Data exfiltration attacks via speculative execution and
return-oriented-programming attacks rely on the ability to infer the
location of sensitive data objects. The kernel page allocator, has
predictable first-in-first-out behavior for physical pages. Pages are
freed in physical address order when first onlined. There are also
mechanisms like CMA that can free large contiguous areas at once
increasing the predictability of allocations in physical memory.
In addition to the security implications this randomization also
stabilizes the average performance of direct-mapped memory-side caches.
This includes memory-side caches like the one on the Knights Landing
processor and those generally described by the ACPI HMAT (Heterogeneous
Memory Attributes Table [1]). Cache conflicts are spread over a random
distribution rather than localized.
Given the performance sensitivity of the page allocator this
randomization is only performed for MAX_ORDER (4MB by default) pages. A
kernel parameter, page_alloc.shuffle_page_order, is included to change
the page size where randomization occurs.
[1]: See ACPI 6.2 Section 5.2.27.5 Memory Side Cache Information Structure
---
Dan Williams (3):
mm: Shuffle initial free memory
mm: Move buddy list manipulations into helpers
mm: Maintain randomization of page free lists
include/linux/list.h | 17 +++
include/linux/mm.h | 5 -
include/linux/mm_types.h | 3 +
include/linux/mmzone.h | 57 ++++++++++
mm/bootmem.c | 9 +-
mm/compaction.c | 4 -
mm/nobootmem.c | 7 +
mm/page_alloc.c | 267 +++++++++++++++++++++++++++++++++++++++-------
8 files changed, 317 insertions(+), 52 deletions(-)
