On 15/02/2019 10:57, Peter Zijlstra wrote:
Where are the comments and Changelog notes ? How is an arch maintainer
to be aware of this requirement when adding support for his/her arch?
Yes, it will be fixed in the next revision. I've added comment to the
core wr_assign function and also to
On 14/02/2019 13:28, Peter Zijlstra wrote:
On Thu, Feb 14, 2019 at 12:41:32AM +0200, Igor Stoppa wrote:
[...]
+#define wr_rcu_assign_pointer(p, v) ({ \
+ smp_mb(); \
+ wr_assign(p, v);\
+ p; \
+})
This
Set ARCH_HAS_PRMEM to Y for x86_64
Signed-off-by: Igor Stoppa
CC: Andy Lutomirski
CC: Nadav Amit
CC: Matthew Wilcox
CC: Peter Zijlstra
CC: Kees Cook
CC: Dave Hansen
CC: Mimi Zohar
CC: Thiago Jung Bauermann
CC: Ahmed Soliman
CC: linux-integr...@vger.kernel.org
CC: kernel-harden
The write protection of the __wr_after_init data can be verified with the
same methodology used for const data.
Signed-off-by: Igor Stoppa
CC: Andy Lutomirski
CC: Nadav Amit
CC: Matthew Wilcox
CC: Peter Zijlstra
CC: Kees Cook
CC: Dave Hansen
CC: Mimi Zohar
CC: Thiago Jung Bauermann
CC
Set of test cases meant to confirm that the write rare functionality
works as expected.
It can be optionally compiled as module.
Signed-off-by: Igor Stoppa
CC: Andy Lutomirski
CC: Nadav Amit
CC: Matthew Wilcox
CC: Peter Zijlstra
CC: Kees Cook
CC: Dave Hansen
CC: Mimi Zohar
CC: Thiago
Refactor the test cases, in preparation for using them also for testing
__wr_after_init memory, when available.
Signed-off-by: Igor Stoppa
CC: Andy Lutomirski
CC: Nadav Amit
CC: Matthew Wilcox
CC: Peter Zijlstra
CC: Kees Cook
CC: Dave Hansen
CC: Mimi Zohar
CC: Thiago Jung Bauermann
CC
.
__wr_after_init can still provide some protection, at least against
simple memory overwrite attacks
Signed-off-by: Igor Stoppa
CC: Andy Lutomirski
CC: Nadav Amit
CC: Matthew Wilcox
CC: Peter Zijlstra
CC: Kees Cook
CC: Dave Hansen
CC: Mimi Zohar
CC: Thiago Jung Bauermann
CC: Ahmed Soliman
Verify that trying to modify a variable with the __wr_after_init
attribute will cause a crash.
Signed-off-by: Igor Stoppa
CC: Andy Lutomirski
CC: Nadav Amit
CC: Matthew Wilcox
CC: Peter Zijlstra
CC: Kees Cook
CC: Dave Hansen
CC: Mimi Zohar
CC: Thiago Jung Bauermann
CC: Ahmed Soliman
CC
Set ARCH_HAS_PRMEM to Y for arm64
Signed-off-by: Igor Stoppa
CC: Andy Lutomirski
CC: Nadav Amit
CC: Matthew Wilcox
CC: Peter Zijlstra
CC: Kees Cook
CC: Dave Hansen
CC: Mimi Zohar
CC: Thiago Jung Bauermann
CC: Ahmed Soliman
CC: linux-integr...@vger.kernel.org
CC: kernel-harden
Update the self-protection documentation, to mention also the use of the
__wr_after_init attribute.
Signed-off-by: Igor Stoppa
CC: Andy Lutomirski
CC: Nadav Amit
CC: Matthew Wilcox
CC: Peter Zijlstra
CC: Kees Cook
CC: Dave Hansen
CC: Mimi Zohar
CC: Thiago Jung Bauermann
CC: Ahmed
address for the alternate map across the entire
available address range from user space (128TB - 64TB)
* convert BUG() to WARN()
* turn verification of written data into debugging option
* wr_rcu_assign_pointer() as special case of wr_assign()
* example with protection of ima_policy_flags
* doc
since the granularity
available for write protection is of one memory page.
The functionality is automatically activated by any architecture that sets
CONFIG_ARCH_HAS_PRMEM
Signed-off-by: Igor Stoppa
CC: Andy Lutomirski
CC: Nadav Amit
CC: Matthew Wilcox
CC: Peter Zijlstra
CC: Kees Cook
CC: D
.
