Xen project Mailing List

Re: [PATCH] x86/boot: Restrict directmap permissions for .text/.rodata

To: Andrew Cooper <amc96@xxxxxxxx>, Andrew Cooper <andrew.cooper3@xxxxxxxxxx>

Date: Mon, 6 Dec 2021 16:21:04 +0100

Arc-authentication-results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=suse.com; dmarc=pass action=none header.from=suse.com; dkim=pass header.d=suse.com; arc=none

Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=A8yGCbuRfPLdHuumi0i8w7IofLM0p4XnO4lBTRfXeZQ=; b=b2o5dMwfX5UoDwFU6pHVYmmTu5PDNP3gz+X5VM6eB+DMvcCha4G4W4DhkhWojei12sBz6oZWC6IuPvLNstgICFmoukoBrjfeoDYq30LmcUqBsaCUTIhT+OS7nijwDEP6RgL65FgwYfLmSm1eBc/+DSdmqzcvsch8l3imTQGZ5ROgoPzUwXp8CV5VEPhklbIdUIWdcONgGmxc6Gl04SFdffVrJeBLm4cmek2VENFCcRFLWGwN3IoKgQZ7uN3u7xEGTnI9+u832/2/meA2KB49oh9sHui9HcX6loSu91z0Rg3EObpnSkoTX3xIjHXgrJNoOjxnLckuB0xOAC1Z0vWHrA==

Arc-seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=hmtz5PN13TySJ9KDyuzzveVriKxOuf9ZXw39FzhnlmnFgppoQF4vwKXUUtiuJasRIcWl6w9ghUlyTbslzwcVx/WIAJD3EfuzeTdQ4qG7Mi2XmzFo1nD/3unF7TT3Vg1CJUBkkLxSal+jn2TEMwnPk4uGExJMbM0JBkosZ7fIF3MAMFKJqIdjA2O9z28quMDkusAEIFPF22DsC1Vnn9umnTgqscQWQ3XWHIbTs8B2pA1PWV9Sp2uyR/aTP3pYcyLk9cPDI6uvBpRICmRVUYXPZ7WIQSfezxUQOclomvMCfNgF/a05XlgjzWZP5fzPiXVZ1eHLoArnK1wjbmAgP5rnJA==

Authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=suse.com;

Cc: Roger Pau Monné <roger.pau@xxxxxxxxxx>, Wei Liu <wl@xxxxxxx>, Xen-devel <xen-devel@xxxxxxxxxxxxxxxxxxxx>

Delivery-date: Mon, 06 Dec 2021 15:21:26 +0000

List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

On 06.12.2021 16:11, Andrew Cooper wrote: > On 06/12/2021 13:58, Jan Beulich wrote: >> On 06.12.2021 14:08, Andrew Cooper wrote: >>> While we've been diligent to ensure that the main text/data/rodata mappings >>> have suitable restrictions, their aliases via the directmap were left fully >>> RW. Worse, we even had pieces of code making use of this as a feature. >>> >>> Restrict the permissions, as we have no legitimate need for writeability of >>> these areas via the directmap alias. >> Where do we end up reading .text and/or .rodata through the directmap? Can't >> we zap the mappings altogether? > > I felt it was safer to keep readability via the directmap. > > I'm not aware of any logic we have which reads the directmap in order, > but it ought to be possible. Could you add a sentence to this effect to this description, please? >> As to superpage shattering - I understand this is not deemed to be an issue >> in the common case since, with Xen moved as high up below 4G as possible, >> it wouldn't normally live inside a 1G mapping anyway? This may want calling >> out here. Plus, in non-EFI, non-XEN_ALIGN_2M builds isn't this going to >> shatter a 2M page at the tail of .rodata? > > cpu0_stack has already shattered down to 4k, which is likely in the same > superpage as rodata in a non-2M build. > > But at the end of the day, it is a security/performance tradeoff. > > memcpy(__va(__pa(divide_error)), "\x0f\x0b", 2); > asm ("div %ecx" :: "c" (0)); > > is an especially low barrier for an attacker who has a partial write gadget. > > The security benefits are substantial, and the perf downsides are a > handful of extra pagetables, and a handful of pagewalks taking extra > steps, in non-fast paths (i.e. distinctly marginal). How do you easily know what paths there are accessing data on the same (potential) superpage? However, thinking about it, with the directmap mapping presumably not getting used at all, how the mapping is arranged doesn't really matter (except for the extra memory needed, but as you say that's probably marginal). Jan

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.