Re: [patch 0/5] Support for sanitization flag in low-level pageallocator

From: Peter Zijlstra
Date: Thu May 28 2009 - 15:36:37 EST

Next message: Christoph Hellwig: "Re: [PATCH 0/11] Per-bdi writeback flusher threads v8"
Previous message: Paul Mundt: "Re: [PATCH] sched: Support current clocksource handling in fallback sched_clock()."
In reply to: Larry H.: "Re: [patch 0/5] Support for sanitization flag in low-level pageallocator"
Next in thread: Arjan van de Ven: "Re: [patch 0/5] Support for sanitization flag in low-level pageallocator"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Sat, 2009-05-23 at 08:56 -0700, Arjan van de Ven wrote:
> On Sat, 23 May 2009 09:09:10 +0100
> Alan Cox <alan@xxxxxxxxxxxxxxxxxxx> wrote:
>
> > > Enabling SLAB poisoning by default will be a bad idea
> >
> > Why ?
> >
> > > I looked for unused/re-usable flags too, but found none. It's
> > > interesting to see SLUB and SLOB have their own page flags. Did
> > > anybody oppose those when they were proposed?
> >
> > Certainly they were looked at - but the memory allocator is right at
> > the core of the system rather than an add on.
> >
> > > > Ditto - which is why I'm coming from the position of an "if we
> > > > free it clear it" option. If you need that kind of security the
> > > > cost should be more than acceptable - especially with modern
> > > > processors that can do cache bypass on the clears.
> > >
> > > Are you proposing that we should simply remove the confidential
> > > flags and just stick to the unconditional sanitization when the
> > > boot option is enabled? If positive, it will make things more
> > > simple and definitely is better than nothing. I would have (still)
> > > preferred the other old approach to be merged, but whatever works
> > > at this point.
> >
> > I am because
> > - its easy to merge
> > - its non controversial
> > - it meets the security good practice and means we don't miss any
> > alloc/free cases
> > - it avoid providing flags to help a trojan identify "interesting"
> > data to acquire
> > - modern cpu memory clearing can be very cheap
>
> ... and if we zero on free, we don't need to zero on allocate.
> While this is a little controversial, it does mean that at least part of
> the cost is just time-shifted, which means it'll not be TOO bad
> hopefully...

zero on allocate has the advantage of cache hotness, we're going to use
the memory, why else allocate it.

zero on free only causes extra cache evictions for no gain.

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Christoph Hellwig: "Re: [PATCH 0/11] Per-bdi writeback flusher threads v8"
Previous message: Paul Mundt: "Re: [PATCH] sched: Support current clocksource handling in fallback sched_clock()."
In reply to: Larry H.: "Re: [patch 0/5] Support for sanitization flag in low-level pageallocator"
Next in thread: Arjan van de Ven: "Re: [patch 0/5] Support for sanitization flag in low-level pageallocator"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]