This is accomplished by providing arch-specific version of the function
__init_wr_base()
Signed-off-by: Igor Stoppa
CC: Andy Lutomirski
CC: Nadav Amit
CC: Matthew Wilcox
CC: Peter Zijlstra
CC: Kees Cook
CC: Dave Hansen
CC: Mimi Zohar
CC: Thiago Jung Bauermann
CC: Ahmed Soliman
CC: linux
write-rare path.
Signed-off-by: Igor Stoppa
CC: Andy Lutomirski
CC: Nadav Amit
CC: Matthew Wilcox
CC: Peter Zijlstra
CC: Kees Cook
CC: Dave Hansen
CC: Mimi Zohar
CC: Thiago Jung Bauermann
CC: Ahmed Soliman
CC: linux-integr...@vger.kernel.org
CC: kernel-harden...@lists.openwal
On 12/02/2019 04:39, Matthew Wilcox wrote:
On Tue, Feb 12, 2019 at 01:27:38AM +0200, Igor Stoppa wrote:
+#ifndef CONFIG_PRMEM
[...]
+#else
+
+#include
It's a mistake to do conditional includes like this. That way you see
include loops with some configs and not others. Our header
On 12/02/2019 03:26, Kees Cook wrote:
On Mon, Feb 11, 2019 at 5:08 PM igor.sto...@gmail.com
wrote:
On Tue, 12 Feb 2019, 4.47 Kees Cook
On Mon, Feb 11, 2019 at 4:37 PM Igor Stoppa wrote:
On 12/02/2019 02:09, Kees Cook wrote:
On Mon, Feb 11, 2019 at 3:28 PM Igor Stoppa wrote:
It
On 12/02/2019 02:09, Kees Cook wrote:
On Mon, Feb 11, 2019 at 3:28 PM Igor Stoppa wrote:
[...]
Patch-set implementing write-rare memory protection for statically
allocated data.
It seems like this could be expanded in the future to cover dynamic
memory too (i.e. just a separate base
.
This is accomplished by providing arch-specific version of the function
__init_wr_base()
Signed-off-by: Igor Stoppa
CC: Andy Lutomirski
CC: Nadav Amit
CC: Matthew Wilcox
CC: Peter Zijlstra
CC: Kees Cook
CC: Dave Hansen
CC: Mimi Zohar
CC: Thiago Jung Bauermann
CC: Ahmed Soliman
CC: linux
Verify that trying to modify a variable with the __wr_after_init
attribute will cause a crash.
Signed-off-by: Igor Stoppa
CC: Andy Lutomirski
CC: Nadav Amit
CC: Matthew Wilcox
CC: Peter Zijlstra
CC: Kees Cook
CC: Dave Hansen
CC: Mimi Zohar
CC: Thiago Jung Bauermann
CC: Ahmed Soliman
CC
Set of test cases meant to confirm that the write rare functionality
works as expected.
It can be optionally compiled as module.
Signed-off-by: Igor Stoppa
CC: Andy Lutomirski
CC: Nadav Amit
CC: Matthew Wilcox
CC: Peter Zijlstra
CC: Kees Cook
CC: Dave Hansen
CC: Mimi Zohar
CC: Thiago
.
__wr_after_init can still provide some protection, at least against
simple memory overwrite attacks
Signed-off-by: Igor Stoppa
CC: Andy Lutomirski
CC: Nadav Amit
CC: Matthew Wilcox
CC: Peter Zijlstra
CC: Kees Cook
CC: Dave Hansen
CC: Mimi Zohar
CC: Thiago Jung Bauermann
CC: Ahmed Soliman
code to privide a
memset_user() function, which is currently missing.
clear_user() is the base for memset_user()
Signed-off-by: Igor Stoppa
CC: Andy Lutomirski
CC: Nadav Amit
CC: Matthew Wilcox
CC: Peter Zijlstra
CC: Kees Cook
CC: Dave Hansen
CC: Mimi Zohar
CC: Thiago Jung Bauermann
CC
code to privide a
memset_user() function, which is currently missing.
clear_user() is the base for memset_user()
Signed-off-by: Igor Stoppa
CC: Andy Lutomirski
CC: Nadav Amit
CC: Matthew Wilcox
CC: Peter Zijlstra
CC: Kees Cook
CC: Dave Hansen
CC: Mimi Zohar
CC: Thiago Jung Bauermann
CC
Set ARCH_HAS_PRMEM to Y for arm64
Signed-off-by: Igor Stoppa
CC: Andy Lutomirski
CC: Nadav Amit
CC: Matthew Wilcox
CC: Peter Zijlstra
CC: Kees Cook
CC: Dave Hansen
CC: Mimi Zohar
CC: Thiago Jung Bauermann
CC: Ahmed Soliman
CC: linux-integr...@vger.kernel.org
CC: kernel-harden
write-rare path.
