Re: [PATCH 08/30] x86, kaiser: unmap kernel from userspace page tables (core patch)

2017-11-22 Thread Dave Hansen
On 11/20/2017 09:21 AM, Thomas Gleixner wrote: >> +KAISER logically keeps a "copy" of the page tables which unmap >> +the kernel while in userspace. The kernel manages the page >> +tables as normal, but the "copying" is done with a few tricks >> +that mean that we do not have to manage two full

Re: [PATCH 08/30] x86, kaiser: unmap kernel from userspace page tables (core patch)

2017-11-22 Thread Dave Hansen
On 11/20/2017 09:21 AM, Thomas Gleixner wrote: >> +} >> + >> static inline void native_set_p4d(p4d_t *p4dp, p4d_t p4d) >> { >> +#if defined(CONFIG_KAISER) && !defined(CONFIG_X86_5LEVEL) >> +/* >> + * set_pgd() does not get called when we are running >> + * CONFIG_X86_5LEVEL=y. So,

Re: [PATCH 08/30] x86, kaiser: unmap kernel from userspace page tables (core patch)

2017-11-22 Thread Dave Hansen
On 11/20/2017 09:21 AM, Thomas Gleixner wrote: >> +page tables are switched to the full "kernel" copy. When the >> +system switches back to user mode, the user/shadow copy is used. >> + >> +The minimalistic kernel portion of the user page tables try to >> +map only what is needed to enter/exit
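
Review bot: The documentation sentence "The minimalistic kernel portion of the user page tables try to map only what is needed" has a subject-verb mismatch: the subject is "portion", so it should read "tries to map". Worth fixing before this text lands under Documentation/, since it is the description readers will rely on for what stays mapped while in user mode.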

Re: [PATCH 08/30] x86, kaiser: unmap kernel from userspace page tables (core patch)

2017-11-22 Thread Dave Hansen
On 11/20/2017 09:21 AM, Thomas Gleixner wrote: >> +pgd = native_get_shadow_pgd(pgd_offset_k(0UL)); >> +for (i = PTRS_PER_PGD / 2; i < PTRS_PER_PGD; i++) { >> +unsigned long addr = PAGE_OFFSET + i * PGDIR_SIZE; > This looks wrong. The kernel address space gets incremented by
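
Review bot: The address computation in the loop, "unsigned long addr = PAGE_OFFSET + i * PGDIR_SIZE;", double-counts the offset into the kernel half. The index i already starts at PTRS_PER_PGD / 2, and PAGE_OFFSET is itself an upper-half address, so adding i * PGDIR_SIZE on top of it pushes addr past the top of the address space and it wraps. Derive addr from the pgd index alone, or walk the shadow pgd entries by index without reconstructing a virtual address from PAGE_OFFSET, and add a short comment stating which pgd slots the loop is meant to cover.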

Re: [PATCH 08/30] x86, kaiser: unmap kernel from userspace page tables (core patch)

2017-11-20 Thread Thomas Gleixner
On Fri, 10 Nov 2017, Dave Hansen wrote: > diff -puN arch/x86/entry/entry_64.S~kaiser-base arch/x86/entry/entry_64.S > --- a/arch/x86/entry/entry_64.S~kaiser-base 2017-11-10 11:22:09.007244950 > -0800 > +++ b/arch/x86/entry/entry_64.S 2017-11-10 11:22:09.031244950 -0800 > @@ -145,6 +145,16

[PATCH 08/30] x86, kaiser: unmap kernel from userspace page tables (core patch)

2017-11-10 Thread Dave Hansen
From: Dave Hansen These patches are based on work from a team at Graz University of Technology: https://github.com/IAIK/KAISER . This work would not have been possible without their work as a starting point. KAISER is a countermeasure against side channel attacks against kernel virtual

Re: [PATCH 08/30] x86, kaiser: unmap kernel from userspace page tables (core patch)

2017-11-10 Thread Ingo Molnar
* Dave Hansen wrote: > From: Dave Hansen > > These patches are based on work from a team at Graz University of > Technology: https://github.com/IAIK/KAISER . This work would not have > been possible without their work as a starting point. > Note: The original KAISER authors signed-off on

[PATCH 08/30] x86, kaiser: unmap kernel from userspace page tables (core patch)

2017-11-08 Thread Dave Hansen
From: Dave Hansen These patches are based on work from a team at Graz University of Technology: https://github.com/IAIK/KAISER . This work would not have been possible without their work as a starting point. KAISER is a countermeasure against side channel attacks against kernel virtual