Re: [RFC] x86: Avoid CR3 load on compatibility mode with PTI

From: Nadav Amit
Date: Mon Jan 15 2018 - 15:09:51 EST

Next message: Eric W. Biederman: "Re: [PATCH 08/11] signal/arm: Document conflicts with SI_USER and SIGFPE"
Previous message: Kees Cook: "Re: [PATCH] arm64: Stop printing the virtual memory layout"
In reply to: Willy Tarreau: "Re: [RFC] x86: Avoid CR3 load on compatibility mode with PTI"
Next in thread: Ingo Molnar: "Re: [RFC] x86: Avoid CR3 load on compatibility mode with PTI"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Dave Hansen <dave.hansen@xxxxxxxxxxxxxxx> wrote:

> On 01/14/2018 12:13 PM, Nadav Amit wrote:
>> Currently, when page-table isolation is on to prevent the Meltdown bug
>> (CVE-2017-5754), CR3 is always loaded on system-call and interrupt.
>
> I think of PTI as being a defense against bad stuff that happens from
> the kernel being mapped into the user address space, with Meltdown being
> the most obvious "bad" thing.
>
> What you're saying here is that since a 32-bit program can't address the
> kernel sitting at a >32-bit address, it does not need to unmap the
> kernel. As Andy pointed out, there are a few holes with that assumption.

I think that Andy pointed out that my RFC may break existing programs, but
it should be relatively easy to fix. I donât think there is any problem with
the assumption.

> IMNHO, any PTI-disabling mechanisms better be rock-solid, and easy to
> convince ourselves that they do the right thing. For instance, the
> per-process PTI stuff is going to make the decision quite close to a
> capability check, which makes it fairly easy to get right.

Per-process PTI stuff is an easy solution, but it just pushes the decision
to the user, who is likely to disable PTI without thinking twice, especially
since he got no other option.

> If we start disabling PTI willy nilly at points _away_ from the
> capability checks (like for 32-bit binaries, say), then it gets really
> hard to decide if we are doing the right things.

Eventually it comes down to the question: what does the CPU do? I was
assuming that Intel can figure it out. If it is just about being âparanoidâ,
I presume some paranoid knob should control this behavior.

> Also, what's the end goal here? Run old 32-bit binaries better? You
> want to weaken the security of the whole implementation to do that?
> Sounds like a bad tradeoff to me.

As Willy noted in this thread, I think that some users may be interested in
running 32-bit Apache/Nginx/Redis to get the performance back without
sacrificing security.

Next message: Eric W. Biederman: "Re: [PATCH 08/11] signal/arm: Document conflicts with SI_USER and SIGFPE"
Previous message: Kees Cook: "Re: [PATCH] arm64: Stop printing the virtual memory layout"
In reply to: Willy Tarreau: "Re: [RFC] x86: Avoid CR3 load on compatibility mode with PTI"
Next in thread: Ingo Molnar: "Re: [RFC] x86: Avoid CR3 load on compatibility mode with PTI"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]