Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-Id: <20190131192533.34130-1-thgarnie@chromium.org>
Date: Thu, 31 Jan 2019 11:24:07 -0800
From: Thomas Garnier <thgarnie@...omium.org>
To: kernel-hardening@...ts.openwall.com
Cc: kristen@...ux.intel.com,
	Thomas Gleixner <tglx@...utronix.de>,
	Ingo Molnar <mingo@...hat.com>,
	Borislav Petkov <bp@...en8.de>,
	"H. Peter Anvin" <hpa@...or.com>,
	x86@...nel.org,
	Jonathan Corbet <corbet@....net>,
	Masahiro Yamada <yamada.masahiro@...ionext.com>,
	Michal Marek <michal.lkml@...kovi.net>,
	Herbert Xu <herbert@...dor.apana.org.au>,
	"David S. Miller" <davem@...emloft.net>,
	Andy Lutomirski <luto@...nel.org>,
	Paolo Bonzini <pbonzini@...hat.com>,
	Radim Krčmář <rkrcmar@...hat.com>,
	Juergen Gross <jgross@...e.com>,
	Alok Kataria <akataria@...are.com>,
	Dennis Zhou <dennis@...nel.org>,
	Tejun Heo <tj@...nel.org>,
	Christoph Lameter <cl@...ux.com>,
	"Rafael J. Wysocki" <rjw@...ysocki.net>,
	Len Brown <len.brown@...el.com>,
	Pavel Machek <pavel@....cz>,
	Steven Rostedt <rostedt@...dmis.org>,
	Joerg Roedel <joro@...tes.org>,
	Dave Hansen <dave.hansen@...ux.intel.com>,
	Peter Zijlstra <peterz@...radead.org>,
	Boris Ostrovsky <boris.ostrovsky@...cle.com>,
	Stefano Stabellini <sstabellini@...nel.org>,
	Luis Chamberlain <mcgrof@...nel.org>,
	Greg Kroah-Hartman <gregkh@...uxfoundation.org>,
	Arnd Bergmann <arnd@...db.de>,
	Luc Van Oostenryck <luc.vanoostenryck@...il.com>,
	Jason Baron <jbaron@...mai.com>,
	"Kirill A. Shutemov" <kirill.shutemov@...ux.intel.com>,
	Kees Cook <keescook@...omium.org>,
	Andrey Ryabinin <aryabinin@...tuozzo.com>,
	Thomas Garnier <thgarnie@...gle.com>,
	Baoquan He <bhe@...hat.com>,
	Alexander Popov <alex.popov@...ux.com>,
	Jordan Borgner <mail@...dan-borgner.de>,
	Nathan Chancellor <natechancellor@...il.com>,
	Cao jin <caoj.fnst@...fujitsu.com>,
	"H.J. Lu" <hjl.tools@...il.com>,
	Alexey Dobriyan <adobriyan@...il.com>,
	Nadav Amit <namit@...are.com>,
	Yonghong Song <yhs@...com>,
	Nick Desaulniers <ndesaulniers@...gle.com>,
	Arnaldo Carvalho de Melo <acme@...hat.com>,
	Jann Horn <jannh@...gle.com>,
	Ard Biesheuvel <ard.biesheuvel@...aro.org>,
	Andrew Morton <akpm@...ux-foundation.org>,
	Andi Kleen <ak@...ux.intel.com>,
	Francis Deslauriers <francis.deslauriers@...icios.com>,
	Masami Hiramatsu <mhiramat@...nel.org>,
	Mimi Zohar <zohar@...ux.ibm.com>,
	Nayna Jain <nayna@...ux.ibm.com>,
	Michael Ellerman <mpe@...erman.id.au>,
	Jan Kiszka <jan.kiszka@...mens.com>,
	Jia Zhang <qianyue.zj@...baba-inc.com>,
	Konrad Rzeszutek Wilk <konrad.wilk@...cle.com>,
	Brijesh Singh <brijesh.singh@....com>,
	Jan Beulich <JBeulich@...e.com>,
	Tim Chen <tim.c.chen@...ux.intel.com>,
	Mike Rapoport <rppt@...ux.vnet.ibm.com>,
	Michal Hocko <mhocko@...e.com>,
	Stephen Rothwell <sfr@...b.auug.org.au>,
	Rafael Ávila de Espíndola <rafael@...indo.la>,
	Mathieu Desnoyers <mathieu.desnoyers@...icios.com>,
	Nicholas Piggin <npiggin@...il.com>,
	Adrian Hunter <adrian.hunter@...el.com>,
	Song Liu <songliubraving@...com>,
	Alexander Shishkin <alexander.shishkin@...ux.intel.com>,
	Michael Forney <forney@...gle.com>,
	Palmer Dabbelt <palmer@...ive.com>,
	James Hogan <jhogan@...nel.org>,
	Joe Lawrence <joe.lawrence@...hat.com>,
	nixiaoming <nixiaoming@...wei.com>,
	linux-kernel@...r.kernel.org,
	linux-doc@...r.kernel.org,
	linux-kbuild@...r.kernel.org,
	linux-crypto@...r.kernel.org,
	kvm@...r.kernel.org,
	virtualization@...ts.linux-foundation.org,
	linux-pm@...r.kernel.org,
	xen-devel@...ts.xenproject.org,
	linux-arch@...r.kernel.org,
	linux-sparse@...r.kernel.org
Subject: [PATCH v6 00/27] x86: PIE support and option to extend KASLR randomization

