2019-05-29 22:18:09 +08:00
|
|
|
// SPDX-License-Identifier: GPL-2.0-only
|
2017-12-04 22:07:36 +08:00
|
|
|
/*
|
|
|
|
* Copyright(c) 2017 Intel Corporation. All rights reserved.
|
|
|
|
*
|
|
|
|
* This code is based in part on work published here:
|
|
|
|
*
|
|
|
|
* https://github.com/IAIK/KAISER
|
|
|
|
*
|
|
|
|
* The original work was written by and and signed off by for the Linux
|
|
|
|
* kernel by:
|
|
|
|
*
|
|
|
|
* Signed-off-by: Richard Fellner <richard.fellner@student.tugraz.at>
|
|
|
|
* Signed-off-by: Moritz Lipp <moritz.lipp@iaik.tugraz.at>
|
|
|
|
* Signed-off-by: Daniel Gruss <daniel.gruss@iaik.tugraz.at>
|
|
|
|
* Signed-off-by: Michael Schwarz <michael.schwarz@iaik.tugraz.at>
|
|
|
|
*
|
|
|
|
* Major changes to the original code by: Dave Hansen <dave.hansen@intel.com>
|
|
|
|
* Mostly rewritten by Thomas Gleixner <tglx@linutronix.de> and
|
|
|
|
* Andy Lutomirsky <luto@amacapital.net>
|
|
|
|
*/
|
|
|
|
#include <linux/kernel.h>
|
|
|
|
#include <linux/errno.h>
|
|
|
|
#include <linux/string.h>
|
|
|
|
#include <linux/types.h>
|
|
|
|
#include <linux/bug.h>
|
|
|
|
#include <linux/init.h>
|
|
|
|
#include <linux/spinlock.h>
|
|
|
|
#include <linux/mm.h>
|
|
|
|
#include <linux/uaccess.h>
|
2019-04-13 04:39:29 +08:00
|
|
|
#include <linux/cpu.h>
|
2017-12-04 22:07:36 +08:00
|
|
|
|
|
|
|
#include <asm/cpufeature.h>
|
|
|
|
#include <asm/hypervisor.h>
|
2017-12-12 23:56:42 +08:00
|
|
|
#include <asm/vsyscall.h>
|
2017-12-04 22:07:36 +08:00
|
|
|
#include <asm/cmdline.h>
|
|
|
|
#include <asm/pti.h>
|
|
|
|
#include <asm/tlbflush.h>
|
|
|
|
#include <asm/desc.h>
|
2018-07-29 18:15:33 +08:00
|
|
|
#include <asm/sections.h>
|
2020-03-27 18:26:06 +08:00
|
|
|
#include <asm/set_memory.h>
|
2017-12-04 22:07:36 +08:00
|
|
|
|
|
|
|
#undef pr_fmt
|
|
|
|
#define pr_fmt(fmt) "Kernel/User page tables isolation: " fmt
|
|
|
|
|
2017-12-04 22:07:42 +08:00
|
|
|
/* Backporting helper */
|
|
|
|
#ifndef __GFP_NOTRACK
|
|
|
|
#define __GFP_NOTRACK 0
|
|
|
|
#endif
|
|
|
|
|
2018-08-07 18:24:31 +08:00
|
|
|
/*
|
|
|
|
* Define the page-table levels we clone for user-space on 32
|
|
|
|
* and 64 bit.
|
|
|
|
*/
|
|
|
|
#ifdef CONFIG_X86_64
|
|
|
|
#define PTI_LEVEL_KERNEL_IMAGE PTI_CLONE_PMD
|
|
|
|
#else
|
|
|
|
#define PTI_LEVEL_KERNEL_IMAGE PTI_CLONE_PTE
|
|
|
|
#endif
|
|
|
|
|
2017-12-04 22:07:36 +08:00
|
|
|
static void __init pti_print_if_insecure(const char *reason)
|
|
|
|
{
|
2018-01-05 22:27:34 +08:00
|
|
|
if (boot_cpu_has_bug(X86_BUG_CPU_MELTDOWN))
|
2017-12-04 22:07:36 +08:00
|
|
|
pr_info("%s\n", reason);
|
|
|
|
}
|
|
|
|
|
2017-12-12 21:39:52 +08:00
|
|
|
static void __init pti_print_if_secure(const char *reason)
|
|
|
|
{
|
2018-01-05 22:27:34 +08:00
|
|
|
if (!boot_cpu_has_bug(X86_BUG_CPU_MELTDOWN))
|
2017-12-12 21:39:52 +08:00
|
|
|
pr_info("%s\n", reason);
|
|
|
|
}
|
|
|
|
|
2019-03-12 15:47:53 +08:00
|
|
|
static enum pti_mode {
|
2018-04-07 04:55:18 +08:00
|
|
|
PTI_AUTO = 0,
|
|
|
|
PTI_FORCE_OFF,
|
|
|
|
PTI_FORCE_ON
|
|
|
|
} pti_mode;
|
|
|
|
|
2017-12-04 22:07:36 +08:00
|
|
|
void __init pti_check_boottime_disable(void)
|
|
|
|
{
|
2017-12-12 21:39:52 +08:00
|
|
|
char arg[5];
|
|
|
|
int ret;
|
|
|
|
|
2018-04-07 04:55:18 +08:00
|
|
|
/* Assume mode is auto unless overridden. */
|
|
|
|
pti_mode = PTI_AUTO;
|
|
|
|
|
2017-12-04 22:07:36 +08:00
|
|
|
if (hypervisor_is_type(X86_HYPER_XEN_PV)) {
|
2018-04-07 04:55:18 +08:00
|
|
|
pti_mode = PTI_FORCE_OFF;
|
2017-12-04 22:07:36 +08:00
|
|
|
pti_print_if_insecure("disabled on XEN PV.");
|
|
|
|
return;
|
|
|
|
}
|
|
|
|
|
2017-12-12 21:39:52 +08:00
|
|
|
ret = cmdline_find_option(boot_command_line, "pti", arg, sizeof(arg));
|
|
|
|
if (ret > 0) {
|
|
|
|
if (ret == 3 && !strncmp(arg, "off", 3)) {
|
2018-04-07 04:55:18 +08:00
|
|
|
pti_mode = PTI_FORCE_OFF;
|
2017-12-12 21:39:52 +08:00
|
|
|
pti_print_if_insecure("disabled on command line.");
|
|
|
|
return;
|
|
|
|
}
|
|
|
|
if (ret == 2 && !strncmp(arg, "on", 2)) {
|
2018-04-07 04:55:18 +08:00
|
|
|
pti_mode = PTI_FORCE_ON;
|
2017-12-12 21:39:52 +08:00
|
|
|
pti_print_if_secure("force enabled on command line.");
|
|
|
|
goto enable;
|
|
|
|
}
|
2018-04-07 04:55:18 +08:00
|
|
|
if (ret == 4 && !strncmp(arg, "auto", 4)) {
|
|
|
|
pti_mode = PTI_AUTO;
|
2017-12-12 21:39:52 +08:00
|
|
|
goto autosel;
|
2018-04-07 04:55:18 +08:00
|
|
|
}
|
2017-12-12 21:39:52 +08:00
|
|
|
}
|
|
|
|
|
2019-04-13 04:39:29 +08:00
|
|
|
if (cmdline_find_option_bool(boot_command_line, "nopti") ||
|
|
|
|
cpu_mitigations_off()) {
|
2018-04-07 04:55:18 +08:00
|
|
|
pti_mode = PTI_FORCE_OFF;
|
2017-12-04 22:07:36 +08:00
|
|
|
pti_print_if_insecure("disabled on command line.");
|
|
|
|
return;
|
|
|
|
}
|
|
|
|
|
2017-12-12 21:39:52 +08:00
|
|
|
autosel:
|
2018-01-05 22:27:34 +08:00
|
|
|
if (!boot_cpu_has_bug(X86_BUG_CPU_MELTDOWN))
|
2017-12-04 22:07:36 +08:00
|
|
|
return;
|
2017-12-12 21:39:52 +08:00
|
|
|
enable:
|
2017-12-04 22:07:36 +08:00
|
|
|
setup_force_cpu_cap(X86_FEATURE_PTI);
|
|
|
|
}
|
|
|
|
|
2018-07-18 17:40:52 +08:00
|
|
|
pgd_t __pti_set_user_pgtbl(pgd_t *pgdp, pgd_t pgd)
|
2017-12-04 22:07:37 +08:00
|
|
|
{
|
|
|
|
/*
|
|
|
|
* Changes to the high (kernel) portion of the kernelmode page
|
|
|
|
* tables are not automatically propagated to the usermode tables.
|
|
|
|
*
|
|
|
|
* Users should keep in mind that, unlike the kernelmode tables,
|
|
|
|
* there is no vmalloc_fault equivalent for the usermode tables.
|
|
|
|
* Top-level entries added to init_mm's usermode pgd after boot
|
|
|
|
* will not be automatically propagated to other mms.
