> From: Greg KH <gregkh@xxxxxxxxxxxxxxxxxxx>
> Sent: Wednesday, January 3, 2024 10:28 AM
> To: Maxwell Bland <mbland@xxxxxxxxxxxx>
> Cc: bpf@xxxxxxxxxxxxxxx
> Subject: [External] Re: FW: BPF-NX+CFI is a good upstreaming candidate
>
> On Wed, Jan 03, 2024 at 04:06:32PM +0000, Maxwell Bland wrote:
> > Forwarding to BPF mailing list as plaintext to match the mail server
> > restrictions.
> >
> > From what I understand, the Linux security team is reactive rather than
> > proactive, so maybe the below is a moot point, but I'd love to see
> > BPF-NX+CFI if possible.
>
> security@xxxxxxxxxx is reactive, as that is its requirement, but there are many
> other groups that work on proactive security; see the linux-hardening project
> for lots of work happening there that is adding loads of good stuff to the
> kernel.
>
> > Originally sent to di_jin@xxxxxxxxx; v.atlidakis@xxxxxxxxx;
> > vpk@xxxxxxxxxxxx; dborkman@xxxxxxxxxx;
> > lsf-pc@xxxxxxxxxxxxxxxxxxxxxxxxxx; bpf@xxxxxxxxxxxxxxx; Andrew Wheeler
> > <awheeler@xxxxxxxxxxxx>; Sammy BS2 Que | 阙斌生 <quebs2@xxxxxxxxxxxx>
> >
> > Dear Jin et al., Daniel Borkmann, and LSF/BPF mailing lists,
> >
> > Although a few months late, Jin et al.'s USENIX ATC'23 EPF publication here
> > (https://cs.brown.edu/~vpk/papers/epf.atc23.pdf) is great. It was a relief to
> > see the efforts in
> > https://gitlab.com/brown-ssl/epf/-/blob/master/linux-5.10/patches/0003-Adding-BPF-NX.patch?ref_type=heads
> > and related files.
> >
> > BPF-NX+CFI would/could/should be a great upstreaming candidate. I am not
> > sure how well BPF-NX+CFI generalizes to the full kernel ecosystem given the
> > approach requires a dedicated vmalloc memory region, but the idea that PXN is
> > no longer enforced at a PMD-level granularity because of eBPF is unfortunate.
> >
> > BPF-ISR is likely overkill performance-wise as a mechanism and can be
> > handled/refined via kprobes rather than direct patches.
> >
> > Jin et al., do you happen to have performance numbers for just NX+CFI, or
> > knowledge of how well this may apply to 6.*+ kernels? With your blessing,
> > and if the mailing list peers are supportive, we should discuss your work and
> > BPF security at https://events.linuxfoundation.org/lsfmmbpf/program/cfp/.
>
> Are there working patches somewhere? 5.10.y is very old and obsolete.
>
> thanks,
>
> greg k-h

Went ahead and applied the patches for NX and CFI to Torvalds v6.7-rc8 upstream.
Sent to mailing lists as separate patch emails: "[PATCH 1/2] Adding BPF NX" and
"[PATCH 2/2] Adding BPF CFI", but not tested. Should be OK.

Not sure I 100% like the architecture-specific method of handling the vmalloc
region or the KConfig dependence on x86. Would be better to agnostically set
aside a segment of the vaddr space, but I am not sure how.

Regards,
Maxwell Bland