Re: [PATCH RFC 3/4] x86/pti: don't mark the user PGD with _PAGE_NX.
From: Ingo Molnar
Date: Mon Jan 08 2018 - 12:21:11 EST
* Dave Hansen <dave.hansen@xxxxxxxxx> wrote:
> On 01/08/2018 08:12 AM, Willy Tarreau wrote:
> > Since we're going to keep running on the same PGD when returning to
> > userspace for certain performance-critical tasks, we'll need the user
> > pages to be executable. So this code disables the extra protection
> > that was added consisting in marking user pages _PAGE_NX so that this
> > pgd remains usable for userspace.
> >
> > Note: it isn't necessarily the best approach, but one way or another
> > if we want to be able to return to userspace from the kernel,
> > we'll have to have this executable anyway. Another approach
> > might consist in using another pgd for userland+kernel but
> > the current core really looks like an extra careful measure
> > to catch early bugs if any.
>
> I don't like this.
>
> I think the prctl() should apply to an entire process, not to a thread.
> If it applies to a process, you can unpoison the PGD. I even had code
> to do this in an earlier version of the (whole system) runtime PTI
> on/off stuff.
>
> Why are you even posting half-baked hacks like this now? Is there
> something super-pressing about this set that we need to lock in a new
> ABI now?
Arguably it was posted as an RFC patch-set, to get feedback early on.
The motivation is clear enough from the announcement I think: to speed up the
haproxy performance almost two-fold, without sacrificing the overall security
given by PTI against the Meltdown attack. haproxy does not require PTI, as it
never executes untrusted code.
Thanks,
Ingo