|
|
|
|
*/
|
|
|
|
if (!pgdp_maps_userspace(pgdp))
|
|
|
|
return pgd;
|
|
|
|
|
|
|
|
/*
|
|
|
|
* The user page tables get the full PGD, accessible from
|
|
|
|
* userspace:
|
|
|
|
*/
|
|
|
|
kernel_to_user_pgdp(pgdp)->pgd = pgd.pgd;
|
|
|
|
|
|
|
|
/*
|
|
|
|
* If this is normal user memory, make it NX in the kernel
|
|
|
|
* pagetables so that, if we somehow screw up and return to
|
|
|
|
* usermode with the kernel CR3 loaded, we'll get a page fault
|
|
|
|
* instead of allowing user code to execute with the wrong CR3.
|
|
|
|
*
|
|
|
|
* As exceptions, we don't set NX if:
|
|
|
|
* - _PAGE_USER is not set. This could be an executable
|
|
|
|
* EFI runtime mapping or something similar, and the kernel
|
|
|
|
* may execute from it
|
|
|
|
* - we don't have NX support
|
|
|
|
* - we're clearing the PGD (i.e. the new pgd is not present).
|
|
|
|
*/
|
|
|
|
if ((pgd.pgd & (_PAGE_USER|_PAGE_PRESENT)) == (_PAGE_USER|_PAGE_PRESENT) &&
|
|
|
|
(__supported_pte_mask & _PAGE_NX))
|
|
|
|
pgd.pgd |= _PAGE_NX;
|
|
|
|
|
|
|
|
/* return the copy of the PGD we want the kernel to use: */
|
|
|
|
return pgd;
|
|
|
|
}
|
|
|
|
|
2017-12-04 22:07:42 +08:00
|
|
|
/*
|
|
|
|
* Walk the user copy of the page tables (optionally) trying to allocate
|
|
|
|
* page table pages on the way down.
|
|
|
|
*
|
|
|
|
* Returns a pointer to a P4D on success, or NULL on failure.
|
|
|
|
*/
|
2018-04-07 04:55:18 +08:00
|
|
|
static p4d_t *pti_user_pagetable_walk_p4d(unsigned long address)
|
2017-12-04 22:07:42 +08:00
|
|
|
{
|
|
|
|
pgd_t *pgd = kernel_to_user_pgdp(pgd_offset_k(address));
|
|
|
|
gfp_t gfp = (GFP_KERNEL | __GFP_NOTRACK | __GFP_ZERO);
|
|
|
|
|
|
|
|
if (address < PAGE_OFFSET) {
|
|
|
|
WARN_ONCE(1, "attempt to walk user address\n");
|
|
|
|
return NULL;
|
|
|
|
}
|
|
|
|
|
|
|
|
if (pgd_none(*pgd)) {
|
|
|
|
unsigned long new_p4d_page = __get_free_page(gfp);
|
2018-07-20 08:06:31 +08:00
|
|
|
if (WARN_ON_ONCE(!new_p4d_page))
|
2017-12-04 22:07:42 +08:00
|
|
|
return NULL;
|
|
|
|
|
2018-01-09 00:03:41 +08:00
|
|
|
set_pgd(pgd, __pgd(_KERNPG_TABLE | __pa(new_p4d_page)));
|
2017-12-04 22:07:42 +08:00
|
|
|
}
|
|
|
|
BUILD_BUG_ON(pgd_large(*pgd) != 0);
|
|
|
|
|
|
|
|
return p4d_offset(pgd, address);
|
|
|
|
}
|
|
|
|
|
|
|
|
/*
|
|
|
|
* Walk the user copy of the page tables (optionally) trying to allocate
|
|
|
|
* page table pages on the way down.
|
|
|
|
*
|
|
|
|
* Returns a pointer to a PMD on success, or NULL on failure.
|
|
|
|
*/
|
2018-04-07 04:55:18 +08:00
|
|
|
static pmd_t *pti_user_pagetable_walk_pmd(unsigned long address)
|
2017-12-04 22:07:42 +08:00
|
|
|
{
|
|
|
|
gfp_t gfp = (GFP_KERNEL | __GFP_NOTRACK | __GFP_ZERO);
|
2018-07-20 08:06:31 +08:00
|
|
|
p4d_t *p4d;
|
2017-12-04 22:07:42 +08:00
|
|
|
pud_t *pud;
|
|
|
|
|
2018-07-20 08:06:31 +08:00
|
|
|
p4d = pti_user_pagetable_walk_p4d(address);
|
|
|
|
if (!p4d)
|
|
|
|
return NULL;
|
|
|
|
|
2017-12-04 22:07:42 +08:00
|
|
|
BUILD_BUG_ON(p4d_large(*p4d) != 0);
|
|
|
|
if (p4d_none(*p4d)) {
|
|
|
|
unsigned long new_pud_page = __get_free_page(gfp);
|
2018-07-20 08:06:32 +08:00
|
|
|
if (WARN_ON_ONCE(!new_pud_page))
|
2017-12-04 22:07:42 +08:00
|
|
|
return NULL;
|
|
|
|
|
2018-01-09 00:03:41 +08:00
|
|
|
set_p4d(p4d, __p4d(_KERNPG_TABLE | __pa(new_pud_page)));
|
2017-12-04 22:07:42 +08:00
|
|
|
}
|
|
|
|
|
|
|
|
pud = pud_offset(p4d, address);
|
|
|
|
/* The user page tables do not use large mappings: */
|
|
|
|
if (pud_large(*pud)) {
|
|
|
|
WARN_ON(1);
|
|
|
|
return NULL;
|
|
|
|
}
|
|
|
|
if (pud_none(*pud)) {
|
|
|
|
unsigned long new_pmd_page = __get_free_page(gfp);
|
2018-07-20 08:06:32 +08:00
|
|
|
if (WARN_ON_ONCE(!new_pmd_page))
|
2017-12-04 22:07:42 +08:00
|
|
|
return NULL;
|
|
|
|
|
2018-01-09 00:03:41 +08:00
|
|
|
set_pud(pud, __pud(_KERNPG_TABLE | __pa(new_pmd_page)));
|
2017-12-04 22:07:42 +08:00
|
|
|
}
|
|
|
|
|
|
|
|
return pmd_offset(pud, address);
|
|
|
|
}
|
|
|
|
|
2017-12-12 23:56:42 +08:00
|
|
|
/*
|
|
|
|
* Walk the shadow copy of the page tables (optionally) trying to allocate
|
|
|
|
* page table pages on the way down. Does not support large pages.
|
|
|
|
*
|
|
|
|
* Note: this is only used when mapping *new* kernel data into the
|
|
|
|
* user/shadow page tables. It is never used for userspace data.
|
|
|
|
*
|
|
|
|
* Returns a pointer to a PTE on success, or NULL on failure.
|
|
|
|
*/
|
2018-09-02 12:01:28 +08:00
|
|
|
static pte_t *pti_user_pagetable_walk_pte(unsigned long address)
|
2017-12-12 23:56:42 +08:00
|
|
|
{
|
|
|
|
gfp_t gfp = (GFP_KERNEL | __GFP_NOTRACK | __GFP_ZERO);
|
2018-07-20 08:06:32 +08:00
|
|
|
pmd_t *pmd;
|
2017-12-12 23:56:42 +08:00
|
|
|
pte_t *pte;
|
|
|
|
|
2018-07-20 08:06:32 +08:00
|
|
|
pmd = pti_user_pagetable_walk_pmd(address);
|
|
|
|
if (!pmd)
|
|
|
|
return NULL;
|
|
|
|
|
2017-12-12 23:56:42 +08:00
|
|
|
/* We can't do anything sensible if we hit a large mapping. */
|
|
|
|
if (pmd_large(*pmd)) {
|
|
|
|
WARN_ON(1);
|
|
|
|
return NULL;
|
|
|
|
}
|
|
|
|
|
|
|
|
if (pmd_none(*pmd)) {
|
|
|
|
unsigned long new_pte_page = __get_free_page(gfp);
|
|
|
|
if (!new_pte_page)
|
|
|
|
return NULL;
|
|
|
|
|
2018-01-09 00:03:41 +08:00
|
|
|
set_pmd(pmd, __pmd(_KERNPG_TABLE | __pa(new_pte_page)));
|
2017-12-12 23:56:42 +08:00
|
|
|
}
|
|
|
|
|
|
|
|
pte = pte_offset_kernel(pmd, address);
|
|
|
|
if (pte_flags(*pte) & _PAGE_USER) {
|
|
|
|
WARN_ONCE(1, "attempt to walk to user pte\n");
|
|
|
|
return NULL;
|
|
|
|
}
|
|
|
|
return pte;
|
|
|
|
}
|
|
|
|
|
2018-08-07 18:24:31 +08:00
|
|
|
#ifdef CONFIG_X86_VSYSCALL_EMULATION
|
2017-12-12 23:56:42 +08:00
|
|
|
static void __init pti_setup_vsyscall(void)
|
|
|
|
{
|
|
|
|
pte_t *pte, *target_pte;
|
|
|
|
unsigned int level;
|
|
|
|
|
|
|
|
pte = lookup_address(VSYSCALL_ADDR, &level);
|
|
|
|
if (!pte || WARN_ON(level != PG_LEVEL_4K) || pte_none(*pte))
|
|
|
|
return;
|
|
|
|
|
|
|
|
target_pte = pti_user_pagetable_walk_pte(VSYSCALL_ADDR);
|
|
|
|
if (WARN_ON(!target_pte))
|
|
|
|
return;
|
|
|
|
|
|
|
|
*target_pte = *pte;
|
|
|
|
set_vsyscall_pgtable_user_bits(kernel_to_user_pgdp(swapper_pg_dir));
|
|
|
|
}
|
|
|
|
#else
|
|
|
|
static void __init pti_setup_vsyscall(void) { }
|
|
|
|
#endif
|
|
|
|
|
2018-08-07 18:24:31 +08:00
|
|
|
enum pti_clone_level {
|
|
|
|
PTI_CLONE_PMD,
|
|
|
|
PTI_CLONE_PTE,
|
|
|
|
};
|
|
|
|
|
2018-04-07 04:55:18 +08:00
|
|
|
static void
|
2018-08-07 18:24:31 +08:00
|
|
|
pti_clone_pgtable(unsigned long start, unsigned long end,
|
|
|
|
enum pti_clone_level level)
|
2017-12-04 22:07:42 +08:00
|
|
|
{
|
|
|
|
unsigned long addr;
|
|
|
|
|
|
|
|
/*
|
|
|
|
* Clone the populated PMDs which cover start to end. These PMD areas
|
|
|
|
* can have holes.