Signed-off-by: Igor Stoppa
CC: Andy Lutomirski
CC: Nadav Amit
CC: Matthew Wilcox
CC: Peter Zijlstra
CC: Kees Cook
CC: Dave Hansen
CC: Mimi Zohar
CC: Thiago Jung Bauermann
CC: Ahmed Soliman
CC: linux-integr...@vger.kernel.org
CC: kernel-harden...@lists.openwal
Set ARCH_HAS_PRMEM to Y for x86_64
Signed-off-by: Igor Stoppa
CC: Andy Lutomirski
CC: Nadav Amit
CC: Matthew Wilcox
CC: Peter Zijlstra
CC: Kees Cook
CC: Dave Hansen
CC: Mimi Zohar
CC: Thiago Jung Bauermann
CC: Ahmed Soliman
CC: linux-integr...@vger.kernel.org
CC: kernel-harden
Update the self-protection documentation, to mention also the use of the
__wr_after_init attribute.
Signed-off-by: Igor Stoppa
CC: Andy Lutomirski
CC: Nadav Amit
CC: Matthew Wilcox
CC: Peter Zijlstra
CC: Kees Cook
CC: Dave Hansen
CC: Mimi Zohar
CC: Thiago Jung Bauermann
CC: Ahmed
Refactor the test cases, in preparation for using them also for testing
__wr_after_init memory, when available.
Signed-off-by: Igor Stoppa
CC: Andy Lutomirski
CC: Nadav Amit
CC: Matthew Wilcox
CC: Peter Zijlstra
CC: Kees Cook
CC: Dave Hansen
CC: Mimi Zohar
CC: Thiago Jung Bauermann
CC
The write protection of the __wr_after_init data can be verified with the
same methodology used for const data.
Signed-off-by: Igor Stoppa
CC: Andy Lutomirski
CC: Nadav Amit
CC: Matthew Wilcox
CC: Peter Zijlstra
CC: Kees Cook
CC: Dave Hansen
CC: Mimi Zohar
CC: Thiago Jung Bauermann
CC
ilable address range from user space (128TB - 64TB)
* convert BUG() to WARN()
* turn verification of written data into debugging option
* wr_rcu_assign_pointer() as special case of wr_assign()
* example with protection of ima_policy_flags
* documentation
Igor Stoppa (12):
__wr_after_init: Core
On 21/12/2018 21:45, Matthew Wilcox wrote:
On Fri, Dec 21, 2018 at 11:38:16AM -0800, Nadav Amit wrote:
On Dec 19, 2018, at 1:33 PM, Igor Stoppa wrote:
+static inline void *wr_memset(void *p, int c, __kernel_size_t len)
+{
+ return __wr_op((unsigned long)p, (unsigned long)c, len
On 21/12/2018 21:43, Matthew Wilcox wrote:
On Fri, Dec 21, 2018 at 09:07:54PM +0200, Igor Stoppa wrote:
On 21/12/2018 20:41, Matthew Wilcox wrote:
On Fri, Dec 21, 2018 at 08:14:14PM +0200, Igor Stoppa wrote:
+static inline int memtst(void *p, int c, __kernel_size_t len)
I don
On 21/12/2018 20:41, Matthew Wilcox wrote:
On Fri, Dec 21, 2018 at 08:14:14PM +0200, Igor Stoppa wrote:
+static inline int memtst(void *p, int c, __kernel_size_t len)
I don't understand why you're verifying that writes actually happen
in production code. Sure, write lib/test_
On 21/12/2018 20:25, Matthew Wilcox wrote:
On Fri, Dec 21, 2018 at 08:14:12PM +0200, Igor Stoppa wrote:
+unsigned long __memset_user(void __user *addr, int c, unsigned long size)
+{
+ long __d0;
+ unsigned long pattern = 0;
+ int i;
+
+ for (i = 0; i < 8
After each write operation, confirm that it was successful, otherwise
generate a warning.
Signed-off-by: Igor Stoppa
CC: Andy Lutomirski
CC: Nadav Amit
CC: Matthew Wilcox
CC: Peter Zijlstra
CC: Kees Cook
CC: Dave Hansen
CC: Mimi Zohar
CC: Thiago Jung Bauermann
CC: Ahmed Soliman
CC
.
