[patch 28/60] x86/mm/kpti: Disable global pages if KERNEL_PAGE_TABLE_ISOLATION=y

From: Thomas Gleixner
Date: Mon Dec 04 2017 - 11:51:53 EST

Next message: Thomas Gleixner: "[patch 35/60] x86/espfix: Ensure that ESPFIX is visible in user PGD"
Previous message: Thomas Gleixner: "[patch 26/60] x86/cpufeature: Make cpu bugs sticky"
In reply to: Borislav Petkov: "Re: [patch 26/60] x86/cpufeature: Make cpu bugs sticky"
Next in thread: Borislav Petkov: "Re: [patch 28/60] x86/mm/kpti: Disable global pages if KERNEL_PAGE_TABLE_ISOLATION=y"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Dave Hansen <dave.hansen@xxxxxxxxxxxxxxx>

Global pages stay in the TLB across context switches. Since all contexts
share the same kernel mapping, these mappings are marked as global pages
so kernel entries in the TLB are not flushed out on a context switch.

But, even having these entries in the TLB opens up something that an
attacker can use, such as the double-page-fault attack:

http://www.ieee-security.org/TC/SP2013/papers/4977a191.pdf

That means that even when KERNEL_PAGE_TABLE_ISOLATION switches page tables
on return to user space the global pages would stay in the TLB cache.

Disable global pages so that kernel TLB entries can be flushed before
returning to user space. This way, all accesses to kernel addresses from
userspace result in a TLB miss independent of the existence of a kernel
mapping.

Supress global pages via the __supported_pte_mask. The user space
mappings set PAGE_GLOBAL for the minimal kernel mappings which are
required for entry/exit. These mappings are set up manually so the
filtering does not take place.

[ The __supported_pte_mask simplification was written by Thomas Gleixner. ]

Signed-off-by: Dave Hansen <dave.hansen@xxxxxxxxxxxxxxx>
Signed-off-by: Ingo Molnar <mingo@xxxxxxxxxx>
Signed-off-by: Thomas Gleixner <tglx@xxxxxxxxxxxxx>
Cc: keescook@xxxxxxxxxx
Cc: Denys Vlasenko <dvlasenk@xxxxxxxxxx>
Cc: moritz.lipp@xxxxxxxxxxxxxx
Cc: linux-mm@xxxxxxxxx
Cc: Peter Zijlstra <peterz@xxxxxxxxxxxxx>
Cc: Brian Gerst <brgerst@xxxxxxxxx>
Cc: hughd@xxxxxxxxxx
Cc: daniel.gruss@xxxxxxxxxxxxxx
Cc: richard.fellner@xxxxxxxxxxxxxxxxx
Cc: Andy Lutomirski <luto@xxxxxxxxxx>
Cc: Josh Poimboeuf <jpoimboe@xxxxxxxxxx>
Cc: michael.schwarz@xxxxxxxxxxxxxx
Cc: Linus Torvalds <torvalds@xxxxxxxxxxxxxxxxxxxx>
Link: https://lkml.kernel.org/r/20171123003441.63DDFC6F@xxxxxxxxxxxxxxxxxx

---
arch/x86/mm/init.c | 12 +++++++++---
1 file changed, 9 insertions(+), 3 deletions(-)

--- a/arch/x86/mm/init.c
+++ b/arch/x86/mm/init.c
@@ -161,6 +161,12 @@ struct map_range {

static int page_size_mask;

+static void enable_global_pages(void)
+{
+ if (!static_cpu_has_bug(X86_BUG_CPU_SECURE_MODE_KPTI))
+ __supported_pte_mask |= _PAGE_GLOBAL;
+}
+
static void __init probe_page_size_mask(void)
{
/*
@@ -179,11 +185,11 @@ static void __init probe_page_size_mask(
cr4_set_bits_and_update_boot(X86_CR4_PSE);

/* Enable PGE if available */
+ __supported_pte_mask &= ~_PAGE_GLOBAL;
if (boot_cpu_has(X86_FEATURE_PGE)) {
cr4_set_bits_and_update_boot(X86_CR4_PGE);
- __supported_pte_mask |= _PAGE_GLOBAL;
- } else
- __supported_pte_mask &= ~_PAGE_GLOBAL;
+ enable_global_pages();
+ }

/* Enable 1 GB linear kernel mappings if available: */
if (direct_gbpages && boot_cpu_has(X86_FEATURE_GBPAGES)) {

Next message: Thomas Gleixner: "[patch 35/60] x86/espfix: Ensure that ESPFIX is visible in user PGD"
Previous message: Thomas Gleixner: "[patch 26/60] x86/cpufeature: Make cpu bugs sticky"
In reply to: Borislav Petkov: "Re: [patch 26/60] x86/cpufeature: Make cpu bugs sticky"
Next in thread: Borislav Petkov: "Re: [patch 28/60] x86/mm/kpti: Disable global pages if KERNEL_PAGE_TABLE_ISOLATION=y"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]