|
|
|
|
*/
|
2018-08-07 18:24:31 +08:00
|
|
|
for (addr = start; addr < end;) {
|
|
|
|
pte_t *pte, *target_pte;
|
2017-12-04 22:07:42 +08:00
|
|
|
pmd_t *pmd, *target_pmd;
|
|
|
|
pgd_t *pgd;
|
|
|
|
p4d_t *p4d;
|
|
|
|
pud_t *pud;
|
|
|
|
|
2018-07-18 17:41:01 +08:00
|
|
|
/* Overflow check */
|
|
|
|
if (addr < start)
|
|
|
|
break;
|
|
|
|
|
2017-12-04 22:07:42 +08:00
|
|
|
pgd = pgd_offset_k(addr);
|
|
|
|
if (WARN_ON(pgd_none(*pgd)))
|
|
|
|
return;
|
|
|
|
p4d = p4d_offset(pgd, addr);
|
|
|
|
if (WARN_ON(p4d_none(*p4d)))
|
|
|
|
return;
|
2018-08-07 18:24:31 +08:00
|
|
|
|
2017-12-04 22:07:42 +08:00
|
|
|
pud = pud_offset(p4d, addr);
|
2018-08-07 18:24:31 +08:00
|
|
|
if (pud_none(*pud)) {
|
2019-08-29 05:54:55 +08:00
|
|
|
WARN_ON_ONCE(addr & ~PUD_MASK);
|
|
|
|
addr = round_up(addr + 1, PUD_SIZE);
|
2017-12-04 22:07:42 +08:00
|
|
|
continue;
|
2018-08-07 18:24:31 +08:00
|
|
|
}
|
|
|
|
|
2017-12-04 22:07:42 +08:00
|
|
|
pmd = pmd_offset(pud, addr);
|
2018-08-07 18:24:31 +08:00
|
|
|
if (pmd_none(*pmd)) {
|
2019-08-29 05:54:55 +08:00
|
|
|
WARN_ON_ONCE(addr & ~PMD_MASK);
|
|
|
|
addr = round_up(addr + 1, PMD_SIZE);
|
2017-12-04 22:07:42 +08:00
|
|
|
continue;
|
2018-08-07 18:24:31 +08:00
|
|
|
}
|
2017-12-04 22:07:42 +08:00
|
|
|
|
2018-08-07 18:24:31 +08:00
|
|
|
if (pmd_large(*pmd) || level == PTI_CLONE_PMD) {
|
|
|
|
target_pmd = pti_user_pagetable_walk_pmd(addr);
|
|
|
|
if (WARN_ON(!target_pmd))
|
|
|
|
return;
|
|
|
|
|
|
|
|
/*
|
|
|
|
* Only clone present PMDs. This ensures only setting
|
|
|
|
* _PAGE_GLOBAL on present PMDs. This should only be
|
|
|
|
* called on well-known addresses anyway, so a non-
|
|
|
|
* present PMD would be a surprise.
|
|
|
|
*/
|
|
|
|
if (WARN_ON(!(pmd_flags(*pmd) & _PAGE_PRESENT)))
|
|
|
|
return;
|
|
|
|
|
|
|
|
/*
|
|
|
|
* Setting 'target_pmd' below creates a mapping in both
|
|
|
|
* the user and kernel page tables. It is effectively
|
|
|
|
* global, so set it as global in both copies. Note:
|
|
|
|
* the X86_FEATURE_PGE check is not _required_ because
|
|
|
|
* the CPU ignores _PAGE_GLOBAL when PGE is not
|
2021-03-18 22:28:01 +08:00
|
|
|
* supported. The check keeps consistency with
|
2018-08-07 18:24:31 +08:00
|
|
|
* code that only set this bit when supported.
|
|
|
|
*/
|
|
|
|
if (boot_cpu_has(X86_FEATURE_PGE))
|
|
|
|
*pmd = pmd_set_flags(*pmd, _PAGE_GLOBAL);
|
|
|
|
|
|
|
|
/*
|
|
|
|
* Copy the PMD. That is, the kernelmode and usermode
|
|
|
|
* tables will share the last-level page tables of this
|
|
|
|
* address range
|
|
|
|
*/
|
|
|
|
*target_pmd = *pmd;
|
|
|
|
|
|
|
|
addr += PMD_SIZE;
|
|
|
|
|
|
|
|
} else if (level == PTI_CLONE_PTE) {
|
|
|
|
|
|
|
|
/* Walk the page-table down to the pte level */
|
|
|
|
pte = pte_offset_kernel(pmd, addr);
|
|
|
|
if (pte_none(*pte)) {
|
|
|
|
addr += PAGE_SIZE;
|
|
|
|
continue;
|
|
|
|
}
|
|
|
|
|
|
|
|
/* Only clone present PTEs */
|
|
|
|
if (WARN_ON(!(pte_flags(*pte) & _PAGE_PRESENT)))
|
|
|
|
return;
|
|
|
|
|
|
|
|
/* Allocate PTE in the user page-table */
|
|
|
|
target_pte = pti_user_pagetable_walk_pte(addr);
|
|
|
|
if (WARN_ON(!target_pte))
|
|
|
|
return;
|
|
|
|
|
|
|
|
/* Set GLOBAL bit in both PTEs */
|
|
|
|
if (boot_cpu_has(X86_FEATURE_PGE))
|
|
|
|
*pte = pte_set_flags(*pte, _PAGE_GLOBAL);
|
|
|
|
|
|
|
|
/* Clone the PTE */
|
|
|
|
*target_pte = *pte;
|
|
|
|
|
|
|
|
addr += PAGE_SIZE;
|
|
|
|
|
|
|
|
} else {
|
|
|
|
BUG();
|
|
|
|
}
|
2017-12-04 22:07:42 +08:00
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2018-07-18 17:41:03 +08:00
|
|
|
#ifdef CONFIG_X86_64
|
2017-12-04 22:07:45 +08:00
|
|
|
/*
|
|
|
|
* Clone a single p4d (i.e. a top-level entry on 4-level systems and a
|
|
|
|
* next-level entry on 5-level systems.
|
|
|
|
*/
|
|
|
|
static void __init pti_clone_p4d(unsigned long addr)
|
|
|
|
{
|
|
|
|
p4d_t *kernel_p4d, *user_p4d;
|
|
|
|
pgd_t *kernel_pgd;
|
|
|
|
|
|
|
|
user_p4d = pti_user_pagetable_walk_p4d(addr);
|
2018-07-20 08:06:31 +08:00
|
|
|
if (!user_p4d)
|
|
|
|
return;
|
|
|
|
|
2017-12-04 22:07:45 +08:00
|
|
|
kernel_pgd = pgd_offset_k(addr);
|
|
|
|
kernel_p4d = p4d_offset(kernel_pgd, addr);
|
|
|
|
*user_p4d = *kernel_p4d;
|
|
|
|
}
|
|
|
|
|
|
|
|
/*
|
x86/pti/64: Remove the SYSCALL64 entry trampoline
The SYSCALL64 trampoline has a couple of nice properties:
- The usual sequence of SWAPGS followed by two GS-relative accesses to
set up RSP is somewhat slow because the GS-relative accesses need
to wait for SWAPGS to finish. The trampoline approach allows
RIP-relative accesses to set up RSP, which avoids the stall.