__wr_after_init can still provide some protection, at least against
simple memory overwrite attacks
Signed-off-by: Igor Stoppa
CC: Andy Lutomirski
CC: Nadav Amit
CC: Matthew Wilcox
CC: Peter Zijlstra
CC: Kees Cook
CC: Dave Hansen
CC: Mimi Zohar
CC: Thiago Jung Bauermann
CC: Ahmed Soliman
Set of test cases meant to confirm that the write rare functionality
works as expected.
It can be optionally compiled as module.
Signed-off-by: Igor Stoppa
CC: Andy Lutomirski
CC: Nadav Amit
CC: Matthew Wilcox
CC: Peter Zijlstra
CC: Kees Cook
CC: Dave Hansen
CC: Mimi Zohar
CC: Thiago
Verify that trying to modify a variable with the __wr_after_init
attribute will cause a crash.
Signed-off-by: Igor Stoppa
CC: Andy Lutomirski
CC: Nadav Amit
CC: Matthew Wilcox
CC: Peter Zijlstra
CC: Kees Cook
CC: Dave Hansen
CC: Mimi Zohar
CC: Thiago Jung Bauermann
CC: Ahmed Soliman
CC
Update the self-protection documentation, to mention also the use of the
__wr_after_init attribute.
Signed-off-by: Igor Stoppa
CC: Andy Lutomirski
CC: Nadav Amit
CC: Matthew Wilcox
CC: Peter Zijlstra
CC: Kees Cook
CC: Dave Hansen
CC: Mimi Zohar
CC: Thiago Jung Bauermann
CC: Ahmed
o activate both section and label, the arch must set CONFIG_ARCH_HAS_PRMEM
Signed-off-by: Igor Stoppa
CC: Andy Lutomirski
CC: Nadav Amit
CC: Matthew Wilcox
CC: Peter Zijlstra
CC: Kees Cook
CC: Dave Hansen
CC: Mimi Zohar
CC: Thiago Jung Bauermann
CC: Ahmed Soliman
CC: linux-integr...@vger.
To avoid code duplication, re-use __memset_user(), when clearing
user-space memory.
The overhead should be minimal (2 extra register assignments) and
outside of the writing loop.
Signed-off-by: Igor Stoppa
CC: Andy Lutomirski
CC: Nadav Amit
CC: Matthew Wilcox
CC: Peter Zijlstra
CC: Kees
The write protection of the __wr_after_init data can be verified with the
same methodology used for const data.
Signed-off-by: Igor Stoppa
CC: Andy Lutomirski
CC: Nadav Amit
CC: Matthew Wilcox
CC: Peter Zijlstra
CC: Kees Cook
CC: Dave Hansen
CC: Mimi Zohar
CC: Thiago Jung Bauermann
CC
Refactor the test cases, in preparation for using them also for testing
__wr_after_init memory, when available.
Signed-off-by: Igor Stoppa
CC: Andy Lutomirski
CC: Nadav Amit
CC: Matthew Wilcox
CC: Peter Zijlstra
CC: Kees Cook
CC: Dave Hansen
CC: Mimi Zohar
CC: Thiago Jung Bauermann
CC
rt of memset()
- wr_memcpy(): write rare counterpart of memcpy()
- wr_assign(): write rare counterpart of the assignment ('=') operator
- wr_rcu_assign_pointer(): write rare counterpart of rcu_assign_pointer()
Signed-off-by: Igor Stoppa
CC: Andy Lutomirski
CC: Nadav Amit
CC: Matthew Wi
, in a preemptible
system, however the amount of data to be altered is likely to be far
smaller than a page.
Signed-off-by: Igor Stoppa
CC: Andy Lutomirski
CC: Nadav Amit
CC: Matthew Wilcox
CC: Peter Zijlstra
CC: Kees Cook
CC: Dave Hansen
CC: Mimi Zohar
CC: Thiago Jung Bauermann
CC: Ahmed
Create x86_64 specific version of memset for user space, based on
clear_user().
This will be used for implementing wr_memset() in the __wr_after_init
scenario, where write-rare variables have an alternate mapping for
writing.
Signed-off-by: Igor Stoppa
CC: Andy Lutomirski
CC: Nadav Amit
CC
On 21/12/2018 19:23, Andy Lutomirski wrote:
On Thu, Dec 20, 2018 at 11:19 AM Igor Stoppa wrote:
On 20/12/2018 20:49, Matthew Wilcox wrote:
I think you're causing yourself more headaches by implementing this "op"
function.
I probably misinterpreted the initial critic
On 20/12/2018 20:49, Matthew Wilcox wrote:
I think you're causing yourself more headaches by implementing this "op"
function.
