[0/3] Allow default HARDENED_USERCOPY to be set at compile time

Message ID 20250117130337.4716-1-mgorman@techsingularity.net (mailing list archive)

Message

Mel Gorman Jan. 17, 2025, 1:03 p.m. UTC
Some hardening options like HARDENED_USERCOPY can be set at boot time
and have negligible cost when disabled. The default for options like
init_on_alloc= can be set at compile time but hardened usercopy is
enabled by default if built in. This incurs overhead when a kernel
wishes to provide optional hardening but the user does not necessarily
care.

Hardening is desirable in some environments but ideally they would be opt-in
by kernel command line as hardening is typically a deliberate decision
whereas the performance overhead is not always obvious to all users.
Patches 1 and 2 move HARDENED_USERCOPY to the Kconfig.hardening and
default it to disabled. Patch 3 moves FORTIFY_SOURCE to hardening only
because the option is related to hardening and happened to be declared
near HARDENED_USERCOPY.

Building HARDENED_USERCOPY but disabled at runtime has negligible effect
within the noise. Enabling the option by default generally incurs 2-10%
of overhead depending on the workload with some extreme outliers depending
on the exact CPU. While the benchmarks are somewhat synthetic, the overhead
for IO-intensive and network-intensive workloads is easily detectable but the
root cause may not be obvious (e.g. 2-14% overhead for netperf TCP_STREAM
running over localhost with different ranges depending on the CPU).


 .../admin-guide/kernel-parameters.txt         |  4 ++-
 mm/usercopy.c                                 |  3 +-
 security/Kconfig                              | 21 ------------
 security/Kconfig.hardening                    | 33 +++++++++++++++++++
 4 files changed, 38 insertions(+), 23 deletions(-)

Comments

Kees Cook Jan. 20, 2025, 9:08 p.m. UTC | #1
On Fri, Jan 17, 2025 at 01:03:34PM +0000, Mel Gorman wrote:
> Some hardening options like HARDENED_USERCOPY can be set at boot time
> and have negligible cost when disabled. The default for options like
> init_on_alloc= can be set at compile time but hardened usercopy is
> enabled by default if built in. This incurs overhead when a kernel
> wishes to provide optional hardening but the user does not necessarily
> care.

Yeah! I like this. It's been somewhere on my TODO list for a while, so
thank you for doing it!

Nits/ideas in the patch replies...