Message ID | 20250110-asi-rfc-v2-v2-28-8419288bc805@google.com (mailing list archive) |
---|---|
State | New |
Subject | [PATCH RFC v2 28/29] x86/pti: Disable PTI when ASI is on |
From | Brendan Jackman <jackmanb@google.com> |
Date | Fri, 10 Jan 2025 18:40:54 +0000 |
Series | Address Space Isolation (ASI) |
diff --git a/arch/x86/include/asm/pti.h b/arch/x86/include/asm/pti.h index ab167c96b9ab474b33d778453db0bb550f42b0ac..79b9ba927db9b76ac3cc72cdda6f8b5fc413d352 100644 --- a/arch/x86/include/asm/pti.h +++ b/arch/x86/include/asm/pti.h @@ -3,12 +3,14 @@ #define _ASM_X86_PTI_H #ifndef __ASSEMBLY__ +#include <linux/types.h> + #ifdef CONFIG_MITIGATION_PAGE_TABLE_ISOLATION extern void pti_init(void); -extern void pti_check_boottime_disable(void); +extern void pti_check_boottime_disable(bool asi_enabled); extern void pti_finalize(void); #else -static inline void pti_check_boottime_disable(void) { } +static inline void pti_check_boottime_disable(bool asi_enabled) { } #endif #endif /* __ASSEMBLY__ */ diff --git a/arch/x86/mm/init.c b/arch/x86/mm/init.c index ded3a47f2a9c1f554824d4ad19f3b48bce271274..4ccf6d60705652805342abefc5e71cd00c563207 100644 --- a/arch/x86/mm/init.c +++ b/arch/x86/mm/init.c @@ -754,8 +754,8 @@ void __init init_mem_mapping(void) { unsigned long end; - pti_check_boottime_disable(); asi_check_boottime_disable(); + pti_check_boottime_disable(boot_cpu_has(X86_FEATURE_ASI)); probe_page_size_mask(); setup_pcid(); diff --git a/arch/x86/mm/pti.c b/arch/x86/mm/pti.c index 851ec8f1363a8b389ea4579cc68bf3300a4df27c..b7132080d3c9b6962a0252383190335e171bafa6 100644 --- a/arch/x86/mm/pti.c +++ b/arch/x86/mm/pti.c @@ -76,7 +76,7 @@ static enum pti_mode { PTI_FORCE_ON } pti_mode; -void __init pti_check_boottime_disable(void) +void __init pti_check_boottime_disable(bool asi_enabled) { if (hypervisor_is_type(X86_HYPER_XEN_PV)) { pti_mode = PTI_FORCE_OFF; 
@@ -91,6 +91,18 @@ void __init pti_check_boottime_disable(void) return; } + if (asi_enabled) { + /* + * Having both ASI and PTI enabled is not a totally ridiculous + * thing to do; if you want ASI but you are not confident in the + * sensitivity annotations then it provides useful + * defence-in-depth. But, the implementation doesn't support it. + */ + if (pti_mode != PTI_FORCE_OFF) + pti_print_if_insecure("disabled by ASI"); + return; + } + if (pti_mode == PTI_FORCE_ON) pti_print_if_secure("force enabled on command line.");
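Review bot: In the arch/x86/mm/init.c hunk, the ordering requirement in init_mem_mapping() is carried only by the argument expression: nothing at the call site says that asi_check_boottime_disable() has to run before pti_check_boottime_disable(boot_cpu_has(X86_FEATURE_ASI)). The commit message itself says the parameter makes the dependency only "sort of" visible, so a short comment above the two calls stating that the ASI boot-time check must come first, because the PTI decision reads its result, would make the constraint explicit for anyone who later reorders this function. A one-line description of asi_enabled next to the prototype in pti.h would help for the same reason.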
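Review bot: In the second arch/x86/mm/pti.c hunk, the new asi_enabled block returns before the pti_mode == PTI_FORCE_ON branch, so a PTI setting that was force enabled on the command line is overridden by ASI, and the only notice is pti_print_if_insecure("disabled by ASI"), which by its name is emitted only in the insecure case. The added comment already acknowledges that running both is reasonable defence-in-depth, so an explicit request for PTI being dropped deserves to be visible: consider handling PTI_FORCE_ON separately inside this block with an unconditional warning that the forced setting was ignored because ASI is enabled, and documenting that precedence next to the command-line option.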
Now that ASI has support for sandboxing userspace, although userspace now has much more mapped than it would under KPTI, in theory none of that data is important to protect.

Note that one particular impact of this is it makes locally defeating KASLR easier. I don't think this is a great loss given [1] etc.

Why do we pass in an argument instead of just having pti_check_boottime_disable() check boot_cpu_has(X86_FEATURE_ASI)? Just for clarity: I wanted it to be at least _sort of_ visible that it would break if you reordered asi_check_boottime_disable() afterwards.

[1]: https://gruss.cc/files/prefetch.pdf and https://dl.acm.org/doi/pdf/10.1145/3623652.3623669

Signed-off-by: Brendan Jackman <jackmanb@google.com>
---
 arch/x86/include/asm/pti.h |  6 ++++--
 arch/x86/mm/init.c         |  2 +-
 arch/x86/mm/pti.c          | 14 +++++++++++++-
 3 files changed, 18 insertions(+), 4 deletions(-)