- The trampoline avoids any percpu access before CR3 is set up,
which means that no percpu memory needs to be mapped in the user
page tables. This prevents using Meltdown to read any percpu memory
outside the cpu_entry_area and prevents using timing leaks
to directly locate the percpu areas.
The downsides of using a trampoline may outweigh the upsides, however.
It adds an extra non-contiguous I$ cache line to system calls, and it
forces an indirect jump to transfer control back to the normal kernel
text after CR3 is set up. The latter is because x86 lacks a 64-bit
direct jump instruction that could jump from the trampoline to the entry
text. With retpolines enabled, the indirect jump is extremely slow.
Change the code to map the percpu TSS into the user page tables to allow
the non-trampoline SYSCALL64 path to work under PTI. This does not add a
new direct information leak, since the TSS is readable by Meltdown from the
cpu_entry_area alias regardless. It does allow a timing attack to locate
the percpu area, but KASLR is more or less a lost cause against local
attack on CPUs vulnerable to Meltdown regardless. As far as I'm concerned,
on current hardware, KASLR is only useful to mitigate remote attacks that
try to attack the kernel without first gaining RCE against a vulnerable
user process.
On Skylake, with CONFIG_RETPOLINE=y and KPTI on, this reduces syscall
overhead from ~237ns to ~228ns.
There is a possible alternative approach: Move the trampoline within 2G of
the entry text and make a separate copy for each CPU. This would allow a
direct jump to rejoin the normal entry path. There are pro's and con's for
this approach:
+ It avoids a pipeline stall
- It executes from an extra page and read from another extra page during
the syscall. The latter is because it needs to use a relative
addressing mode to find sp1 -- it's the same *cacheline*, but accessed
using an alias, so it's an extra TLB entry.
- Slightly more memory. This would be one page per CPU for a simple
implementation and 64-ish bytes per CPU or one page per node for a more
complex implementation.
- More code complexity.
The current approach is chosen for simplicity and because the alternative
does not provide a significant benefit, which makes it worth.
[ tglx: Added the alternative discussion to the changelog ]
Signed-off-by: Andy Lutomirski <luto@kernel.org>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Reviewed-by: Borislav Petkov <bp@suse.de>
Cc: Borislav Petkov <bp@alien8.de>
Cc: Dave Hansen <dave.hansen@linux.intel.com>
Cc: Adrian Hunter <adrian.hunter@intel.com>
Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
Cc: Arnaldo Carvalho de Melo <acme@kernel.org>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Josh Poimboeuf <jpoimboe@redhat.com>
Cc: Joerg Roedel <joro@8bytes.org>
Cc: Jiri Olsa <jolsa@redhat.com>
Cc: Andi Kleen <ak@linux.intel.com>
Cc: Peter Zijlstra <peterz@infradead.org>
Link: https://lkml.kernel.org/r/8c7c6e483612c3e4e10ca89495dc160b1aa66878.1536015544.git.luto@kernel.org
2018-09-04 06:59:44 +08:00
|
|
|
* Clone the CPU_ENTRY_AREA and associated data into the user space visible
|
|
|
|
* page table.
|
2017-12-04 22:07:45 +08:00
|
|
|
*/
|
|
|
|
static void __init pti_clone_user_shared(void)
|
|
|
|
{
|
x86/pti/64: Remove the SYSCALL64 entry trampoline
The SYSCALL64 trampoline has a couple of nice properties:
- The usual sequence of SWAPGS followed by two GS-relative accesses to
set up RSP is somewhat slow because the GS-relative accesses need
to wait for SWAPGS to finish. The trampoline approach allows
RIP-relative accesses to set up RSP, which avoids the stall.
- The trampoline avoids any percpu access before CR3 is set up,
which means that no percpu memory needs to be mapped in the user
page tables. This prevents using Meltdown to read any percpu memory
outside the cpu_entry_area and prevents using timing leaks
to directly locate the percpu areas.
The downsides of using a trampoline may outweigh the upsides, however.
It adds an extra non-contiguous I$ cache line to system calls, and it
forces an indirect jump to transfer control back to the normal kernel
text after CR3 is set up. The latter is because x86 lacks a 64-bit
direct jump instruction that could jump from the trampoline to the entry
text. With retpolines enabled, the indirect jump is extremely slow.
Change the code to map the percpu TSS into the user page tables to allow
the non-trampoline SYSCALL64 path to work under PTI. This does not add a
new direct information leak, since the TSS is readable by Meltdown from the
cpu_entry_area alias regardless. It does allow a timing attack to locate
the percpu area, but KASLR is more or less a lost cause against local
attack on CPUs vulnerable to Meltdown regardless. As far as I'm concerned,
on current hardware, KASLR is only useful to mitigate remote attacks that
try to attack the kernel without first gaining RCE against a vulnerable
user process.
On Skylake, with CONFIG_RETPOLINE=y and KPTI on, this reduces syscall
overhead from ~237ns to ~228ns.
There is a possible alternative approach: Move the trampoline within 2G of
the entry text and make a separate copy for each CPU. This would allow a
direct jump to rejoin the normal entry path. There are pro's and con's for
this approach:
+ It avoids a pipeline stall
- It executes from an extra page and read from another extra page during
the syscall. The latter is because it needs to use a relative
addressing mode to find sp1 -- it's the same *cacheline*, but accessed
using an alias, so it's an extra TLB entry.
- Slightly more memory. This would be one page per CPU for a simple
implementation and 64-ish bytes per CPU or one page per node for a more
complex implementation.
- More code complexity.
The current approach is chosen for simplicity and because the alternative
does not provide a significant benefit, which makes it worth.
[ tglx: Added the alternative discussion to the changelog ]
Signed-off-by: Andy Lutomirski <luto@kernel.org>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Reviewed-by: Borislav Petkov <bp@suse.de>
Cc: Borislav Petkov <bp@alien8.de>
Cc: Dave Hansen <dave.hansen@linux.intel.com>
Cc: Adrian Hunter <adrian.hunter@intel.com>
Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
Cc: Arnaldo Carvalho de Melo <acme@kernel.org>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Josh Poimboeuf <jpoimboe@redhat.com>
Cc: Joerg Roedel <joro@8bytes.org>
Cc: Jiri Olsa <jolsa@redhat.com>
Cc: Andi Kleen <ak@linux.intel.com>
Cc: Peter Zijlstra <peterz@infradead.org>
Link: https://lkml.kernel.org/r/8c7c6e483612c3e4e10ca89495dc160b1aa66878.1536015544.git.luto@kernel.org
2018-09-04 06:59:44 +08:00
|
|
|
unsigned int cpu;
|
|
|
|
|
2017-12-04 22:07:45 +08:00
|
|
|
pti_clone_p4d(CPU_ENTRY_AREA_BASE);
|
x86/pti/64: Remove the SYSCALL64 entry trampoline
The SYSCALL64 trampoline has a couple of nice properties:
- The usual sequence of SWAPGS followed by two GS-relative accesses to
set up RSP is somewhat slow because the GS-relative accesses need
to wait for SWAPGS to finish. The trampoline approach allows
RIP-relative accesses to set up RSP, which avoids the stall.
- The trampoline avoids any percpu access before CR3 is set up,
which means that no percpu memory needs to be mapped in the user
page tables. This prevents using Meltdown to read any percpu memory
outside the cpu_entry_area and prevents using timing leaks
to directly locate the percpu areas.
The downsides of using a trampoline may outweigh the upsides, however.
It adds an extra non-contiguous I$ cache line to system calls, and it
forces an indirect jump to transfer control back to the normal kernel
text after CR3 is set up. The latter is because x86 lacks a 64-bit
direct jump instruction that could jump from the trampoline to the entry
text. With retpolines enabled, the indirect jump is extremely slow.
Change the code to map the percpu TSS into the user page tables to allow
the non-trampoline SYSCALL64 path to work under PTI. This does not add a
new direct information leak, since the TSS is readable by Meltdown from the
cpu_entry_area alias regardless. It does allow a timing attack to locate
the percpu area, but KASLR is more or less a lost cause against local
attack on CPUs vulnerable to Meltdown regardless. As far as I'm concerned,
on current hardware, KASLR is only useful to mitigate remote attacks that
try to attack the kernel without first gaining RCE against a vulnerable
user process.
On Skylake, with CONFIG_RETPOLINE=y and KPTI on, this reduces syscall
overhead from ~237ns to ~228ns.
There is a possible alternative approach: Move the trampoline within 2G of
the entry text and make a separate copy for each CPU. This would allow a
direct jump to rejoin the normal entry path. There are pro's and con's for
this approach:
+ It avoids a pipeline stall
- It executes from an extra page and read from another extra page during
the syscall. The latter is because it needs to use a relative
addressing mode to find sp1 -- it's the same *cacheline*, but accessed
using an alias, so it's an extra TLB entry.
