On Mon, Dec 04, 2017 at 03:07:34PM +0100, Thomas Gleixner wrote:
> From: Dave Hansen <dave.hansen@xxxxxxxxxxxxxxx>
>
> Global pages stay in the TLB across context switches. Since all contexts
> share the same kernel mapping, these mappings are marked as global pages
> so kernel entries in the TLB are not flushed out on a context switch.
>
> But, even having these entries in the TLB opens up something that an
> attacker can use, such as the double-page-fault attack:
>
> http://www.ieee-security.org/TC/SP2013/papers/4977a191.pdf
>
> That means that even when KERNEL_PAGE_TABLE_ISOLATION switches page tables
> on return to user space the global pages would stay in the TLB cache.
>
> Disable global pages so that kernel TLB entries can be flushed before
> returning to user space. This way, all accesses to kernel addresses from
> userspace result in a TLB miss independent of the existence of a kernel
> mapping.
>
> Supress global pages via the __supported_pte_mask. The user space

"Suppress"

Otherwise

Reviewed-by: Borislav Petkov <bp@xxxxxxx>

-- 
Regards/Gruss,
    Boris.

SUSE Linux GmbH, GF: Felix Imendörffer, Jane Smithard, Graham Norton, HRB 21284 (AG Nürnberg)
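The mechanism the quoted commit message relies on, as an added illustration that is not part of the thread or of the kernel patch: on x86 the kernel builds PTEs by masking the requested protection bits with __supported_pte_mask, so clearing _PAGE_GLOBAL from that mask once at boot strips the global bit from every kernel mapping created afterwards, even though PAGE_KERNEL itself still asks for it. The code below is a user-space model of that logic written for this note; the bit positions match x86 (_PAGE_GLOBAL is bit 8, NX is bit 63), but the function names pfn_pte, massage_pgprot, pte_global and pti_disable_global_pages are simplified stand-ins for the kernel's, and the PFN value is constructed for the demo.

```c
#include <stdint.h>
#include <stdio.h>

/*
 * Model of the x86 PTE bits used here. Bit positions follow arch/x86's
 * pgtable_types.h; this is an illustrative reimplementation, not kernel code.
 */
#define _PAGE_PRESENT   (1ULL << 0)
#define _PAGE_RW        (1ULL << 1)
#define _PAGE_USER      (1ULL << 2)
#define _PAGE_ACCESSED  (1ULL << 5)
#define _PAGE_DIRTY     (1ULL << 6)
#define _PAGE_GLOBAL    (1ULL << 8)
#define _PAGE_NX        (1ULL << 63)
#define PAGE_SHIFT      12
#define PTE_PFN_MASK    0x000ffffffffff000ULL   /* bits 12..51 hold the PFN */

/* Protection used for ordinary kernel data mappings: present, RW, global, NX. */
#define PAGE_KERNEL (_PAGE_PRESENT | _PAGE_RW | _PAGE_ACCESSED | _PAGE_DIRTY | \
                     _PAGE_GLOBAL | _PAGE_NX)

/* Stand-in for the kernel's __supported_pte_mask: every bit allowed by default. */
static uint64_t supported_pte_mask = ~0ULL;

/*
 * Like the kernel's massage_pgprot(): a present PTE keeps only the bits the
 * mask allows. Non-present entries (swap entries etc.) are passed through.
 */
static uint64_t massage_pgprot(uint64_t prot)
{
    if (prot & _PAGE_PRESENT)
        prot &= supported_pte_mask;
    return prot;
}

/* Build a PTE from a page frame number and protection bits (cf. pfn_pte()). */
static uint64_t pfn_pte(uint64_t pfn, uint64_t prot)
{
    return ((pfn << PAGE_SHIFT) & PTE_PFN_MASK) | massage_pgprot(prot);
}

static int pte_global(uint64_t pte)   { return (pte & _PAGE_GLOBAL) != 0; }
static int pte_present(uint64_t pte)  { return (pte & _PAGE_PRESENT) != 0; }
static uint64_t pte_pfn(uint64_t pte) { return (pte & PTE_PFN_MASK) >> PAGE_SHIFT; }

/*
 * What the patch does, in effect: clear _PAGE_GLOBAL from the supported mask
 * once, early in boot. Every PTE built through pfn_pte() afterwards loses the
 * global bit, so a CR3 switch on return to user space flushes kernel entries.
 */
static void pti_disable_global_pages(void)
{
    supported_pte_mask &= ~_PAGE_GLOBAL;
}

int main(void)
{
    uint64_t pfn = 0x1234;   /* constructed PFN for the demo */
    uint64_t before = pfn_pte(pfn, PAGE_KERNEL);

    pti_disable_global_pages();
    uint64_t after = pfn_pte(pfn, PAGE_KERNEL);

    printf("before: pte=%#llx global=%d\n",
           (unsigned long long)before, pte_global(before));
    printf("after:  pte=%#llx global=%d\n",
           (unsigned long long)after, pte_global(after));
    return 0;
}
```

The point worth noticing is that PAGE_KERNEL is unchanged; the suppression lives entirely in the mask, which is why a single early write to __supported_pte_mask covers every later kernel mapping without touching each call site. The present-bit guard in massage_pgprot matters too: a non-present entry is not a translation and must not have its payload bits mangled.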