Re: [RFC PATCH] Add support for eXclusive Page Frame Ownership (XPFO)

From: Balbir Singh
Date: Thu Mar 31 2016 - 20:21:22 EST

On Mon, Mar 21, 2016 at 7:44 PM, Juerg Haefliger
<juerg.haefliger@xxxxxxx> wrote:
> Hi Balbir,
> Apologies for the slow reply.
No problem, I lost this in my inbox as well due to the reply latency.
> On 03/01/2016 03:10 AM, Balbir Singh wrote:
>> On 27/02/16 01:21, Juerg Haefliger wrote:
>>> This patch adds support for XPFO which protects against 'ret2dir' kernel
>>> attacks. The basic idea is to enforce exclusive ownership of page frames
>>> by either the kernel or userland, unless explicitly requested by the
>>> kernel. Whenever a page destined for userland is allocated, it is
>>> unmapped from physmap. When such a page is reclaimed from userland, it is
>>> mapped back to physmap.
>> physmap == xen physmap? Please clarify
> No, it's not XEN related. I might have the terminology wrong. Physmap is what
> the original authors used for describing <quote> a large, contiguous virtual
> memory region inside kernel address space that contains a direct mapping of part
> or all (depending on the architecture) physical memory. </quote>
Thanks for clarifying
>>> Mapping/unmapping from physmap is accomplished by modifying the PTE
>>> permission bits to allow/disallow access to the page.
>>> Additional fields are added to the page struct for XPFO housekeeping.
>>> Specifically a flags field to distinguish user vs. kernel pages, a
>>> reference counter to track physmap map/unmap operations and a lock to
>>> protect the XPFO fields.
>>> Known issues/limitations:
>>> - Only supported on x86-64.
>> Is it due to lack of porting or a design limitation?
> Lack of porting. Support for other architectures will come later.
>>> - Only supports 4k pages.
>>> - Adds additional data to the page struct.
>>> - There are most likely some additional and legitimate use cases where
>>> the kernel needs to access userspace. Those need to be identified and
>>> made XPFO-aware.
>> Why not build an audit mode for it?
> Can you elaborate what you mean by this?
What I meant is when the kernel needs to access userspace and XPFO is
not aware of it and is going to block it, write to a log/trace buffer so
that it can be audited for correctness.

>>> - There's a performance impact if XPFO is turned on. Per the paper
>>> referenced below it's in the 1-3% ballpark. More performance testing
>>> wouldn't hurt. What tests to run though?
>>> Reference paper by the original patch authors:
>>> Suggested-by: Vasileios P. Kemerlis <vpk@xxxxxxxxxxxx>
>>> Signed-off-by: Juerg Haefliger <juerg.haefliger@xxxxxxx>
>> This patch needs to be broken down into smaller patches - a series
> Agreed.

I think it will be good to describe what is XPFO aware

1. How are device mmap'd shared between kernel/user covered?
2. How is copy_from/to_user covered?
3. How is vdso covered?
4. More...

Balbir Singh.
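A constructed C model of the per-page XPFO bookkeeping the thread describes (user/kernel flag, physmap map/unmap reference count) together with the audit mode proposed in the reply. This is an added example, not code from the RFC patch; the names xpfo_page, xpfo_kmap, xpfo_kernel_access, audit_mode and audit_blocked are hypothetical, and the per-page lock is left out because the model is single-threaded.

```c
#include <stdbool.h>
#include <stdio.h>
/* Constructed model of the per-page XPFO bookkeeping from the thread: a
 * user/kernel flag plus a physmap map/unmap refcount. Lock omitted; all
 * names are hypothetical, not the patch's. */
#define XPFO_USER 0x1
struct xpfo_page {
	unsigned flags;   /* XPFO_USER while the frame is owned by userland */
	int mapcount;     /* outstanding explicit kernel mappings (kmap) */
	bool in_physmap;  /* direct-map PTE currently grants kernel access */
};
static bool audit_mode;    /* log and allow instead of blocking */
static int audit_blocked;  /* accesses XPFO would have denied */

/* Frame handed to userland: unmap it from physmap (exclusive ownership). */
void xpfo_alloc_user(struct xpfo_page *p)
{
	p->flags |= XPFO_USER;
	p->mapcount = 0;
	p->in_physmap = false;
}

/* Frame reclaimed from userland: kernel-owned again, back in physmap. */
void xpfo_free_user(struct xpfo_page *p)
{
	p->flags &= ~XPFO_USER;
	p->in_physmap = true;
}
/* Explicit kernel request: map on the first user, refcount the rest. */
void xpfo_kmap(struct xpfo_page *p)
{
	if ((p->flags & XPFO_USER) && p->mapcount++ == 0)
		p->in_physmap = true;
}
void xpfo_kunmap(struct xpfo_page *p)
{
	if ((p->flags & XPFO_USER) && p->mapcount > 0 && --p->mapcount == 0)
		p->in_physmap = false;
}

/* Kernel touches the frame via physmap: allowed only while mapped. In audit
 * mode a would-be fault is counted and logged, then allowed. */
bool xpfo_kernel_access(struct xpfo_page *p, unsigned long pfn)
{
	if (p->in_physmap)
		return true;
	audit_blocked++;
	if (audit_mode)
		printf("xpfo: audit: kernel access to user pfn 0x%lx\n", pfn);
	return audit_mode;
}
```

Each logged entry in audit mode marks a kernel path that touched a user-owned frame without an explicit mapping, which is exactly the set of "not yet XPFO-aware" use cases the patch description says still need identifying.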