- Slightly more memory. This would be one page per CPU for a simple
implementation and 64-ish bytes per CPU or one page per node for a more
complex implementation.
- More code complexity.
The current approach is chosen for simplicity and because the alternative
does not provide a significant benefit, which makes it worth.
[ tglx: Added the alternative discussion to the changelog ]
Signed-off-by: Andy Lutomirski <luto@kernel.org>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Reviewed-by: Borislav Petkov <bp@suse.de>
Cc: Borislav Petkov <bp@alien8.de>
Cc: Dave Hansen <dave.hansen@linux.intel.com>
Cc: Adrian Hunter <adrian.hunter@intel.com>
Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
Cc: Arnaldo Carvalho de Melo <acme@kernel.org>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Josh Poimboeuf <jpoimboe@redhat.com>
Cc: Joerg Roedel <joro@8bytes.org>
Cc: Jiri Olsa <jolsa@redhat.com>
Cc: Andi Kleen <ak@linux.intel.com>
Cc: Peter Zijlstra <peterz@infradead.org>
Link: https://lkml.kernel.org/r/8c7c6e483612c3e4e10ca89495dc160b1aa66878.1536015544.git.luto@kernel.org
2018-09-04 06:59:44 +08:00
|
|
|
|
|
|
|
for_each_possible_cpu(cpu) {
|
|
|
|
/*
|
2021-01-26 01:34:29 +08:00
|
|
|
* The SYSCALL64 entry code needs one word of scratch space
|
|
|
|
* in which to spill a register. It lives in the sp2 slot
|
|
|
|
* of the CPU's TSS.
|
x86/pti/64: Remove the SYSCALL64 entry trampoline
The SYSCALL64 trampoline has a couple of nice properties:
- The usual sequence of SWAPGS followed by two GS-relative accesses to
set up RSP is somewhat slow because the GS-relative accesses need
to wait for SWAPGS to finish. The trampoline approach allows
RIP-relative accesses to set up RSP, which avoids the stall.
- The trampoline avoids any percpu access before CR3 is set up,
which means that no percpu memory needs to be mapped in the user
page tables. This prevents using Meltdown to read any percpu memory
outside the cpu_entry_area and prevents using timing leaks
to directly locate the percpu areas.
The downsides of using a trampoline may outweigh the upsides, however.
It adds an extra non-contiguous I$ cache line to system calls, and it
forces an indirect jump to transfer control back to the normal kernel
text after CR3 is set up. The latter is because x86 lacks a 64-bit
direct jump instruction that could jump from the trampoline to the entry
text. With retpolines enabled, the indirect jump is extremely slow.
Change the code to map the percpu TSS into the user page tables to allow
the non-trampoline SYSCALL64 path to work under PTI. This does not add a
new direct information leak, since the TSS is readable by Meltdown from the
cpu_entry_area alias regardless. It does allow a timing attack to locate
the percpu area, but KASLR is more or less a lost cause against local
attack on CPUs vulnerable to Meltdown regardless. As far as I'm concerned,
on current hardware, KASLR is only useful to mitigate remote attacks that
try to attack the kernel without first gaining RCE against a vulnerable
user process.
On Skylake, with CONFIG_RETPOLINE=y and KPTI on, this reduces syscall
overhead from ~237ns to ~228ns.
There is a possible alternative approach: Move the trampoline within 2G of
the entry text and make a separate copy for each CPU. This would allow a
direct jump to rejoin the normal entry path. There are pro's and con's for
this approach:
+ It avoids a pipeline stall
- It executes from an extra page and read from another extra page during
the syscall. The latter is because it needs to use a relative
addressing mode to find sp1 -- it's the same *cacheline*, but accessed
using an alias, so it's an extra TLB entry.
- Slightly more memory. This would be one page per CPU for a simple
implementation and 64-ish bytes per CPU or one page per node for a more
complex implementation.
- More code complexity.
The current approach is chosen for simplicity and because the alternative
does not provide a significant benefit, which makes it worth.
[ tglx: Added the alternative discussion to the changelog ]
Signed-off-by: Andy Lutomirski <luto@kernel.org>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Reviewed-by: Borislav Petkov <bp@suse.de>
Cc: Borislav Petkov <bp@alien8.de>
Cc: Dave Hansen <dave.hansen@linux.intel.com>
Cc: Adrian Hunter <adrian.hunter@intel.com>
Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
Cc: Arnaldo Carvalho de Melo <acme@kernel.org>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Josh Poimboeuf <jpoimboe@redhat.com>
Cc: Joerg Roedel <joro@8bytes.org>
Cc: Jiri Olsa <jolsa@redhat.com>
Cc: Andi Kleen <ak@linux.intel.com>
Cc: Peter Zijlstra <peterz@infradead.org>
Link: https://lkml.kernel.org/r/8c7c6e483612c3e4e10ca89495dc160b1aa66878.1536015544.git.luto@kernel.org
2018-09-04 06:59:44 +08:00
|
|
|
*
|
|
|
|
* This is done for all possible CPUs during boot to ensure
|
2020-06-02 12:52:40 +08:00
|
|
|
* that it's propagated to all mms.
|
x86/pti/64: Remove the SYSCALL64 entry trampoline
The SYSCALL64 trampoline has a couple of nice properties:
- The usual sequence of SWAPGS followed by two GS-relative accesses to
set up RSP is somewhat slow because the GS-relative accesses need
to wait for SWAPGS to finish. The trampoline approach allows
RIP-relative accesses to set up RSP, which avoids the stall.
- The trampoline avoids any percpu access before CR3 is set up,
which means that no percpu memory needs to be mapped in the user
page tables. This prevents using Meltdown to read any percpu memory
outside the cpu_entry_area and prevents using timing leaks
to directly locate the percpu areas.
The downsides of using a trampoline may outweigh the upsides, however.
It adds an extra non-contiguous I$ cache line to system calls, and it
forces an indirect jump to transfer control back to the normal kernel
text after CR3 is set up. The latter is because x86 lacks a 64-bit
direct jump instruction that could jump from the trampoline to the entry
text. With retpolines enabled, the indirect jump is extremely slow.
Change the code to map the percpu TSS into the user page tables to allow
the non-trampoline SYSCALL64 path to work under PTI. This does not add a
new direct information leak, since the TSS is readable by Meltdown from the
cpu_entry_area alias regardless. It does allow a timing attack to locate
the percpu area, but KASLR is more or less a lost cause against local
attack on CPUs vulnerable to Meltdown regardless. As far as I'm concerned,
on current hardware, KASLR is only useful to mitigate remote attacks that
try to attack the kernel without first gaining RCE against a vulnerable
user process.
On Skylake, with CONFIG_RETPOLINE=y and KPTI on, this reduces syscall
overhead from ~237ns to ~228ns.
There is a possible alternative approach: Move the trampoline within 2G of
the entry text and make a separate copy for each CPU. This would allow a
direct jump to rejoin the normal entry path. There are pro's and con's for
this approach:
+ It avoids a pipeline stall
- It executes from an extra page and read from another extra page during
the syscall. The latter is because it needs to use a relative
addressing mode to find sp1 -- it's the same *cacheline*, but accessed
using an alias, so it's an extra TLB entry.
- Slightly more memory. This would be one page per CPU for a simple
implementation and 64-ish bytes per CPU or one page per node for a more
complex implementation.
- More code complexity.
The current approach is chosen for simplicity and because the alternative
does not provide a significant benefit, which makes it worth.
[ tglx: Added the alternative discussion to the changelog ]
Signed-off-by: Andy Lutomirski <luto@kernel.org>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Reviewed-by: Borislav Petkov <bp@suse.de>
Cc: Borislav Petkov <bp@alien8.de>
Cc: Dave Hansen <dave.hansen@linux.intel.com>
Cc: Adrian Hunter <adrian.hunter@intel.com>
Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
Cc: Arnaldo Carvalho de Melo <acme@kernel.org>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Josh Poimboeuf <jpoimboe@redhat.com>
Cc: Joerg Roedel <joro@8bytes.org>
Cc: Jiri Olsa <jolsa@redhat.com>
Cc: Andi Kleen <ak@linux.intel.com>
Cc: Peter Zijlstra <peterz@infradead.org>
Link: https://lkml.kernel.org/r/8c7c6e483612c3e4e10ca89495dc160b1aa66878.1536015544.git.luto@kernel.org
2018-09-04 06:59:44 +08:00
|
|
|
*/
|
|
|
|
|
|
|
|
unsigned long va = (unsigned long)&per_cpu(cpu_tss_rw, cpu);
|
|
|
|
phys_addr_t pa = per_cpu_ptr_to_phys((void *)va);
|
|
|
|
pte_t *target_pte;
|
|
|
|
|
|
|
|
target_pte = pti_user_pagetable_walk_pte(va);
|
|
|
|
if (WARN_ON(!target_pte))
|
|
|
|
return;
|
|
|
|
|
|
|
|
*target_pte = pfn_pte(pa >> PAGE_SHIFT, PAGE_KERNEL);
|
|
|
|
}
|
2017-12-04 22:07:45 +08:00
|
|
|
}
|
|
|
|
|
2018-07-18 17:41:03 +08:00
|
|
|
#else /* CONFIG_X86_64 */
|
|
|
|
|
|
|
|
/*
|
|
|
|
* On 32 bit PAE systems with 1GB of Kernel address space there is only
|
|
|
|
* one pgd/p4d for the whole kernel. Cloning that would map the whole
|
|
|
|
* address space into the user page-tables, making PTI useless. So clone
|
|
|
|
* the page-table on the PMD level to prevent that.
