From: Igor Stoppa
To: Andy Lutomirski, Matthew Wilcox, Peter Zijlstra, Dave Hansen, Mimi Zohar
Cc: igor.stoppa@huawei.com, Nadav Amit, Kees Cook, linux-integrity@vger.kernel.org, kernel-hardening@lists.openwall.com, linux-mm@kvack.org, linux-kernel@vger.kernel.org
Subject: [RFC v2 PATCH 0/12] hardening: statically allocated protected memory
Date: Wed, 19 Dec 2018 23:33:26 +0200
Message-Id: <20181219213338.26619-1-igor.stoppa@huawei.com>
X-Patchwork-Submitter: Igor Stoppa
X-Patchwork-Id: 10738157

Patch-set implementing write-rare memory protection for statically
allocated data.
Its purpose is to keep write protected kernel data which is seldom
modified.
There is no read overhead, however writing requires special operations that
are probably unsuitable for often-changing data.
The use is opt-in, by applying the modifier __wr_after_init to a variable
declaration.

As the name implies, the write protection kicks in only after init() is
completed; before that moment, the data is modifiable in the usual way.

Current Limitations:
* supports only data which is allocated statically, at build time.
* supports only x86_64, other architectures need to provide own backend

Some notes:
- there is a part of generic code which is basically a NOP, but should
  allow using unconditionally the write protection. It will automatically
  default to non-protected functionality, if the specific architecture
  doesn't support write-rare
- to avoid the risk of weakening __ro_after_init, __wr_after_init data is
  in a separate set of pages, and any invocation will confirm that the
  memory affected falls within this range.
  rodata_test is modified accordingly, to check also this case.
- for now, the patchset addresses only x86_64, as each architecture seems
  to have own way of dealing with user space. Once a few are implemented,
  it should be more obvious what code can be refactored as common.
- the memset_user() assembly function seems to work, but I'm not too sure
  it's really ok
- I've added a simple example: the protection of ima_policy_flags
- the last patch is optional, but it seemed worth to do the refactoring

Changelog:

v1->v2

* introduce cleaner split between generic and arch code
* add x86_64 specific memset_user()
* replace kernel-space memset() memcopy() with userspace counterpart
* randomize the base address for the alternate map across the entire
  available address range from user space (128TB - 64TB)
* convert BUG() to WARN()
* turn verification of written data into debugging option
* wr_rcu_assign_pointer() as special case of wr_assign()
* example with protection of ima_policy_flags
* documentation

CC: Andy Lutomirski
CC: Nadav Amit
CC: Matthew Wilcox
CC: Peter Zijlstra
CC: Kees Cook
CC: Dave Hansen
CC: Mimi Zohar
CC: linux-integrity@vger.kernel.org
CC: kernel-hardening@lists.openwall.com
CC: linux-mm@kvack.org
CC: linux-kernel@vger.kernel.org

Igor Stoppa (12):
  [PATCH 01/12] x86_64: memset_user()
  [PATCH 02/12] __wr_after_init: linker section and label
  [PATCH 03/12] __wr_after_init: generic header
  [PATCH 04/12] __wr_after_init: x86_64: __wr_op
  [PATCH 05/12] __wr_after_init: x86_64: debug writes
  [PATCH 06/12] __wr_after_init: Documentation: self-protection
  [PATCH 07/12] __wr_after_init: lkdtm test
  [PATCH 08/12] rodata_test: refactor tests
  [PATCH 09/12] rodata_test: add verification for __wr_after_init
  [PATCH 10/12] __wr_after_init: test write rare functionality
  [PATCH 11/12] IMA: turn ima_policy_flags into __wr_after_init
  [PATCH 12/12] x86_64: __clear_user as case of __memset_user

 Documentation/security/self-protection.rst |  14 ++-
 arch/Kconfig                               |  15 +++
 arch/x86/Kconfig                           |   1 +
 arch/x86/include/asm/uaccess_64.h          |   6 +
 arch/x86/lib/usercopy_64.c                 |  41 +++++--
 arch/x86/mm/Makefile                       |   2 +
 arch/x86/mm/prmem.c                        | 127 +++++++++++++++++++++
 drivers/misc/lkdtm/core.c                  |   3 +
 drivers/misc/lkdtm/lkdtm.h                 |   3 +
 drivers/misc/lkdtm/perms.c                 |  29 +++++
 include/asm-generic/vmlinux.lds.h          |  25 +++++
 include/linux/cache.h                      |  21 ++++
 include/linux/prmem.h                      | 142 ++++++++++++++++++++++++
 init/main.c                                |   2 +
 mm/Kconfig.debug                           |  16 +++
 mm/Makefile                                |   1 +
 mm/rodata_test.c                           |  69 ++++++++----
 mm/test_write_rare.c                       | 135 ++++++++++++++++++++++
 security/integrity/ima/ima.h               |   3 +-
 security/integrity/ima/ima_init.c          |   5 +-
 security/integrity/ima/ima_policy.c        |   9 +-
 21 files changed, 629 insertions(+), 40 deletions(-)
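
The two properties the cover letter relies on, a dedicated range that every write is checked against and an alternate map used for the store, can be tried in user space. The block below is an added illustration and not code from this patch set; all names in it are hypothetical, and it assumes a POSIX system where tmpfile() and a shared mmap() of the same file twice are available.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* User-space analogue; every name below is hypothetical, not from the patches. */
static unsigned char *wr_ro;   /* read-only view, used by all normal code */
static unsigned char *wr_alt;  /* writable alias of the same pages */
static size_t wr_size;

/* Map one memory object twice: a read-only view and a writable alias. */
int wr_region_init(size_t size)
{
    FILE *f = tmpfile();       /* anonymous backing object for both views */
    void *ro, *alt;
    if (!f)
        return -1;
    if (ftruncate(fileno(f), (off_t)size) != 0) {
        fclose(f);
        return -1;
    }
    ro = mmap(NULL, size, PROT_READ, MAP_SHARED, fileno(f), 0);
    alt = mmap(NULL, size, PROT_READ | PROT_WRITE, MAP_SHARED, fileno(f), 0);
    fclose(f);                 /* the mappings outlive the descriptor */
    if (ro == MAP_FAILED || alt == MAP_FAILED)
        return -1;
    wr_ro = ro; wr_alt = alt; wr_size = size;
    return 0;
}

/* 1 only if [dst, dst + len) is inside the view; subtraction form, so a huge len cannot wrap. */
int wr_in_range(const void *dst, size_t len)
{
    uintptr_t start = (uintptr_t)wr_ro, p = (uintptr_t)dst;
    if (p < start || p - start > wr_size)
        return 0;
    return len <= wr_size - (p - start);
}

/* Single write path: validate the target, then store through the alias at
 * the same offset. The read-only view itself never becomes writable. */
int wr_write(const void *dst, const void *src, size_t len)
{
    if (!wr_in_range(dst, len))
        return -1;             /* target is not write-rare memory */
    memcpy(wr_alt + ((const unsigned char *)dst - wr_ro), src, len);
    return 0;
}
```

Callers pass the address in the read-only view; a target outside the region, or a length that runs past its end, is refused before any store happens.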