Re: [PATCH RFC 2/4] x86/arch_prctl: add ARCH_GET_NOPTI and ARCH_SET_NOPTI to enable/disable PTI
From: Ingo Molnar
Date: Mon Jan 08 2018 - 12:18:08 EST
* Thomas Gleixner <tglx@xxxxxxxxxxxxx> wrote:
> On Mon, 8 Jan 2018, Willy Tarreau wrote:
> > This allows to report the current state of the PTI protection and to
> > enable or disable it for the current task.
> >
> > Signed-off-by: Willy Tarreau <w@xxxxxx>
> > ---
> > arch/x86/include/uapi/asm/prctl.h | 3 +++
> > arch/x86/kernel/process_64.c | 24 ++++++++++++++++++++++++
> > 2 files changed, 27 insertions(+)
> >
> > diff --git a/arch/x86/include/uapi/asm/prctl.h b/arch/x86/include/uapi/asm/prctl.h
> > index 5a6aac9..1f1b5bc 100644
> > --- a/arch/x86/include/uapi/asm/prctl.h
> > +++ b/arch/x86/include/uapi/asm/prctl.h
> > @@ -10,6 +10,9 @@
> > #define ARCH_GET_CPUID 0x1011
> > #define ARCH_SET_CPUID 0x1012
> >
> > +#define ARCH_GET_NOPTI 0x1021
> > +#define ARCH_SET_NOPTI 0x1022
> > +
> > #define ARCH_MAP_VDSO_X32 0x2001
> > #define ARCH_MAP_VDSO_32 0x2002
> > #define ARCH_MAP_VDSO_64 0x2003
> > diff --git a/arch/x86/kernel/process_64.c b/arch/x86/kernel/process_64.c
> > index c754662..1686d3d 100644
> > --- a/arch/x86/kernel/process_64.c
> > +++ b/arch/x86/kernel/process_64.c
> > @@ -654,6 +654,30 @@ long do_arch_prctl_64(struct task_struct *task, int option, unsigned long arg2)
> > ret = put_user(base, (unsigned long __user *)arg2);
> > break;
> > }
> > + case ARCH_GET_NOPTI: {
> > + unsigned long flag;
> > +
> > + printk(KERN_DEBUG "get1: task=%p ti=%p fl=%16lx\n", task, task_thread_info(task), task_thread_info(task)->flags);
> > + flag = !!(task_thread_info(task)->flags & _TIF_NOPTI);
> > + ret = put_user(flag, (unsigned long __user *)arg2);
> > + break;
>
> Per task is really an odd choice. That should be per process I think, but
> that of course needs synchronization of some form. Aside of that we need to
> think about fork().
So per task (thread) is the most natural approach to low level asm flaggery.
Making it per thread also makes some sense conceptually: in a complex
multi-threaded runtime implementation some threads might never execute
'untrusted' code, some might. No need to penalize the 'server' threads.
Not sure we want that complexity though, and while it _should_ work I think,
mostly, there might be some unexpected implications.
Thanks,
Ingo