|
|
|
|
*/
|
|
|
|
static void __init pti_clone_user_shared(void)
|
|
|
|
{
|
|
|
|
unsigned long start, end;
|
|
|
|
|
|
|
|
start = CPU_ENTRY_AREA_BASE;
|
|
|
|
end = start + (PAGE_SIZE * CPU_ENTRY_AREA_PAGES);
|
|
|
|
|
2018-08-07 18:24:31 +08:00
|
|
|
pti_clone_pgtable(start, end, PTI_CLONE_PMD);
|
2018-07-18 17:41:03 +08:00
|
|
|
}
|
|
|
|
#endif /* CONFIG_X86_64 */
|
|
|
|
|
2017-12-16 05:08:18 +08:00
|
|
|
/*
|
2018-03-07 12:32:15 +08:00
|
|
|
* Clone the ESPFIX P4D into the user space visible page table
|
2017-12-16 05:08:18 +08:00
|
|
|
*/
|
|
|
|
static void __init pti_setup_espfix64(void)
|
|
|
|
{
|
|
|
|
#ifdef CONFIG_X86_ESPFIX64
|
|
|
|
pti_clone_p4d(ESPFIX_BASE_ADDR);
|
|
|
|
#endif
|
|
|
|
}
|
|
|
|
|
2017-12-04 22:07:47 +08:00
|
|
|
/*
|
2020-06-10 14:37:01 +08:00
|
|
|
* Clone the populated PMDs of the entry text and force it RO.
|
2017-12-04 22:07:47 +08:00
|
|
|
*/
|
2018-07-18 17:41:07 +08:00
|
|
|
static void pti_clone_entry_text(void)
|
2017-12-04 22:07:47 +08:00
|
|
|
{
|
2018-08-07 18:24:31 +08:00
|
|
|
pti_clone_pgtable((unsigned long) __entry_text_start,
|
2020-06-10 14:37:01 +08:00
|
|
|
(unsigned long) __entry_text_end,
|
2018-08-07 18:24:31 +08:00
|
|
|
PTI_CLONE_PMD);
|
2017-12-04 22:07:47 +08:00
|
|
|
}
|
|
|
|
|
2018-04-07 04:55:18 +08:00
|
|
|
/*
|
|
|
|
* Global pages and PCIDs are both ways to make kernel TLB entries
|
|
|
|
* live longer, reduce TLB misses and improve kernel performance.
|
|
|
|
* But, leaving all kernel text Global makes it potentially accessible
|
|
|
|
* to Meltdown-style attacks which make it trivial to find gadgets or
|
|
|
|
* defeat KASLR.
|
|
|
|
*
|
|
|
|
* Only use global pages when it is really worth it.
|
|
|
|
*/
|
|
|
|
static inline bool pti_kernel_image_global_ok(void)
|
|
|
|
{
|
|
|
|
/*
|
2021-03-18 22:28:01 +08:00
|
|
|
* Systems with PCIDs get little benefit from global
|
2018-04-07 04:55:18 +08:00
|
|
|
* kernel text and are not worth the downsides.
|
|
|
|
*/
|
|
|
|
if (cpu_feature_enabled(X86_FEATURE_PCID))
|
|
|
|
return false;
|
|
|
|
|
|
|
|
/*
|
|
|
|
* Only do global kernel image for pti=auto. Do the most
|
|
|
|
* secure thing (not global) if pti=on specified.
|
|
|
|
*/
|
|
|
|
if (pti_mode != PTI_AUTO)
|
|
|
|
return false;
|
|
|
|
|
|
|
|
/*
|
|
|
|
* K8 may not tolerate the cleared _PAGE_RW on the userspace
|
|
|
|
* global kernel image pages. Do the safe thing (disable
|
|
|
|
* global kernel image). This is unlikely to ever be
|
|
|
|
* noticed because PTI is disabled by default on AMD CPUs.
|
|
|
|
*/
|
|
|
|
if (boot_cpu_has(X86_FEATURE_K8))
|
|
|
|
return false;
|
|
|
|
|
2018-04-21 06:20:26 +08:00
|
|
|
/*
|
|
|
|
* RANDSTRUCT derives its hardening benefits from the
|
|
|
|
* attacker's lack of knowledge about the layout of kernel
|
|
|
|
* data structures. Keep the kernel image non-global in
|
|
|
|
* cases where RANDSTRUCT is in use to help keep the layout a
|
|
|
|
* secret.
|
|
|
|
*/
|
|
|
|
if (IS_ENABLED(CONFIG_GCC_PLUGIN_RANDSTRUCT))
|
|
|
|
return false;
|
|
|
|
|
2018-04-07 04:55:18 +08:00
|
|
|
return true;
|
|
|
|
}
|
|
|
|
|
|
|
|
/*
|
|
|
|
* For some configurations, map all of kernel text into the user page
|
|
|
|
* tables. This reduces TLB misses, especially on non-PCID systems.
|
|
|
|
*/
|
2018-07-18 17:41:06 +08:00
|
|
|
static void pti_clone_kernel_text(void)
|
2018-04-07 04:55:18 +08:00
|
|
|
{
|
2018-04-21 06:20:23 +08:00
|
|
|
/*
|
|
|
|
* rodata is part of the kernel image and is normally
|
|
|
|
* readable on the filesystem or on the web. But, do not
|
|
|
|
* clone the areas past rodata, they might contain secrets.
|
|
|
|
*/
|
2018-04-07 04:55:18 +08:00
|
|
|
unsigned long start = PFN_ALIGN(_text);
|
2018-08-07 02:56:34 +08:00
|
|
|
unsigned long end_clone = (unsigned long)__end_rodata_aligned;
|
2019-10-30 05:13:37 +08:00
|
|
|
unsigned long end_global = PFN_ALIGN((unsigned long)_etext);
|
2018-04-07 04:55:18 +08:00
|
|
|
|
|
|
|
if (!pti_kernel_image_global_ok())
|
|
|
|
return;
|
|
|
|
|
2018-04-21 06:20:23 +08:00
|
|
|
pr_debug("mapping partial kernel image into user address space\n");
|
|
|
|
|
|
|
|
/*
|
|
|
|
* Note that this will undo _some_ of the work that
|
|
|
|
* pti_set_kernel_image_nonglobal() did to clear the
|
|
|
|
* global bit.
|
|
|
|
*/
|
2018-08-07 18:24:31 +08:00
|
|
|
pti_clone_pgtable(start, end_clone, PTI_LEVEL_KERNEL_IMAGE);
|
2018-08-03 06:58:25 +08:00
|
|
|
|
|
|
|
/*
|
2018-08-07 18:24:31 +08:00
|
|
|
* pti_clone_pgtable() will set the global bit in any PMDs
|
2018-08-03 06:58:25 +08:00
|
|
|
* that it clones, but we also need to get any PTEs in
|
|
|
|
* the last level for areas that are not huge-page-aligned.
|
|
|
|
*/
|
|
|
|
|
|
|
|
/* Set the global bit for normal non-__init kernel text: */
|
|
|
|
set_memory_global(start, (end_global - start) >> PAGE_SHIFT);
|
2018-04-07 04:55:18 +08:00
|
|
|
}
|
|
|
|
|
2019-03-12 15:47:53 +08:00
|
|
|
static void pti_set_kernel_image_nonglobal(void)
|
x86/pti: Never implicitly clear _PAGE_GLOBAL for kernel image
Summary:
In current kernels, with PTI enabled, no pages are marked Global. This
potentially increases TLB misses. But, the mechanism by which the Global
bit is set and cleared is rather haphazard. This patch makes the process
more explicit. In the end, it leaves us with Global entries in the page
tables for the areas truly shared by userspace and kernel and increases
TLB hit rates.
The place this patch really shines in on systems without PCIDs. In this
case, we are using an lseek microbenchmark[1] to see how a reasonably
non-trivial syscall behaves. Higher is better:
No Global pages (baseline): 6077741 lseeks/sec
88 Global Pages (this set): 7528609 lseeks/sec (+23.9%)
On a modern Skylake desktop with PCIDs, the benefits are tangible, but not
huge for a kernel compile (lower is better):
No Global pages (baseline): 186.951 seconds time elapsed ( +- 0.35% )
28 Global pages (this set): 185.756 seconds time elapsed ( +- 0.09% )
-1.195 seconds (-0.64%)
I also re-checked everything using the lseek1 test[1]:
No Global pages (baseline): 15783951 lseeks/sec
28 Global pages (this set): 16054688 lseeks/sec
+270737 lseeks/sec (+1.71%)
The effect is more visible, but still modest.
