On Mon, Dec 04, 2017 at 03:07:34PM +0100, Thomas Gleixner wrote:
> From: Dave Hansen <dave.han...@linux.intel.com>
>
> Global pages stay in the TLB across context switches. Since all contexts
> share the same kernel mapping, these mappings are marked as global pages
> so kernel entries in the TLB are not flushed out on a context switch.
>
> But, even having these entries in the TLB opens up something that an
> attacker can use, such as the double-page-fault attack:
>
> http://www.ieee-security.org/TC/SP2013/papers/4977a191.pdf
>
> That means that even when KERNEL_PAGE_TABLE_ISOLATION switches page tables
> on return to user space the global pages would stay in the TLB cache.
>
> Disable global pages so that kernel TLB entries can be flushed before
> returning to user space. This way, all accesses to kernel addresses from
> userspace result in a TLB miss independent of the existence of a kernel
> mapping.
>
> Supress global pages via the __supported_pte_mask. The user space

	"Suppress"

Otherwise

Reviewed-by: Borislav Petkov <b...@suse.de>

-- 
Regards/Gruss,
    Boris.

SUSE Linux GmbH, GF: Felix Imendörffer, Jane Smithard, Graham Norton, HRB 21284 (AG Nürnberg)
-- 
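As an added illustration of the reasoning in the quoted commit message (not code from the patch or from the kernel): a toy C model of a __supported_pte_mask-style filter and of what a CR3 reload does to global versus non-global TLB entries. Bit positions follow x86 (G is bit 8); the TLB, the kernel address and the PFN are constructed, and pti_disable_global_pages is a stand-in for what the patch does at init.

```c
#include <stdint.h>
#include <string.h>

#define PAGE_PRESENT (1ULL << 0)
#define PAGE_RW      (1ULL << 1)
#define PAGE_GLOBAL  (1ULL << 8)   /* x86 G bit: entry survives a CR3 reload */
#define PTE_FLAGS    (PAGE_PRESENT | PAGE_RW | PAGE_GLOBAL)

/* Stand-in for __supported_pte_mask: the flag bits allowed into any PTE. */
static uint64_t supported_pte_mask = PTE_FLAGS;

/* What the patch does once at init when page-table isolation is enabled. */
void pti_disable_global_pages(void) { supported_pte_mask &= ~PAGE_GLOBAL; }

/* Build a PTE; the requested flags are filtered through the supported mask. */
uint64_t make_pte(uint64_t pfn, uint64_t flags) { return (pfn << 12) | (flags & supported_pte_mask); }

/* Toy fully-associative TLB: one cached translation per slot. */
#define TLB_SIZE 8
static struct { uint64_t vaddr, pte; int valid; } tlb[TLB_SIZE];

/* A CR3 write (the page-table switch on return to user space) drops every
 * cached translation except those whose PTE carries the G bit. */
void write_cr3(void)
{
    for (int i = 0; i < TLB_SIZE; i++)
        if (!(tlb[i].pte & PAGE_GLOBAL)) tlb[i].valid = 0;
}

int tlb_hit(uint64_t vaddr)
{
    for (int i = 0; i < TLB_SIZE; i++)
        if (tlb[i].valid && tlb[i].vaddr == vaddr) return 1;
    return 0;
}

/* 1 if a kernel mapping requested with G is still cached after the
 * return-to-user CR3 switch: without pti it is, with pti the mask strips G
 * at PTE-construction time, so the entry is flushed like any other. */
int kernel_entry_survives_switch(int pti)
{
    supported_pte_mask = PTE_FLAGS;          /* reset between runs */
    memset(tlb, 0, sizeof tlb);
    if (pti) pti_disable_global_pages();
    uint64_t kaddr = 0xffffffff81000000ULL;  /* constructed kernel address */
    tlb[0].pte = make_pte(0x1000, PAGE_PRESENT | PAGE_RW | PAGE_GLOBAL);
    tlb[0].vaddr = kaddr; tlb[0].valid = 1;  /* kernel touched the page */
    write_cr3();
    return tlb_hit(kaddr);
}
```

With pti set, a user-mode access to kaddr after the switch starts from a TLB miss, which is the property the commit message is after.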