I probably misinterpreted the initial criticism on my first patchset,
about duplication. Somehow, I'm still thinking to the endgame of having
higher-level functi
Hi,
On 20/12/2018 19:30, Thiago Jung Bauermann wrote:
Hello Igor,
Igor Stoppa writes:
diff --git a/security/integrity/ima/ima_init.c
b/security/integrity/ima/ima_init.c
index 59d834219cd6..5f4e13e671bf 100644
--- a/security/integrity/ima/ima_init.c
+++ b/security/integrity/ima/ima_init.c
Hi,
On 20/12/2018 19:20, Thiago Jung Bauermann wrote:
Hello Igor,
+/*
+ * The following two variables are statically allocated by the linker
+ * script at the the boundaries of the memory region (rounded up to
+ * multiples of PAGE_SIZE) reserved for __wr_after_init.
+ */
+extern long __start
On 19/12/2018 23:33, Igor Stoppa wrote:
+ if (WARN_ONCE(op >= WR_OPS_NUMBER, "Invalid WR operation.") ||
+ WARN_ONCE(!is_wr_after_init(dst, len), "Invalid WR range."))
+ return (void *)dst;
+
+ offset = dst - (unsigned long)&__star
patch.pl sources, to figure out the actual
test.
Signed-off-by: Igor Stoppa
CC: Andy Whitcroft
CC: Joe Perches
CC: Andi Kleen
CC: linux-kernel@vger.kernel.org
---
scripts/checkpatch.pl | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/scripts/checkpatch.pl b/scripts/checkpatch.p
On 12/12/2018 11:49, Martin Schwidefsky wrote:
On Wed, 5 Dec 2018 15:13:56 -0800
Andy Lutomirski wrote:
Hi s390 and powerpc people: it would be nice if this generic
implementation *worked* on your architectures and that it will allow
you to add some straightforward way to add a better arch
Refactor the test cases, in preparation for using them also for testing
__wr_after_init memory, when available.
Signed-off-by: Igor Stoppa
CC: Andy Lutomirski
CC: Nadav Amit
CC: Matthew Wilcox
CC: Peter Zijlstra
CC: Kees Cook
CC: Dave Hansen
CC: Mimi Zohar
CC: linux-integr
Verify that trying to modify a variable with the __wr_after_init
attribute will cause a crash.
Signed-off-by: Igor Stoppa
CC: Andy Lutomirski
CC: Nadav Amit
CC: Matthew Wilcox
CC: Peter Zijlstra
CC: Kees Cook
CC: Dave Hansen
CC: Mimi Zohar
CC: linux-integr...@vger.kernel.org
CC: kernel
, in a preemptible
system, however the amount of data to be altered is likely to be far
smaller than a page.
Signed-off-by: Igor Stoppa
CC: Andy Lutomirski
CC: Nadav Amit
CC: Matthew Wilcox
CC: Peter Zijlstra
CC: Kees Cook
CC: Dave Hansen
CC: Mimi Zohar
CC: linux-integr...@vger.kernel.org
rare counterpart of memcpy()
- wr_assign(): write rare counterpart of the assignment ('=') operator
- wr_rcu_assign_pointer(): write rare counterpart of rcu_assign_pointer()
Signed-off-by: Igor Stoppa
CC: Andy Lutomirski
CC: Nadav Amit
CC: Matthew Wilcox
CC: Peter Zijlstra
CC: Kees
After each write operation, confirm that it was successful, otherwise
generate a warning.
Signed-off-by: Igor Stoppa
CC: Andy Lutomirski
CC: Nadav Amit
CC: Matthew Wilcox
CC: Peter Zijlstra
CC: Kees Cook
CC: Dave Hansen
CC: Mimi Zohar
CC: linux-integr...@vger.kernel.org
CC: kernel-harden
Set of test cases meant to confirm that the write rare functionality
works as expected.
It can be optionally compiled as module.
Signed-off-by: Igor Stoppa
CC: Andy Lutomirski
CC: Nadav Amit
CC: Matthew Wilcox
CC: Peter Zijlstra
CC: Kees Cook
CC: Dave Hansen
CC: Mimi Zohar
CC: linux
.
__wr_after_init can still provide some protection, at least against
simple memory overwrite attacks
Signed-off-by: Igor Stoppa
CC: Andy Lutomirski
CC: Nadav Amit
CC: Matthew Wilcox
CC: Peter Zijlstra
CC: Kees Cook
CC: Dave Hansen
CC: Mimi Zohar
CC: linux-integr...@vger.kernel.org
CC: kernel
The write protection of the __wr_after_init data can be verified with the
same methodology used for const data.
