4b4..1b5c0dc9f32b 100644
--- a/arch/x86/mm/pat/set_memory.c
+++ b/arch/x86/mm/pat/set_memory.c
@@ -2073,12 +2073,12 @@ int set_memory_nx(unsigned long addr, int numpages)
 
 int set_memory_ro(unsigned long addr, int numpages)
 {
-	return change_page_attr_clear(&addr, numpages, __pgprot(_PAGE_RW), 0);
+	return change_page_attr_clear(&addr, numpages, __pgprot(_PAGE_RW | _PAGE_DIRTY), 0);
 }
 
 int set_memory_rox(unsigned long addr, int numpages)
 {
-	pgprot_t clr = __pgprot(_PAGE_RW);
+	pgprot_t clr = __pgprot(_PAGE_RW | _PAGE_DIRTY);
 
 	if (__supported_pte_mask & _PAGE_NX)
 		clr.pgprot |= _PAGE_NX;