Re: [PATCH v1 1/8] powerpc/lib/code-patching: Enhance code patching

[PATCH v1 0/8] Enable STRICT_KERNEL_RWX · Balbir Singh <bsingharora@gmail.com> · 2017-05-25
[PATCH v1 1/8] powerpc/lib/code-patching: Enhance code patching · Balbir Singh <bsingharora@gmail.com> · 2017-05-25
Re: [PATCH v1 1/8] powerpc/lib/code-patching: Enhance code patching · kbuild test robot <hidden> · 2017-05-25
Re: [PATCH v1 1/8] powerpc/lib/code-patching: Enhance code patching · christophe leroy <hidden> · 2017-05-28
Re: [PATCH v1 1/8] powerpc/lib/code-patching: Enhance code patching · Balbir Singh <bsingharora@gmail.com> · 2017-05-28
Re: [PATCH v1 1/8] powerpc/lib/code-patching: Enhance code patching · Christophe LEROY <hidden> · 2017-05-29
Re: [PATCH v1 1/8] powerpc/lib/code-patching: Enhance code patching · christophe leroy <hidden> · 2017-05-28
Re: [PATCH v1 1/8] powerpc/lib/code-patching: Enhance code patching · Balbir Singh <bsingharora@gmail.com> · 2017-05-28
Re: [PATCH v1 1/8] powerpc/lib/code-patching: Enhance code patching · Christophe LEROY <hidden> · 2017-05-29
Re: [PATCH v1 1/8] powerpc/lib/code-patching: Enhance code patching · christophe leroy <hidden> · 2017-05-28
Re: [PATCH v1 1/8] powerpc/lib/code-patching: Enhance code patching · Balbir Singh <bsingharora@gmail.com> · 2017-05-28
[PATCH v1 2/8] powerpc/kprobes: Move kprobes over to patch_instruction · Balbir Singh <bsingharora@gmail.com> · 2017-05-25
Re: [PATCH v1 2/8] powerpc/kprobes: Move kprobes over to patch_instruction · Christophe LEROY <hidden> · 2017-05-29
Re: [PATCH v1 2/8] powerpc/kprobes: Move kprobes over to patch_instruction · Balbir Singh <bsingharora@gmail.com> · 2017-05-29
[PATCH v1 3/8] powerpc/xmon: Add patch_instruction supporf for xmon · Balbir Singh <bsingharora@gmail.com> · 2017-05-25
[PATCH v1 4/8] powerpc/vmlinux.lds: Align __init_begin to 16M · Balbir Singh <bsingharora@gmail.com> · 2017-05-25
[PATCH v1 5/8] powerpc/platform/pseries/lpar: Fix updatepp and updateboltedpp · Balbir Singh <bsingharora@gmail.com> · 2017-05-25
[PATCH v1 6/8] powerpc/mm/hash: Implement mark_rodata_ro() for hash · Balbir Singh <bsingharora@gmail.com> · 2017-05-25
[PATCH v1 7/8] powerpc/Kconfig: Enable STRICT_KERNEL_RWX · Balbir Singh <bsingharora@gmail.com> · 2017-05-25
Re: [PATCH v1 7/8] powerpc/Kconfig: Enable STRICT_KERNEL_RWX · kbuild test robot <hidden> · 2017-05-25
Re: [PATCH v1 7/8] powerpc/Kconfig: Enable STRICT_KERNEL_RWX · Christophe LEROY <hidden> · 2017-05-29
Re: [PATCH v1 7/8] powerpc/Kconfig: Enable STRICT_KERNEL_RWX · Balbir Singh <bsingharora@gmail.com> · 2017-06-03
Re: [PATCH v1 7/8] powerpc/Kconfig: Enable STRICT_KERNEL_RWX · Michael Ellerman <mpe@ellerman.id.au> · 2017-06-05
[PATCH v1 8/8] powerpc/mm/ptdump: Dump the first entry of the linear mapping as well · Balbir Singh <bsingharora@gmail.com> · 2017-05-25
Re: [v1, 8/8] powerpc/mm/ptdump: Dump the first entry of the linear mapping as well · Michael Ellerman <hidden> · 2017-06-05
Re: [PATCH v1 0/8] Enable STRICT_KERNEL_RWX · Balbir Singh <bsingharora@gmail.com> · 2017-05-25
Re: [PATCH v1 0/8] Enable STRICT_KERNEL_RWX · Naveen N. Rao <hidden> · 2017-05-30

From: Balbir Singh <bsingharora@gmail.com>
Date: 2017-05-28 22:51:26

On Sun, 2017-05-28 at 17:59 +0200, christophe leroy wrote:

Le 25/05/2017 à 05:36, Balbir Singh a écrit :

quoted

Today our patching happens via direct copy and
patch_instruction. The patching code is well
contained in the sense that copying bits are limited.

While considering implementation of CONFIG_STRICT_RWX,
the first requirement is to a create another mapping
that will allow for patching. We create the window using
text_poke_area, allocated via get_vm_area(), which might
be an overkill. We can do per-cpu stuff as well. The
downside of these patches that patch_instruction is
now synchornized using a lock. Other arches do similar
things, but use fixmaps. The reason for not using
fixmaps is to make use of any randomization in the
future. The code also relies on set_pte_at and pte_clear
to do the appropriate tlb flushing.

Isn't it overkill to remap the text in another area ?

Among the 6 arches implementing CONFIG_STRICT_KERNEL_RWX (arm, arm64, 
parisc, s390, x86/32, x86/64):
- arm, x86/32 and x86/64 set text RW during the modification

x86 uses set_fixmap() in text_poke(), am I missing something?

- s390 seems to uses a special instruction which bypassed write protection
- parisc doesn't seem to implement any function which modifies kernel text.

Therefore it seems only arm64 does it via another mapping.
Wouldn't it be lighter to just unprotect memory during the modification 
as done on arm and x86 ?

I am not sure if the trade-off is quite that simple, for security I thought

1. It would be better to randomize text_poke_area(), which is why I dynamically
allocated it. If we start randomizing get_vm_area(), we get the benefit
2. text_poke_aread() is RW and the normal text is RX, for any attack
to succeed, it would need to find text_poke_area() at the time of patching,
patch the kernel in that small window and use the normal mapping for
execution

Generally patch_instruction() is not fast path except for ftrace, tracing.
In my tests I did not find the slow down noticable

Or another alternative could be to disable DMMU and do the write at 
physical address ?

This would be worse off, I think, but we were discussing doing something
like that xmon. But for other cases, I think  it opens up a bigger window.

Christophe

Balbir Singh

`h`	back out one level
`j`	next message in thread
`k`	previous message in thread
`l`	drill in
`Esc`	close help / fold thread tree
`?`	toggle this help