Details:
The kernel page tables are inherited from head_64.S which rudely marks
them as _PAGE_GLOBAL. For PTI, we have been relying on the grace of
$DEITY and some insane behavior in pageattr.c to clear _PAGE_GLOBAL.
This patch tries to do better.
First, stop filtering out "unsupported" bits from being cleared in the
pageattr code. It's fine to filter out *setting* these bits but it
is insane to keep us from clearing them.
Then, *explicitly* go clear _PAGE_GLOBAL from the kernel identity map.
Do not rely on pageattr to do it magically.
After this patch, we can see that "GLB" shows up in each copy of the
page tables, that we have the same number of global entries in each
and that they are the *same* entries.
/sys/kernel/debug/page_tables/current_kernel:11
/sys/kernel/debug/page_tables/current_user:11
/sys/kernel/debug/page_tables/kernel:11
9caae8ad6a1fb53aca2407ec037f612d current_kernel.GLB
9caae8ad6a1fb53aca2407ec037f612d current_user.GLB
9caae8ad6a1fb53aca2407ec037f612d kernel.GLB
A quick visual audit also shows that all the entries make sense.
0xfffffe0000000000 is the cpu_entry_area and 0xffffffff81c00000
is the entry/exit text:
0xfffffe0000000000-0xfffffe0000002000 8K ro GLB NX pte
0xfffffe0000002000-0xfffffe0000003000 4K RW GLB NX pte
0xfffffe0000003000-0xfffffe0000006000 12K ro GLB NX pte
0xfffffe0000006000-0xfffffe0000007000 4K ro GLB x pte
0xfffffe0000007000-0xfffffe000000d000 24K RW GLB NX pte
0xfffffe000002d000-0xfffffe000002e000 4K ro GLB NX pte
0xfffffe000002e000-0xfffffe000002f000 4K RW GLB NX pte
0xfffffe000002f000-0xfffffe0000032000 12K ro GLB NX pte
0xfffffe0000032000-0xfffffe0000033000 4K ro GLB x pte
0xfffffe0000033000-0xfffffe0000039000 24K RW GLB NX pte
0xffffffff81c00000-0xffffffff81e00000 2M ro PSE GLB x pmd
[1.] https://github.com/antonblanchard/will-it-scale/blob/master/tests/lseek1.c
Signed-off-by: Dave Hansen <dave.hansen@linux.intel.com>
Cc: Andrea Arcangeli <aarcange@redhat.com>
Cc: Andy Lutomirski <luto@kernel.org>
Cc: Arjan van de Ven <arjan@linux.intel.com>
Cc: Borislav Petkov <bp@alien8.de>
Cc: Dan Williams <dan.j.williams@intel.com>
Cc: David Woodhouse <dwmw2@infradead.org>
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Cc: Hugh Dickins <hughd@google.com>
Cc: Josh Poimboeuf <jpoimboe@redhat.com>
Cc: Juergen Gross <jgross@suse.com>
Cc: Kees Cook <keescook@google.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Nadav Amit <namit@vmware.com>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: linux-mm@kvack.org
Link: http://lkml.kernel.org/r/20180406205517.C80FBE05@viggo.jf.intel.com
Signed-off-by: Ingo Molnar <mingo@kernel.org>
2018-04-07 04:55:17 +08:00
|
|
|
{
|
|
|
|
/*
|
|
|
|
* The identity map is created with PMDs, regardless of the
|
|
|
|
* actual length of the kernel. We need to clear
|
|
|
|
* _PAGE_GLOBAL up to a PMD boundary, not just to the end
|
|
|
|
* of the image.
|
|
|
|
*/
|
|
|
|
unsigned long start = PFN_ALIGN(_text);
|
|
|
|
unsigned long end = ALIGN((unsigned long)_end, PMD_PAGE_SIZE);
|
|
|
|
|
2018-08-03 06:58:25 +08:00
|
|
|
/*
|
|
|
|
* This clears _PAGE_GLOBAL from the entire kernel image.
|
|
|
|
* pti_clone_kernel_text() map put _PAGE_GLOBAL back for
|
|
|
|
* areas that are mapped to userspace.
|
|
|
|
*/
|
x86/pti: Never implicitly clear _PAGE_GLOBAL for kernel image
Summary:
In current kernels, with PTI enabled, no pages are marked Global. This
potentially increases TLB misses. But, the mechanism by which the Global
bit is set and cleared is rather haphazard. This patch makes the process
more explicit. In the end, it leaves us with Global entries in the page
tables for the areas truly shared by userspace and kernel and increases
TLB hit rates.
The place this patch really shines in on systems without PCIDs. In this
case, we are using an lseek microbenchmark[1] to see how a reasonably
non-trivial syscall behaves. Higher is better:
No Global pages (baseline): 6077741 lseeks/sec
88 Global Pages (this set): 7528609 lseeks/sec (+23.9%)
On a modern Skylake desktop with PCIDs, the benefits are tangible, but not
huge for a kernel compile (lower is better):
No Global pages (baseline): 186.951 seconds time elapsed ( +- 0.35% )
28 Global pages (this set): 185.756 seconds time elapsed ( +- 0.09% )
-1.195 seconds (-0.64%)
I also re-checked everything using the lseek1 test[1]:
No Global pages (baseline): 15783951 lseeks/sec
28 Global pages (this set): 16054688 lseeks/sec
+270737 lseeks/sec (+1.71%)
The effect is more visible, but still modest.
Details:
The kernel page tables are inherited from head_64.S which rudely marks
them as _PAGE_GLOBAL. For PTI, we have been relying on the grace of
$DEITY and some insane behavior in pageattr.c to clear _PAGE_GLOBAL.
This patch tries to do better.
First, stop filtering out "unsupported" bits from being cleared in the
pageattr code. It's fine to filter out *setting* these bits but it
is insane to keep us from clearing them.
Then, *explicitly* go clear _PAGE_GLOBAL from the kernel identity map.
Do not rely on pageattr to do it magically.
After this patch, we can see that "GLB" shows up in each copy of the
page tables, that we have the same number of global entries in each
and that they are the *same* entries.
/sys/kernel/debug/page_tables/current_kernel:11
/sys/kernel/debug/page_tables/current_user:11
/sys/kernel/debug/page_tables/kernel:11
9caae8ad6a1fb53aca2407ec037f612d current_kernel.GLB
9caae8ad6a1fb53aca2407ec037f612d current_user.GLB
9caae8ad6a1fb53aca2407ec037f612d kernel.GLB
A quick visual audit also shows that all the entries make sense.
0xfffffe0000000000 is the cpu_entry_area and 0xffffffff81c00000
is the entry/exit text:
0xfffffe0000000000-0xfffffe0000002000 8K ro GLB NX pte
0xfffffe0000002000-0xfffffe0000003000 4K RW GLB NX pte
0xfffffe0000003000-0xfffffe0000006000 12K ro GLB NX pte
0xfffffe0000006000-0xfffffe0000007000 4K ro GLB x pte
0xfffffe0000007000-0xfffffe000000d000 24K RW GLB NX pte
0xfffffe000002d000-0xfffffe000002e000 4K ro GLB NX pte
0xfffffe000002e000-0xfffffe000002f000 4K RW GLB NX pte
0xfffffe000002f000-0xfffffe0000032000 12K ro GLB NX pte
0xfffffe0000032000-0xfffffe0000033000 4K ro GLB x pte
0xfffffe0000033000-0xfffffe0000039000 24K RW GLB NX pte
0xffffffff81c00000-0xffffffff81e00000 2M ro PSE GLB x pmd
[1.] https://github.com/antonblanchard/will-it-scale/blob/master/tests/lseek1.c
Signed-off-by: Dave Hansen <dave.hansen@linux.intel.com>
Cc: Andrea Arcangeli <aarcange@redhat.com>
Cc: Andy Lutomirski <luto@kernel.org>
Cc: Arjan van de Ven <arjan@linux.intel.com>
Cc: Borislav Petkov <bp@alien8.de>
Cc: Dan Williams <dan.j.williams@intel.com>
Cc: David Woodhouse <dwmw2@infradead.org>
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Cc: Hugh Dickins <hughd@google.com>
Cc: Josh Poimboeuf <jpoimboe@redhat.com>
Cc: Juergen Gross <jgross@suse.com>
Cc: Kees Cook <keescook@google.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Nadav Amit <namit@vmware.com>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: linux-mm@kvack.org
Link: http://lkml.kernel.org/r/20180406205517.C80FBE05@viggo.jf.intel.com
Signed-off-by: Ingo Molnar <mingo@kernel.org>
2018-04-07 04:55:17 +08:00
|
|
|
set_memory_nonglobal(start, (end - start) >> PAGE_SHIFT);
|
|
|
|
}
|
|
|
|
|
2017-12-04 22:07:36 +08:00
|
|
|
/*
|
|
|
|
* Initialize kernel page table isolation
|
|
|
|
*/
|
|
|
|
void __init pti_init(void)
|
|
|
|
{
|
2019-03-30 03:00:38 +08:00
|
|
|
if (!boot_cpu_has(X86_FEATURE_PTI))
|
2017-12-04 22:07:36 +08:00
|
|
|
return;
|
|
|
|
|
|
|
|
pr_info("enabled\n");
|
2017-12-04 22:07:45 +08:00
|
|
|
|
2018-07-18 17:41:15 +08:00
|
|
|
#ifdef CONFIG_X86_32
|
|
|
|
/*
|
|
|
|
* We check for X86_FEATURE_PCID here. But the init-code will
|
|
|
|
* clear the feature flag on 32 bit because the feature is not
|
|
|
|
* supported on 32 bit anyway. To print the warning we need to
|
|
|
|
* check with cpuid directly again.
