|
Message-Id: <20161104144534.14790-1-juerg.haefliger@hpe.com> Date: Fri, 4 Nov 2016 15:45:32 +0100 From: Juerg Haefliger <juerg.haefliger@....com> To: linux-kernel@...r.kernel.org, linux-mm@...ck.org, kernel-hardening@...ts.openwall.com, linux-x86_64@...r.kernel.org Cc: vpk@...columbia.edu, juerg.haefliger@....com Subject: [RFC PATCH v3 0/2] Add support for eXclusive Page Frame Ownership (XPFO) Changes from: v2 -> v3: - Removed 'depends on DEBUG_KERNEL' and 'select DEBUG_TLBFLUSH'. These are left-overs from the original patch and are not required. - Make libata XPFO-aware, i.e., properly handle pages that were unmapped by XPFO. This takes care of the temporary hack in v2 that forced the use of a bounce buffer in block/blk-map.c. v1 -> v2: - Moved the code from arch/x86/mm/ to mm/ since it's (mostly) arch-agnostic. - Moved the config to the generic layer and added ARCH_SUPPORTS_XPFO for x86. - Use page_ext for the additional per-page data. - Removed the clearing of pages. This can be accomplished by using PAGE_POISONING. - Split up the patch into multiple patches. - Fixed additional issues identified by reviewers. This patch series adds support for XPFO which protects against 'ret2dir' kernel attacks. The basic idea is to enforce exclusive ownership of page frames by either the kernel or userspace, unless explicitly requested by the kernel. Whenever a page destined for userspace is allocated, it is unmapped from physmap (removed from the kernel's page table). When such a page is reclaimed from userspace, it is mapped back to physmap. Additional fields in the page_ext struct are used for XPFO housekeeping. Specifically two flags to distinguish user vs. kernel pages and to tag unmapped pages and a reference counter to balance kmap/kunmap operations and a lock to serialize access to the XPFO fields. Known issues/limitations: - Only supports x86-64 (for now) - Only supports 4k pages (for now) - There are most likely some legitimate uses cases where the kernel needs to access userspace which need to be made XPFO-aware - Performance penalty Reference paper by the original patch authors: http://www.cs.columbia.edu/~vpk/papers/ret2dir.sec14.pdf Juerg Haefliger (2): Add support for eXclusive Page Frame Ownership (XPFO) xpfo: Only put previous userspace pages into the hot cache arch/x86/Kconfig | 3 +- arch/x86/mm/init.c | 2 +- drivers/ata/libata-sff.c | 4 +- include/linux/highmem.h | 15 +++- include/linux/page_ext.h | 7 ++ include/linux/xpfo.h | 41 +++++++++ lib/swiotlb.c | 3 +- mm/Makefile | 1 + mm/page_alloc.c | 10 ++- mm/page_ext.c | 4 + mm/xpfo.c | 214 +++++++++++++++++++++++++++++++++++++++++++++++ security/Kconfig | 19 +++++ 12 files changed, 315 insertions(+), 8 deletions(-) create mode 100644 include/linux/xpfo.h create mode 100644 mm/xpfo.c -- 2.10.1
Powered by blists - more mailing lists
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.