Re: [PATCH RFC 2/4] x86/arch_prctl: add ARCH_GET_NOPTI and ARCH_SET_NOPTI to enable/disable PTI

From: Ingo Molnar
Date: Mon Jan 08 2018 - 12:05:40 EST



(Expanded the Cc: list.)

* Willy Tarreau <w@xxxxxx> wrote:

> This allows to report the current state of the PTI protection and to
> enable or disable it for the current task.
>
> Signed-off-by: Willy Tarreau <w@xxxxxx>
> ---
> arch/x86/include/uapi/asm/prctl.h | 3 +++
> arch/x86/kernel/process_64.c | 24 ++++++++++++++++++++++++
> 2 files changed, 27 insertions(+)
>
> diff --git a/arch/x86/include/uapi/asm/prctl.h b/arch/x86/include/uapi/asm/prctl.h
> index 5a6aac9..1f1b5bc 100644
> --- a/arch/x86/include/uapi/asm/prctl.h
> +++ b/arch/x86/include/uapi/asm/prctl.h
> @@ -10,6 +10,9 @@
> #define ARCH_GET_CPUID 0x1011
> #define ARCH_SET_CPUID 0x1012
>
> +#define ARCH_GET_NOPTI 0x1021
> +#define ARCH_SET_NOPTI 0x1022
> +
> #define ARCH_MAP_VDSO_X32 0x2001
> #define ARCH_MAP_VDSO_32 0x2002
> #define ARCH_MAP_VDSO_64 0x2003
> diff --git a/arch/x86/kernel/process_64.c b/arch/x86/kernel/process_64.c
> index c754662..1686d3d 100644
> --- a/arch/x86/kernel/process_64.c
> +++ b/arch/x86/kernel/process_64.c
> @@ -654,6 +654,30 @@ long do_arch_prctl_64(struct task_struct *task, int option, unsigned long arg2)
> ret = put_user(base, (unsigned long __user *)arg2);
> break;
> }
> + case ARCH_GET_NOPTI: {
> + unsigned long flag;
> +
> + printk(KERN_DEBUG "get1: task=%p ti=%p fl=%16lx\n", task, task_thread_info(task), task_thread_info(task)->flags);
> + flag = !!(task_thread_info(task)->flags & _TIF_NOPTI);
> + ret = put_user(flag, (unsigned long __user *)arg2);
> + break;
> + }
> +
> + case ARCH_SET_NOPTI:
> + if (!capable(CAP_SYS_RAWIO))
> + return -EPERM;
> +
> + printk(KERN_DEBUG "set1: task=%p ti=%p fl=%16lx doit=%d arg2=%ld\n", task, task_thread_info(task), task_thread_info(task)->flags, doit, arg2);
> +
> + if (doit) {
> + if (arg2)
> + task_thread_info(task)->flags |= _TIF_NOPTI;
> + else
> + task_thread_info(task)->flags &= ~_TIF_NOPTI;
> +
> + printk(KERN_DEBUG "set2: task=%p ti=%p fl=%16lx\n", task, task_thread_info(task), task_thread_info(task)->flags);
> + }
> + break;

Btw., we could enforce the CAP_SYS_RAWIO permission check only if it's _clearing_
the PTI flag.

I.e. this would allow apps and runtime environments to opt into PTI, without
having to rely on external security frameworks getting it right.

Note that there is somewhat of a fuzzy detail regarding AMD CPUs which are marked
as 'Meltdown safe': should an explicit request to turn on PTI be honored by the
kernel? Should that be some sort of separate 'force PTI on' attribute?

Thanks,

Ingo