|
|
|
|
*/
|
2018-08-07 18:24:29 +08:00
|
|
|
if (cpuid_ecx(0x1) & BIT(17)) {
|
2018-07-18 17:41:15 +08:00
|
|
|
/* Use printk to work around pr_fmt() */
|
|
|
|
printk(KERN_WARNING "\n");
|
|
|
|
printk(KERN_WARNING "************************************************************\n");
|
|
|
|
printk(KERN_WARNING "** WARNING! WARNING! WARNING! WARNING! WARNING! WARNING! **\n");
|
|
|
|
printk(KERN_WARNING "** **\n");
|
|
|
|
printk(KERN_WARNING "** You are using 32-bit PTI on a 64-bit PCID-capable CPU. **\n");
|
|
|
|
printk(KERN_WARNING "** Your performance will increase dramatically if you **\n");
|
|
|
|
printk(KERN_WARNING "** switch to a 64-bit kernel! **\n");
|
|
|
|
printk(KERN_WARNING "** **\n");
|
|
|
|
printk(KERN_WARNING "** WARNING! WARNING! WARNING! WARNING! WARNING! WARNING! **\n");
|
|
|
|
printk(KERN_WARNING "************************************************************\n");
|
|
|
|
}
|
|
|
|
#endif
|
|
|
|
|
2017-12-04 22:07:45 +08:00
|
|
|
pti_clone_user_shared();
|
x86/pti: Never implicitly clear _PAGE_GLOBAL for kernel image
Summary:
In current kernels, with PTI enabled, no pages are marked Global. This
potentially increases TLB misses. But, the mechanism by which the Global
bit is set and cleared is rather haphazard. This patch makes the process
more explicit. In the end, it leaves us with Global entries in the page
tables for the areas truly shared by userspace and kernel and increases
TLB hit rates.
The place this patch really shines in on systems without PCIDs. In this
case, we are using an lseek microbenchmark[1] to see how a reasonably
non-trivial syscall behaves. Higher is better:
No Global pages (baseline): 6077741 lseeks/sec
88 Global Pages (this set): 7528609 lseeks/sec (+23.9%)
On a modern Skylake desktop with PCIDs, the benefits are tangible, but not
huge for a kernel compile (lower is better):
No Global pages (baseline): 186.951 seconds time elapsed ( +- 0.35% )
28 Global pages (this set): 185.756 seconds time elapsed ( +- 0.09% )
-1.195 seconds (-0.64%)
I also re-checked everything using the lseek1 test[1]:
No Global pages (baseline): 15783951 lseeks/sec
28 Global pages (this set): 16054688 lseeks/sec
+270737 lseeks/sec (+1.71%)
The effect is more visible, but still modest.
Details:
The kernel page tables are inherited from head_64.S which rudely marks
them as _PAGE_GLOBAL. For PTI, we have been relying on the grace of
$DEITY and some insane behavior in pageattr.c to clear _PAGE_GLOBAL.
This patch tries to do better.
First, stop filtering out "unsupported" bits from being cleared in the
pageattr code. It's fine to filter out *setting* these bits but it
is insane to keep us from clearing them.
Then, *explicitly* go clear _PAGE_GLOBAL from the kernel identity map.
Do not rely on pageattr to do it magically.
After this patch, we can see that "GLB" shows up in each copy of the
page tables, that we have the same number of global entries in each
and that they are the *same* entries.
/sys/kernel/debug/page_tables/current_kernel:11
/sys/kernel/debug/page_tables/current_user:11
/sys/kernel/debug/page_tables/kernel:11
9caae8ad6a1fb53aca2407ec037f612d current_kernel.GLB
9caae8ad6a1fb53aca2407ec037f612d current_user.GLB
9caae8ad6a1fb53aca2407ec037f612d kernel.GLB
A quick visual audit also shows that all the entries make sense.
0xfffffe0000000000 is the cpu_entry_area and 0xffffffff81c00000
is the entry/exit text:
0xfffffe0000000000-0xfffffe0000002000 8K ro GLB NX pte
0xfffffe0000002000-0xfffffe0000003000 4K RW GLB NX pte
0xfffffe0000003000-0xfffffe0000006000 12K ro GLB NX pte
0xfffffe0000006000-0xfffffe0000007000 4K ro GLB x pte
0xfffffe0000007000-0xfffffe000000d000 24K RW GLB NX pte
0xfffffe000002d000-0xfffffe000002e000 4K ro GLB NX pte
0xfffffe000002e000-0xfffffe000002f000 4K RW GLB NX pte
0xfffffe000002f000-0xfffffe0000032000 12K ro GLB NX pte
0xfffffe0000032000-0xfffffe0000033000 4K ro GLB x pte
0xfffffe0000033000-0xfffffe0000039000 24K RW GLB NX pte
0xffffffff81c00000-0xffffffff81e00000 2M ro PSE GLB x pmd
[1.] https://github.com/antonblanchard/will-it-scale/blob/master/tests/lseek1.c
Signed-off-by: Dave Hansen <dave.hansen@linux.intel.com>
Cc: Andrea Arcangeli <aarcange@redhat.com>
Cc: Andy Lutomirski <luto@kernel.org>
Cc: Arjan van de Ven <arjan@linux.intel.com>
Cc: Borislav Petkov <bp@alien8.de>
Cc: Dan Williams <dan.j.williams@intel.com>
Cc: David Woodhouse <dwmw2@infradead.org>
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Cc: Hugh Dickins <hughd@google.com>
Cc: Josh Poimboeuf <jpoimboe@redhat.com>
Cc: Juergen Gross <jgross@suse.com>
Cc: Kees Cook <keescook@google.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Nadav Amit <namit@vmware.com>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: linux-mm@kvack.org
Link: http://lkml.kernel.org/r/20180406205517.C80FBE05@viggo.jf.intel.com
Signed-off-by: Ingo Molnar <mingo@kernel.org>
2018-04-07 04:55:17 +08:00
|
|
|
|
|
|
|
/* Undo all global bits from the init pagetables in head_64.S: */
|
|
|
|
pti_set_kernel_image_nonglobal();
|
|
|
|
/* Replace some of the global bits just for shared entry text: */
|
2017-12-04 22:07:47 +08:00
|
|
|
pti_clone_entry_text();
|
2017-12-16 05:08:18 +08:00
|
|
|
pti_setup_espfix64();
|
2017-12-12 23:56:42 +08:00
|
|
|
pti_setup_vsyscall();
|
2017-12-04 22:07:36 +08:00
|
|
|
}
|
2018-07-18 17:41:06 +08:00
|
|
|
|
|
|
|
/*
|
2018-07-18 17:41:07 +08:00
|
|
|
* Finalize the kernel mappings in the userspace page-table. Some of the
|
|
|
|
* mappings for the kernel image might have changed since pti_init()
|
|
|
|
* cloned them. This is because parts of the kernel image have been
|
|
|
|
* mapped RO and/or NX. These changes need to be cloned again to the
|
|
|
|
* userspace page-table.
|
2018-07-18 17:41:06 +08:00
|
|
|
*/
|
|
|
|
void pti_finalize(void)
|
|
|
|
{
|
2019-08-28 22:24:47 +08:00
|
|
|
if (!boot_cpu_has(X86_FEATURE_PTI))
|
|
|
|
return;
|
2018-07-18 17:41:06 +08:00
|
|
|
/*
|
2018-07-18 17:41:07 +08:00
|
|
|
* We need to clone everything (again) that maps parts of the
|
|
|
|
* kernel image.
|
2018-07-18 17:41:06 +08:00
|
|
|
*/
|
2018-07-18 17:41:07 +08:00
|
|
|
pti_clone_entry_text();
|
2018-07-18 17:41:06 +08:00
|
|
|
pti_clone_kernel_text();
|
2018-08-08 19:16:40 +08:00
|
|
|
|
|
|
|
debug_checkwx_user();
|
2018-07-18 17:41:06 +08:00
|
|
|
}
|