On 26/08/2025 21:18, Yang Shi wrote: >> >>>> from a contiguous cache of pages could help minimise the overhead, as >>>> proposed for x86 in [1]. >>> I'm a little bit confused about how this can work. The contiguous >>> cache of pages should be some large page, for example, 2M. But the >>> page table pages allocated from the cache may have different >>> permissions if I understand correctly. The default permission is RO, >>> but some of them may become R/W at sometime, for example, when calling >>> set_pte_at(). You still need to split the linear mapping, right? >> When such a helper is called, *all* PTPs become writeable - there is no >> per-PTP permission switching. > > OK, so all PTPs in the same contiguous cache will become writeable > even though the helper (i.e. set_pte_at()) is just called on one of > the PTPs. But doesn't it compromise the page table hardening somehow? > The PTPs from the same cache may belong to different processes.
First just a note that this is true regardless of how the PTPs are allocated (i.e. this is already the case in this version of the series). Either way, yes you are right, this approach does not introduce any isolation *between* page tables - pgtable helpers are able to write to all page tables. In principle it should be possible to use a different pkey for kernel and user page tables, but that would make the kpkeys level switching in helpers quite a bit more complicated. Isolating further is impractical as we have so few pkeys (just 8 on arm64). That said, what kpkeys really tries to protect against is the direct corruption of critical data by arbitrary (unprivileged) code. If the attacker is able to manipulate calls to set_pte() and the likes, kpkeys cannot provide much protection - even if we restricted the writes to a specific set of page tables, the attacker would still be able to insert a translation to any arbitrary physical page. - Kevin