Signed-off-by: Igor Stoppa
CC: Andy Lutomirski
CC: Nadav Amit
CC: Matthew Wilcox
CC: Peter Zijlstra
CC: Kees Cook
CC: Dave Hansen
CC: Mimi Zohar
CC: linux-integr
Update the self-protection documentation, to mention also the use of the
__wr_after_init attribute.
Signed-off-by: Igor Stoppa
CC: Andy Lutomirski
CC: Nadav Amit
CC: Matthew Wilcox
CC: Peter Zijlstra
CC: Kees Cook
CC: Dave Hansen
CC: Mimi Zohar
CC: linux-integr...@vger.kernel.org
CC
To avoid code duplication, re-use __memset_user(), when clearing
user-space memory.
The overhead should be minimal (2 extra register assignments) and
outside of the writing loop.
Signed-off-by: Igor Stoppa
CC: Andy Lutomirski
CC: Nadav Amit
CC: Matthew Wilcox
CC: Peter Zijlstra
CC: Kees
ck.org
CC: linux-kernel@vger.kernel.org
Igor Stoppa (12):
[PATCH 01/12] x86_64: memset_user()
[PATCH 02/12] __wr_after_init: linker section and label
[PATCH 03/12] __wr_after_init: generic header
[PATCH 04/12] __wr_after_init: x86_64: __wr_op
[PATCH 05/12] __wr_af
Create x86_64 specific version of memset for user space, based on
clear_user().
This will be used for implementing wr_memset() in the __wr_after_init
scenario, where write-rare variables have an alternate mapping for
writing.
Signed-off-by: Igor Stoppa
CC: Andy Lutomirski
CC: Nadav Amit
CC
o activate both section and label, the arch must set CONFIG_ARCH_HAS_PRMEM
Signed-off-by: Igor Stoppa
CC: Andy Lutomirski
CC: Nadav Amit
CC: Matthew Wilcox
CC: Peter Zijlstra
CC: Kees Cook
CC: Dave Hansen
CC: Mimi Zohar
CC: linux-integr...@vger.kernel.org
CC: kernel-harden...@lists.openw
patch.pl sources, to figure out the actual
test.
Signed-off-by: Igor Stoppa
CC: Andy Whitcroft
CC: Joe Perches
CC: linux-kernel@vger.kernel.org
---
scripts/checkpatch.pl | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/scripts/checkpatch.pl b/scripts/checkpatch.pl
index c883ec
On 19/12/2018 14:29, Joe Perches wrote:
On Wed, 2018-12-19 at 11:59 +, Andy Whitcroft wrote:
On Wed, Dec 19, 2018 at 02:44:36AM -0800, Joe Perches wrote:
To cover both cases perhaps:
"please ensure that this config symbols is described fully (less than
$min_conf_desc_
patch.pl sources, to figure out the actual
test.
Signed-off-by: Igor Stoppa
CC: Andy Whitcroft
CC: Joe Perches
CC: linux-kernel@vger.kernel.org
---
scripts/checkpatch.pl | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/scripts/checkpatch.pl b/scripts/checkpatch.pl
index c883ec
On 06/12/2018 11:44, Peter Zijlstra wrote:
On Wed, Dec 05, 2018 at 03:13:56PM -0800, Andy Lutomirski wrote:
+ if (op == WR_MEMCPY)
+ memcpy((void *)wr_poking_addr, (void *)src, len);
+ else if (op == WR_MEMSET)
+ memset((u8 *)wr_poking_addr, (u8)src, l
On 06/12/2018 06:44, Matthew Wilcox wrote:
On Tue, Dec 04, 2018 at 02:18:01PM +0200, Igor Stoppa wrote:
+void *__wr_op(unsigned long dst, unsigned long src, __kernel_size_t len,
+ enum wr_op_type op)
+{
+ temporary_mm_state_t prev;
+ unsigned long flags
On 06/12/2018 01:13, Andy Lutomirski wrote:
+ kasan_disable_current();
+ if (op == WR_MEMCPY)
+ memcpy((void *)wr_poking_addr, (void *)src, len);
+ else if (op == WR_MEMSET)
+ memset((u8 *)wr_poking_addr, (u8)src, len);
+ else if (op == WR_RCU_
Verify that trying to modify a variable with the __wr_after_init
modifier wil lcause a crash.
Signed-off-by: Igor Stoppa
CC: Andy Lutomirski
CC: Nadav Amit
CC: Matthew Wilcox
CC: Peter Zijlstra
CC: Kees Cook
CC: Dave Hansen
CC: linux-integr...@vger.kernel.org
CC: kernel-harden
elay, in a preemptible
system, however the amount of data to be altered is likely to be far
smaller than a page.