There has been no major concern in the latest iterations. I am interested on
what would be the best way to slowly integrate this patchset upstream.

Changes:
 - patch v6:
   - Rebase on latest changes in jump tables and crypto.
   - Fix wording on couple commits.
   - Revisit checkpatch warnings.
   - Moving to @chromium.org.
 - patch v5:
   - Adapt new crypto modules for PIE.
   - Improve per-cpu commit message.
   - Fix xen 32-bit build error with .quad.
   - Remove extra code for ftrace.
 - patch v4:
   - Simplify early boot by removing global variables.
   - Modify the mcount location script for __mcount_loc intead of the address
     read in the ftrace implementation.
   - Edit commit description to explain better where the kernel can be located.
   - Streamlined the testing done on each patch proposal. Always testing
     hibernation, suspend, ftrace and kprobe to ensure no regressions.
 - patch v3:
   - Update on message to describe longer term PIE goal.
   - Minor change on ftrace if condition.
   - Changed code using xchgq.
 - patch v2:
   - Adapt patch to work post KPTI and compiler changes
   - Redo all performance testing with latest configs and compilers
   - Simplify mov macro on PIE (MOVABS now)
   - Reduce GOT footprint
 - patch v1:
   - Simplify ftrace implementation.
   - Use gcc mstack-protector-guard-reg=%gs with PIE when possible.
 - rfc v3:
   - Use --emit-relocs instead of -pie to reduce dynamic relocation space on
     mapped memory. It also simplifies the relocation process.
   - Move the start the module section next to the kernel. Remove the need for
     -mcmodel=large on modules. Extends module space from 1 to 2G maximum.
   - Support for XEN PVH as 32-bit relocations can be ignored with
     --emit-relocs.
   - Support for GOT relocations previously done automatically with -pie.
   - Remove need for dynamic PLT in modules.
   - Support dymamic GOT for modules.
 - rfc v2:
   - Add support for global stack cookie while compiler default to fs without
     mcmodel=kernel
   - Change patch 7 to correctly jump out of the identity mapping on kexec load
     preserve.

These patches make the changes necessary to build the kernel as Position
Independent Executable (PIE) on x86_64. A PIE kernel can be relocated below
the top 2G of the virtual address space. It allows to optionally extend the
KASLR randomization range from 1G to 3G. The chosen range is the one currently
available, future changes will allow the kernel module to have a wider
randomization range.

Thanks a lot to Ard Biesheuvel & Kees Cook on their feedback on compiler
changes, PIE support and KASLR in general. Thanks to Roland McGrath on his
feedback for using -pie versus --emit-relocs and details on compiler code
generation.

