Re: [patch 28/60] x86/mm/kpti: Disable global pages if KERNEL_PAGE_TABLE_ISOLATION=y
From: Borislav Petkov
Date: Tue Dec 05 2017 - 09:35:14 EST
On Mon, Dec 04, 2017 at 03:07:34PM +0100, Thomas Gleixner wrote:
> From: Dave Hansen <dave.hansen@xxxxxxxxxxxxxxx>
>
> Global pages stay in the TLB across context switches. Since all contexts
> share the same kernel mapping, these mappings are marked as global pages
> so kernel entries in the TLB are not flushed out on a context switch.
>
> But, even having these entries in the TLB opens up something that an
> attacker can use, such as the double-page-fault attack:
>
> http://www.ieee-security.org/TC/SP2013/papers/4977a191.pdf
>
> That means that even when KERNEL_PAGE_TABLE_ISOLATION switches page tables
> on return to user space the global pages would stay in the TLB cache.
>
> Disable global pages so that kernel TLB entries can be flushed before
> returning to user space. This way, all accesses to kernel addresses from
> userspace result in a TLB miss independent of the existence of a kernel
> mapping.
>
> Supress global pages via the __supported_pte_mask. The user space
"Suppress"
Otherwise
Reviewed-by: Borislav Petkov <bp@xxxxxxx>
--
Regards/Gruss,
Boris.
SUSE Linux GmbH, GF: Felix ImendÃrffer, Jane Smithard, Graham Norton, HRB 21284 (AG NÃrnberg)
--