Signed-off-by: Igor Stoppa
CC: Andy Lutomirski
CC: Nadav Amit
CC: Matthew Wilcox
CC: Peter Zijlstra
CC: Kees Cook
CC: Dave Hansen
CC: linux-integr...@vger.kernel.org
CC: ker
The write protection of the __wr_after_init data can be verified with the
same methodology used for const data.
Signed-off-by: Igor Stoppa
CC: Andy Lutomirski
CC: Nadav Amit
CC: Matthew Wilcox
CC: Peter Zijlstra
CC: Kees Cook
CC: Dave Hansen
CC: linux-integr...@vger.kernel.org
CC: kernel
Set of test cases meant to confirm that the write rare functionality
works as expected.
Signed-off-by: Igor Stoppa
CC: Andy Lutomirski
CC: Nadav Amit
CC: Matthew Wilcox
CC: Peter Zijlstra
CC: Kees Cook
CC: Dave Hansen
CC: linux-integr...@vger.kernel.org
CC: kernel-harden
[1] https://www.openwall.com/lists/kernel-hardening/2018/11/22/8
[2] https://www.mail-archive.com/linux-kernel@vger.kernel.org/msg1793199.html
[3] https://www.mail-archive.com/linux-kernel@vger.kernel.org/msg1810245.html
Signed-off-by: Igor Stoppa
CC: Andy Lutomirski
CC: Nadav Amit
CC: Matthew Wilcox
CC: Pete
Signed-off-by: Igor Stoppa
CC: Andy Lutomirski
CC: Nadav Amit
CC: Matthew Wilcox
CC: Peter Zijlstra
CC: Kees Cook
CC: Dave Hansen
CC: linux-integr...@vger.kernel.org
CC: kernel-harden...@lists.openwall.com
CC: linux...@kvack.org
CC: linux-kernel@vger.kernel.org
---
include/asm-generic/vml
Refactor the test cases, in preparation for using them also for testing
__wr_after_init memory.
Signed-off-by: Igor Stoppa
CC: Andy Lutomirski
CC: Nadav Amit
CC: Matthew Wilcox
CC: Peter Zijlstra
CC: Kees Cook
CC: Dave Hansen
CC: linux-integr...@vger.kernel.org
CC: kernel-harden
Hi,
On 13/11/2018 20:36, Andy Lutomirski wrote:
On Tue, Nov 13, 2018 at 10:33 AM Igor Stoppa wrote:
I forgot one sentence :-(
On 13/11/2018 20:31, Igor Stoppa wrote:
On 13/11/2018 19:47, Andy Lutomirski wrote:
For general rare-writish stuff, I don't think we want IRQs running
with
On 13/11/2018 19:16, Andy Lutomirski wrote:
> On Tue, Nov 13, 2018 at 6:25 AM Igor Stoppa wrote:
[...]
>> How about having one mm_struct for each writer (core or thread)?
>>
>
> I don't think that helps anything. I think the mm_struct used for
> prmem (or rare_
On 01/11/2018 01:19, Andy Lutomirski wrote:
ISTM you don't need that atomic operation -- you could take a spinlock
and then just add one directly to the variable.
It was my intention to provide a 1:1 conversion of existing code, as it
should be easier to verify the correctness of the conve
On 30/10/2018 23:02, Andy Lutomirski wrote:
On Oct 30, 2018, at 1:43 PM, Igor Stoppa wrote:
There is no need to process each of these tens of thousands allocations and
initialization as write-rare.
Would it be possible to do the same here?
I don’t see why not, although getting the
Hi,
I'm getting the following build error:
/home/igor/dev/kernel/linux/drivers/cpufreq/intel_pstate.c: In function
‘show_base_frequency’:
/home/igor/dev/kernel/linux/drivers/cpufreq/intel_pstate.c:726:10:
error: implicit declaration of function
‘intel_pstate_get_cppc_guranteed’; did you mean ‘
On 25/10/2018 01:13, Peter Zijlstra wrote:
On Wed, Oct 24, 2018 at 12:35:03AM +0300, Igor Stoppa wrote:
+static __always_inline
+bool __pratomic_long_op(bool inc, struct pratomic_long_t *l)
+{
+ struct page *page;
+ uintptr_t base;
+ uintptr_t offset;
+ unsigned long
On 26/10/2018 10:41, Peter Zijlstra wrote:
On Wed, Oct 24, 2018 at 12:34:49AM +0300, Igor Stoppa wrote:
+static __always_inline
That's far too large for inline.
The reason for it is that it's supposed to minimize the presence of
gadgets that might be used in JOP attacks.