The patches:
 - 1-2, 4-13, 18-19: Change in assembly code to be PIE compliant.
 - 3: Add a new _ASM_MOVABS macro to fetch a symbol address generically.
 - 14: Adapt percpu design to work correctly when PIE is enabled.
 - 15: Provide an option to default visibility to hidden except for key symbols.
       It removes errors between compilation units.
 - 16: Add PROVIDE_HIDDEN replacement on the linker script for weak symbols to
       reduce GOT footprint.
 - 17: Adapt relocation tool to handle PIE binary correctly.
 - 20: Add support for global cookie.
 - 21: Support ftrace with PIE (used on Ubuntu config).
 - 22: Add option to move the module section just after the kernel.
 - 23: Adapt module loading to support PIE with dynamic GOT.
 - 24: Make the GOT read-only.
 - 25: Add the CONFIG_X86_PIE option (off by default).
 - 26: Adapt relocation tool to generate a 64-bit relocation table.
 - 27: Add the CONFIG_RANDOMIZE_BASE_LARGE option to increase relocation range
       from 1G to 3G (off by default).

Performance/Size impact:

Size of vmlinux (Default configuration):
 File size:
 - PIE disabled: +0.18%
 - PIE enabled: -1.977% (less relocations)
 .text section:
 - PIE disabled: same
 - PIE enabled: same

Size of vmlinux (Ubuntu configuration):
 File size:
 - PIE disabled: +0.21%
 - PIE enabled: +10%
 .text section:
 - PIE disabled: same
 - PIE enabled: +0.001%

The size increase is mainly due to not having access to the 32-bit signed
relocation that can be used with mcmodel=kernel. A small part is due to reduced
optimization for PIE code. This bug [1] was opened with gcc to provide a better
code generation for kernel PIE.

Hackbench (50% and 1600% on thread/process for pipe/sockets):
 - PIE disabled: no significant change (avg -/+ 0.5% on latest test).
 - PIE enabled: between -1% to +1% in average (default and Ubuntu config).

Kernbench (average of 10 Half and Optimal runs):
 Elapsed Time:
 - PIE disabled: no significant change (avg -0.5%)
 - PIE enabled: average -0.5% to +0.5%
 System Time:
 - PIE disabled: no significant change (avg -0.1%)
 - PIE enabled: average -0.4% to +0.4%.

