Resending to include the kernel-hardening list. Sorry, I wasn't subscribed with the correct email address when I sent this the first time. ...Juerg On 09/14/2016 09:18 AM, Juerg Haefliger wrote: > Changes from: > v1 -> v2: > - Moved the code from arch/x86/mm/ to mm/ since it's (mostly) > arch-agnostic. > - Moved the config to the generic layer and added ARCH_SUPPORTS_XPFO > for x86. > - Use page_ext for the additional per-page data. > - Removed the clearing of pages. This can be accomplished by using > PAGE_POISONING. > - Split up the patch into multiple patches. > - Fixed additional issues identified by reviewers. > > This patch series adds support for XPFO which protects against 'ret2dir' > kernel attacks. The basic idea is to enforce exclusive ownership of page > frames by either the kernel or userspace, unless explicitly requested by > the kernel. Whenever a page destined for userspace is allocated, it is > unmapped from physmap (the kernel's page table). When such a page is > reclaimed from userspace, it is mapped back to physmap. > > Additional fields in the page_ext struct are used for XPFO housekeeping. > Specifically two flags to distinguish user vs. kernel pages and to tag > unmapped pages and a reference counter to balance kmap/kunmap operations > and a lock to serialize access to the XPFO fields. > > Known issues/limitations: > - Only supports x86-64 (for now) > - Only supports 4k pages (for now) > - There are most likely some legitimate uses cases where the kernel needs > to access userspace which need to be made XPFO-aware > - Performance penalty > > Reference paper by the original patch authors: > http://www.cs.columbia.edu/~vpk/papers/ret2dir.sec14.pdf > > Juerg Haefliger (3): > Add support for eXclusive Page Frame Ownership (XPFO) > xpfo: Only put previous userspace pages into the hot cache > block: Always use a bounce buffer when XPFO is enabled > > arch/x86/Kconfig | 3 +- > arch/x86/mm/init.c | 2 +- > block/blk-map.c | 2 +- > include/linux/highmem.h | 15 +++- > include/linux/page_ext.h | 7 ++ > include/linux/xpfo.h | 41 +++++++++ > lib/swiotlb.c | 3 +- > mm/Makefile | 1 + > mm/page_alloc.c | 10 ++- > mm/page_ext.c | 4 + > mm/xpfo.c | 213 +++++++++++++++++++++++++++++++++++++++++++++++ > security/Kconfig | 20 +++++ > 12 files changed, 314 insertions(+), 7 deletions(-) > create mode 100644 include/linux/xpfo.h > create mode 100644 mm/xpfo.c > -- Juerg Haefliger Hewlett Packard Enterprise
Attachment:
signature.asc
Description: OpenPGP digital signature