I a
On 28/10/2018 09:52, Steven Rostedt wrote:
If a change log depends on other commits for context, it is
insufficient.
ok, I will adjust the change logs accordingly
--
thanks, igor
On 24/10/2018 14:43, Alexey Dobriyan wrote:
On Wed, Oct 24, 2018 at 12:35:00AM +0300, Igor Stoppa wrote:
Some of the data structures used in list management are composed by two
pointers. Since the kernel is now configured by default to randomize the
layout of data structures soleley composed
On 29/10/2018 11:45, Chris von Recklinghausen wrote:
[...]
Could you add code somewhere (lkdtm driver if possible) to demonstrate
the issue and verify the code change?
Sure.
Eventually, I'd like to add test cases for each functionality.
I didn't do it right away for those parts which are
On 25/10/2018 03:13, Matthew Wilcox wrote:
On Thu, Oct 25, 2018 at 02:01:02AM +0300, Igor Stoppa wrote:
@@ -1747,6 +1750,10 @@ void *__vmalloc_node_range(unsigned long size, unsigned
long align,
if (!addr)
return NULL;
+ va = __find_vmap_area((unsigned long)addr
On 25/10/2018 17:43, Dave Hansen wrote:
+static bool is_address_protected(void *p)
+{
+ struct page *page;
+ struct vmap_area *area;
+
+ if (unlikely(!is_vmalloc_addr(p)))
+ return false;
+ page = vmalloc_to_page(p);
+ if (unlikely(!page))
+
On 25/10/2018 01:28, Dave Hansen wrote:
On 10/23/18 2:34 PM, Igor Stoppa wrote:
Wrappers around the basic write rare functionality, addressing several
common data types found in the kernel, allowing to specify the new
values through immediates, like constants and defines.
I have to wonder
On 25/10/2018 01:26, Dave Hansen wrote:
On 10/23/18 2:34 PM, Igor Stoppa wrote:
+#define VM_PMALLOC 0x0100 /* pmalloc area - see docs */
+#define VM_PMALLOC_WR 0x0200 /* pmalloc write rare area */
+#define VM_PMALLOC_PROTECTED 0x0400
On 25/10/2018 01:24, Dave Hansen wrote:
+static __always_inline bool __is_wr_after_init(const void *ptr, size_t size)
+{
+ size_t start = (size_t)&__start_wr_after_init;
+ size_t end = (size_t)&__end_wr_after_init;
+ size_t low = (size_t)ptr;
+ size_t high = (size_t)ptr +
On 24/10/2018 06:12, Matthew Wilcox wrote:
On Wed, Oct 24, 2018 at 12:34:55AM +0300, Igor Stoppa wrote:
The connection between each page and its vmap_area avoids more expensive
searches through the btree of vmap_areas.
Typo -- it's an rbtree.
ack
+++ b/include/linux/mm_ty
On 24/10/2018 17:56, Tycho Andersen wrote:
On Wed, Oct 24, 2018 at 05:03:01PM +0300, Igor Stoppa wrote:
On 24/10/18 14:37, Mathieu Desnoyers wrote:
Also, is it the right approach to duplicate existing APIs, or should we
rather hook into page fault handlers and let the kernel do those "s
Hi,
On 24/10/18 06:27, Randy Dunlap wrote:
a. It seems backwards (or upside down) to have a test case select a feature
(PRMEM)
instead of depending on that feature.
b. Since PRMEM depends on MMU (in patch 04/17), the "select" here could try to
enabled PRMEM even when MMU is not enabled.
Chan
On 24/10/18 14:37, Mathieu Desnoyers wrote:
I could not find a description of the overall context of this patch
(e.g. a patch 00/17 ?) that would explain the attack vectors this aims
to protect against.
Apologies, I have to admit I was a bit baffled about what to do: the
patchset spans across
y that was obtained from it is
automatically freed. This is the only way to release protected memory.
Signed-off-by: Igor Stoppa
CC: Michal Hocko
CC: Vlastimil Babka
CC: "Kirill A. Shutemov"
CC: Andrew Morton
CC: Pavel Tatashin
CC: linux...@kvack.org
CC: linux-kernel@vger.kernel.or
he current write-rare mechanism works
only on x86_64 and not arm64, due to arm64 mappings.
Signed-off-by: Igor Stoppa
CC: Arnd Bergmann
CC: Thomas Gleixner
CC: Kate Stewart
CC: Greg Kroah-Hartman
CC: Philippe Ombredanne
CC: linux-a...@vger.kernel.org
CC: linux-kernel@vger.kernel.org
---
include/a
1 - 100 of 461 matches
Mail list logo