[1] https://gcc.gnu.org/bugzilla/show_bug.cgi?id=82303

diffstat:
 Documentation/x86/x86_64/mm.txt              |    3 
 Makefile                                     |    3 
 arch/x86/Kconfig                             |   45 ++++++
 arch/x86/Makefile                            |   58 ++++++++
 arch/x86/boot/boot.h                         |    2 
 arch/x86/boot/compressed/Makefile            |    5 
 arch/x86/boot/compressed/misc.c              |   10 +
 arch/x86/crypto/aegis128-aesni-asm.S         |    6 
 arch/x86/crypto/aegis128l-aesni-asm.S        |    8 -
 arch/x86/crypto/aegis256-aesni-asm.S         |    6 
 arch/x86/crypto/aes-x86_64-asm_64.S          |   45 ++++--
 arch/x86/crypto/aesni-intel_asm.S            |    8 -
 arch/x86/crypto/camellia-aesni-avx-asm_64.S  |   42 +++---
 arch/x86/crypto/camellia-aesni-avx2-asm_64.S |   44 +++---
 arch/x86/crypto/camellia-x86_64-asm_64.S     |    8 -
 arch/x86/crypto/cast5-avx-x86_64-asm_64.S    |   50 ++++---
 arch/x86/crypto/cast6-avx-x86_64-asm_64.S    |   44 +++---
 arch/x86/crypto/des3_ede-asm_64.S            |   96 +++++++++-----
 arch/x86/crypto/ghash-clmulni-intel_asm.S    |    4 
 arch/x86/crypto/glue_helper-asm-avx.S        |    4 
 arch/x86/crypto/glue_helper-asm-avx2.S       |    6 
 arch/x86/crypto/morus1280-avx2-asm.S         |    4 
 arch/x86/crypto/morus1280-sse2-asm.S         |    8 -
 arch/x86/crypto/morus640-sse2-asm.S          |    6 
 arch/x86/crypto/sha256-avx2-asm.S            |   23 ++-
 arch/x86/entry/calling.h                     |    2 
 arch/x86/entry/entry_32.S                    |    3 
 arch/x86/entry/entry_64.S                    |   23 ++-
 arch/x86/include/asm/alternative.h           |    6 
 arch/x86/include/asm/asm.h                   |    1 
 arch/x86/include/asm/jump_label.h            |    8 -
 arch/x86/include/asm/kvm_host.h              |    8 -
 arch/x86/include/asm/module.h                |   11 +
 arch/x86/include/asm/page_64_types.h         |   10 +
 arch/x86/include/asm/paravirt_types.h        |   12 +
 arch/x86/include/asm/percpu.h                |   25 ++-
 arch/x86/include/asm/pgtable_64_types.h      |    6 
 arch/x86/include/asm/pm-trace.h              |    2 
 arch/x86/include/asm/processor.h             |   13 +
 arch/x86/include/asm/sections.h              |    4 
 arch/x86/include/asm/setup.h                 |    2 
 arch/x86/include/asm/stackprotector.h        |   19 ++
 arch/x86/kernel/Makefile                     |    6 
 arch/x86/kernel/acpi/wakeup_64.S             |   31 ++--
 arch/x86/kernel/asm-offsets.c                |    3 
 arch/x86/kernel/asm-offsets_32.c             |    3 
 arch/x86/kernel/asm-offsets_64.c             |    3 
 arch/x86/kernel/cpu/common.c                 |    3 
 arch/x86/kernel/cpu/microcode/core.c         |    4 
 arch/x86/kernel/ftrace.c                     |   51 +++++++
 arch/x86/kernel/head64.c                     |   23 ++-
 arch/x86/kernel/head_32.S                    |    3 
 arch/x86/kernel/head_64.S                    |   31 +++-
 arch/x86/kernel/kvm.c                        |    6 
 arch/x86/kernel/module.c                     |  181 ++++++++++++++++++++++++++-
 arch/x86/kernel/module.lds                   |    3 
 arch/x86/kernel/process.c                    |    5 
 arch/x86/kernel/relocate_kernel_64.S         |    2 
 arch/x86/kernel/setup_percpu.c               |    5 
 arch/x86/kernel/vmlinux.lds.S                |   13 +
 arch/x86/kvm/svm.c                           |    4 
 arch/x86/kvm/vmx/vmx.c                       |    2 
 arch/x86/lib/cmpxchg16b_emu.S                |    8 -
 arch/x86/mm/dump_pagetables.c                |    3 
 arch/x86/platform/pvh/head.S                 |   14 +-
 arch/x86/power/hibernate_asm_64.S            |    4 
 arch/x86/tools/relocs.c                      |  173 +++++++++++++++++++++++--
 arch/x86/tools/relocs.h                      |    4 
 arch/x86/tools/relocs_common.c               |   15 +-
 arch/x86/xen/xen-asm.S                       |   12 -
 arch/x86/xen/xen-head.S                      |   11 -
 drivers/base/firmware_loader/main.c          |    4 
 include/asm-generic/sections.h               |    6 
 include/asm-generic/vmlinux.lds.h            |   12 +
 include/linux/compiler.h                     |    7 +
 init/Kconfig                                 |   16 ++
 kernel/kallsyms.c                            |   16 +-
 kernel/trace/trace.h                         |    4 
 lib/dynamic_debug.c                          |    4 
 scripts/link-vmlinux.sh                      |   14 ++
 scripts/recordmcount.c                       |   78 +++++++----
 81 files changed, 1130 insertions(+), 350 deletions(-)

Patchset is based on next-20190130.


Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.