Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <20160914104732.GE14330@leverpostej>
Date: Wed, 14 Sep 2016 11:48:01 +0100
From: Mark Rutland <mark.rutland@....com>
To: Ard Biesheuvel <ard.biesheuvel@...aro.org>
Cc: Kees Cook <keescook@...omium.org>, kernel-hardening@...ts.openwall.com,
	Catalin Marinas <catalin.marinas@....com>,
	Will Deacon <will.deacon@....com>,
	AKASHI Takahiro <takahiro.akashi@...aro.org>,
	James Morse <james.morse@....com>,
	"linux-arm-kernel@...ts.infradead.org" <linux-arm-kernel@...ts.infradead.org>
Subject: Re: [PATCH v3 0/7] arm64: Privileged Access Never using TTBR0_EL1
 switching

On Wed, Sep 14, 2016 at 11:36:46AM +0100, Mark Rutland wrote:
> On Wed, Sep 14, 2016 at 11:30:05AM +0100, Ard Biesheuvel wrote:
> > On 14 September 2016 at 11:27, Mark Rutland <mark.rutland@....com> wrote:
> > > On Wed, Sep 14, 2016 at 11:13:33AM +0100, Ard Biesheuvel wrote:
> > >> On 13 September 2016 at 18:46, Catalin Marinas <catalin.marinas@....com> wrote:
> > >> > This is the third version of the arm64 PAN emulation using TTBR0_EL1
> > >> > switching.
> > >
> > >> Given that every __get_user() call now incurs the PAN switch overhead,
> > >> I wonder if it would be worth it to stash the real TTBR0_EL1 value in,
> > >> e.g., TPIDRRO_EL0 rather than load it from memory each time. We'd have
> > >> to reload the real value of TPIDRRO_EL0 at kernel exit every time, but
> > >> only for compat tasks, and not nearly as often, obviously.
> > >
> > > FWIW, my plan for vmap'd stacks involves clobbering TPIDRRO_EL0 early
> > > upon kernel entry to reliably detect/handle stack overflow (as we need
> > > to free up GPR to detect overflow, and we need to detect that before we
> > > try to store to the stack).
> > >
> > > For non-compat tasks we must restore zero, so either way we'll end up
> > > with a load (to determine compat-ness or to load the precise value).
> > 
> > Are you saying that with vmapped stacks, we'll end up clobbering it
> > (and thus restoring it) anyway when entering the kernel, and so we
> > could use it for free afterwards while running in the kernel,
> > potentially for the real value of TTBR0_EL1?
> 
> Yes, assuming that we end up following my current plan for how to
> implement that.

Actually, after thinknig for more than a picosecond, no we can't.

We need to be able to clbober it on EL1 -> EL1 exceptions, to catch
kernel stack overflow.

So if anything, the two approaches are mutually exclusive, unless we
restore the stashed TTBR0 value back into TPIDRRO_EL0 before returning
from EL1 -> EL1.

/me fetches some more coffee.

Thanks,
Mark.

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.