On 8/27/25 9:09 AM, Kevin Brodsky wrote:
On 26/08/2025 21:18, Yang Shi wrote:
from a contiguous cache of pages could help minimise the overhead, as
proposed for x86 in [1].
I'm a little bit confused about how this can work. The contiguous
cache of pages should be some large page, for example, 2M. But the
page table pages allocated from the cache may have different
permissions if I understand correctly. The default permission is RO,
but some of them may become R/W at sometime, for example, when calling
set_pte_at(). You still need to split the linear mapping, right?
When such a helper is called, *all* PTPs become writeable - there is no
per-PTP permission switching.
OK, so all PTPs in the same contiguous cache will become writeable
even though the helper (i.e. set_pte_at()) is just called on one of
the PTPs. But doesn't it compromise the page table hardening somehow?
The PTPs from the same cache may belong to different processes.
First just a note that this is true regardless of how the PTPs are
allocated (i.e. this is already the case in this version of the series).
Either way, yes you are right, this approach does not introduce any
isolation *between* page tables - pgtable helpers are able to write to
all page tables. In principle it should be possible to use a different
pkey for kernel and user page tables, but that would make the kpkeys
level switching in helpers quite a bit more complicated. Isolating
further is impractical as we have so few pkeys (just 8 on arm64).
That said, what kpkeys really tries to protect against is the direct
corruption of critical data by arbitrary (unprivileged) code. If the
attacker is able to manipulate calls to set_pte() and the likes, kpkeys
cannot provide much protection - even if we restricted the writes to a
specific set of page tables, the attacker would still be able to insert
a translation to any arbitrary physical page.
I see. Thanks for elaborating this.
Yang
- Kevin
