From patchwork Wed Jan 3 18:56:00 2024
X-Patchwork-Submitter: Maxwell Bland
X-Patchwork-Id: 13510520
From: Maxwell Bland
To: "bpf@vger.kernel.org"
CC: Andrew Wheeler, Sammy BS2 Que | 阙斌生, "di_jin@brown.edu", Greg KH, "vpk@cs.brown.edu", "v.atlidakis@gmail.com"
Subject: [PATCH 1/2] Adding BPF NX
Date: Wed, 3 Jan 2024 18:56:00 +0000
X-Mailing-List: bpf@vger.kernel.org
From: Tenut
Subject: [PATCH 1/2] Adding BPF NX

Reserve a memory region for BPF programs, and check for it in the interpreter. This simulates the effect of non-executable memory for BPF execution.

Signed-off-by: Maxwell Bland
--- arch/x86/include/asm/pgtable_64_types.h | 9 +++++++++ arch/x86/mm/fault.c | 6 +++++- kernel/bpf/Kconfig | 16 +++++++++++++++ kernel/bpf/core.c | 35 ++++++++++++++++++++++++++++++--- 4 files changed, 62 insertions(+), 4 deletions(-) diff --git a/arch/x86/include/asm/pgtable_64_types.h b/arch/x86/include/asm/pgtable_64_types.h index 38b54b992f32..ad11651eb073 100644 --- a/arch/x86/include/asm/pgtable_64_types.h +++ b/arch/x86/include/asm/pgtable_64_types.h @@ -123,6 +123,9 @@ extern unsigned int ptrs_per_p4d; #define __VMALLOC_BASE_L4 0xffffc90000000000UL #define __VMALLOC_BASE_L5 0xffa0000000000000UL +#ifdef CONFIG_BPF_NX +#define __BPF_VBASE 0xffffeb0000000000UL +#endif #define VMALLOC_SIZE_TB_L4 32UL #define VMALLOC_SIZE_TB_L5 12800UL @@ -169,6 +172,12 @@ extern unsigned int ptrs_per_p4d; #define VMALLOC_QUARTER_SIZE ((VMALLOC_SIZE_TB << 40) >> 2) #define VMALLOC_END (VMALLOC_START + VMALLOC_QUARTER_SIZE - 1) +#ifdef CONFIG_BPF_NX +#define BPF_SIZE_GB 512UL +#define BPF_VSTART __BPF_VBASE +#define BPF_VEND (BPF_VSTART + _AC(BPF_SIZE_GB << 30, UL)) +#endif /* CONFIG_BPF_NX */ + /* * vmalloc metadata addresses are calculated by adding shadow/origin offsets * to vmalloc address. diff --git a/arch/x86/mm/fault.c b/arch/x86/mm/fault.c index ab778eac1952..cfb63ef72168 100644 --- a/arch/x86/mm/fault.c +++ b/arch/x86/mm/fault.c @@ -235,7 +235,11 @@ static noinline int vmalloc_fault(unsigned long address) pte_t *pte_k; /* Make sure we are in vmalloc area: */ - if (!(address >= VMALLOC_START && address < VMALLOC_END)) + if (!(address >= VMALLOC_START && address < VMALLOC_END) +#ifdef BPF_NX + && !(address >= BPF_VSTART && address < BPF_VEND) +#endif + ) return -1; /*
diff --git a/kernel/bpf/Kconfig b/kernel/bpf/Kconfig index 6a906ff93006..7160dcaaa58a 100644 --- a/kernel/bpf/Kconfig +++ b/kernel/bpf/Kconfig @@ -86,6 +86,22 @@ config BPF_UNPRIV_DEFAULT_OFF If you are unsure how to answer this question, answer Y. +config BPF_HARDENING + bool "Enable BPF interpreter hardening" + select BPF + depends on X86_64 && !RANDOMIZE_MEMORY && !BPF_JIT_ALWAYS_ON + default n + help + Enhance bpf interpreter's security + +config BPF_NX +bool "Enable bpf NX" + depends on BPF_HARDENING && !DYNAMIC_MEMORY_LAYOUT + default n + help + Allocate eBPF programs in seperate area and make sure the + interpreted programs are in the region. + source "kernel/bpf/preload/Kconfig" config BPF_LSM diff --git a/kernel/bpf/core.c b/kernel/bpf/core.c index fe254ae035fe..56d9e8d4a6de 100644 --- a/kernel/bpf/core.c +++ b/kernel/bpf/core.c @@ -88,6 +88,34 @@ void *bpf_internal_load_pointer_neg_helper(const struct sk_buff *skb, int k, uns return NULL; } +#ifdef CONFIG_BPF_NX +#define BPF_MEMORY_ALIGN roundup_pow_of_two(sizeof(struct bpf_prog) + \ + BPF_MAXINSNS * sizeof(struct bpf_insn)) +static void *__bpf_vmalloc(unsigned long size, gfp_t gfp_mask) +{ + return __vmalloc_node_range(size, BPF_MEMORY_ALIGN, BPF_VSTART, BPF_VEND, + gfp_mask, PAGE_KERNEL, 0, NUMA_NO_NODE, + __builtin_return_address(0)); +} + +static void bpf_insn_check_range(const struct bpf_insn *insn) +{ + if ((unsigned long)insn < BPF_VSTART + || (unsigned long)insn >= BPF_VEND - sizeof(struct bpf_insn)) + BUG(); +} + +#else +static void *__bpf_vmalloc(unsigned long size, gfp_t gfp_mask) +{ + return __vmalloc(size, gfp_mask); +} + +static void bpf_insn_check_range(const struct bpf_insn *insn) +{ +} +#endif /* CONFIG_BPF_NX */ + struct bpf_prog *bpf_prog_alloc_no_stats(unsigned int size, gfp_t gfp_extra_flags) { gfp_t gfp_flags = bpf_memcg_flags(GFP_KERNEL | __GFP_ZERO | gfp_extra_flags); 
@@ -95,7 +123,7 @@ struct bpf_prog *bpf_prog_alloc_no_stats(unsigned int size, gfp_t gfp_extra_flag struct bpf_prog *fp; size = round_up(size, PAGE_SIZE); - fp = __vmalloc(size, gfp_flags); + fp = __bpf_vmalloc(size, gfp_flags); if (fp == NULL) return NULL; @@ -246,7 +274,7 @@ struct bpf_prog *bpf_prog_realloc(struct bpf_prog *fp_old, unsigned int size, if (pages <= fp_old->pages) return fp_old; - fp = __vmalloc(size, gfp_flags); + fp = __bpf_vmalloc(size, gfp_flags); if (fp) { memcpy(fp, fp_old, fp_old->pages * PAGE_SIZE); fp->pages = pages; @@ -1380,7 +1408,7 @@ static struct bpf_prog *bpf_prog_clone_create(struct bpf_prog *fp_other, gfp_t gfp_flags = GFP_KERNEL | __GFP_ZERO | gfp_extra_flags; struct bpf_prog *fp; - fp = __vmalloc(fp_other->pages * PAGE_SIZE, gfp_flags); + fp = __bpf_vmalloc(fp_other->pages * PAGE_SIZE, gfp_flags); if (fp != NULL) { /* aux->prog still points to the fp_other one, so * when promoting the clone to the real program, @@ -1695,6 +1723,7 @@ static u64 ___bpf_prog_run(u64 *regs, const struct bpf_insn *insn) #define CONT_JMP ({ insn++; goto select_insn; }) select_insn: + bpf_insn_check_range(insn); goto *jumptable[insn->code]; /* Explicitly mask the register-based shift amounts with 63 or 31
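Review bot: `__BPF_VBASE` in the arch/x86/include/asm/pgtable_64_types.h hunks is a single hard-coded address with no comment, while the neighbouring `__VMALLOC_BASE_L4` and `__VMALLOC_BASE_L5` carry one value per paging level. Please add a comment that says why 0xffffeb0000000000 plus `BPF_SIZE_GB` is free in the layout this option supports and which layouts are excluded. In the second hunk, `_AC(BPF_SIZE_GB << 30, UL)` is redundant because `BPF_SIZE_GB` is already `512UL`; `(BPF_VSTART + (BPF_SIZE_GB << 30))` would match the style of `VMALLOC_QUARTER_SIZE` just above it.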
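Review bot: the guard in the arch/x86/mm/fault.c hunk is `#ifdef BPF_NX`, while every other hunk in this patch tests `CONFIG_BPF_NX`, so with the Kconfig symbol alone the added `BPF_VSTART`/`BPF_VEND` clause is not compiled and `vmalloc_fault()` still returns -1 for addresses in the BPF range. Change it to `#ifdef CONFIG_BPF_NX`, and update the "Make sure we are in vmalloc area" comment to cover the second range. A small helper for the range test would also avoid the preprocessor block in the middle of the `if` condition.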
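Review bot: `BPF_HARDENING` in the kernel/bpf/Kconfig hunk depends on `!RANDOMIZE_MEMORY` (and `BPF_NX` additionally on `!DYNAMIC_MEMORY_LAYOUT`), so enabling this hardening means building without memory-layout randomization, and neither help text says so. Please state that trade-off in the help, along with the facts that the check applies to the interpreter only (the dependency excludes only `BPF_JIT_ALWAYS_ON`) and that a failed check ends in `BUG()`. Smaller points in the same hunk: the `bool "Enable bpf NX"` line appears to have no leading indentation, "seperate" should be "separate", and "Enhance bpf interpreter's security" does not tell a user what the option does.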
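Review bot: `bpf_insn_check_range()` in the first kernel/bpf/core.c hunk calls `BUG()` on a failed check, which is a heavy response from inside the interpreter and is not justified in the commit message; please explain why crashing is preferred here or use a recoverable path. The upper bound `>= BPF_VEND - sizeof(struct bpf_insn)` also rejects an instruction that ends exactly at `BPF_VEND`, where `>` would be the exact limit. The check only establishes that `insn` lies somewhere in the reserved region, which also holds the `struct bpf_prog` headers allocated by `__bpf_vmalloc()`, so a comment describing what is and is not guaranteed would help. The choice of `BPF_MEMORY_ALIGN` as the alignment for every allocation needs a comment too.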
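Review bot: the `bpf_insn_check_range(insn)` call added at `select_insn:` in `___bpf_prog_run()` runs before every interpreted instruction, and neither the commit message nor the Kconfig help mentions the cost. Please include interpreter benchmark numbers with and without `CONFIG_BPF_NX` in the commit message, and mark the empty `!CONFIG_BPF_NX` stub `static inline` so the disabled case is visibly free.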