|
Message-ID: <CAGXu5j+RA+fepUEXoqXEBmyhBokQxv0csO=VuzFpHd4Fk4dH4A@mail.gmail.com> Date: Thu, 11 Aug 2016 15:16:50 -0700 From: Kees Cook <keescook@...omium.org> To: Arnd Bergmann <arnd@...db.de> Cc: Russell King - ARM Linux <linux@...linux.org.uk>, "linux-arm-kernel@...ts.infradead.org" <linux-arm-kernel@...ts.infradead.org>, linux-arch <linux-arch@...r.kernel.org>, Ard Biesheuvel <ard.biesheuvel@...aro.org>, "x86@...nel.org" <x86@...nel.org>, LKML <linux-kernel@...r.kernel.org>, "kernel-hardening@...ts.openwall.com" <kernel-hardening@...ts.openwall.com>, Andrew Morton <akpm@...ux-foundation.org>, Mathias Krause <minipli@...glemail.com> Subject: Re: [PATCH 2/2] arm: apply more __ro_after_init On Thu, Aug 11, 2016 at 8:54 AM, Arnd Bergmann <arnd@...db.de> wrote: > On Thursday, August 11, 2016 12:06:45 AM CEST Russell King - ARM Linux wrote: >> On Wed, Aug 10, 2016 at 09:41:23PM +0200, Arnd Bergmann wrote: >> > It might be better to start by making the fixed mapping readonly, >> > as KASLR doesn't protect that one at all, and change the TLS >> > code accordingly. >> >> I think that's impossible, because we gave userspace permission to >> read 0xffff0ff0 directly without using __kuser_get_tls. You're >> talking about potentially breaking userspace. >> >> If you disable kuser helpers, then the page becomes read-only and >> invisible to userspace anyway. So, everything is being done there >> which can be done - if you have kuser helpers enabled, then you >> lose some opportunities for these security improvements. > > What I meant was writing to the page through the linear mapping > rather than the virtual mapping at 0xffff0000 so we can leave that > one read-only (I did not consider whether that might cause cache > aliasing problems when reading from the other address). > > Your other point is more important though: if one really cares > about optimizing security here, they probably should disable > kuser helpers completely anyway. > > Kees, is that something you have on your radar already? It wasn't no. I will add it. :) -Kees -- Kees Cook Nexus Security
Powered by blists - more mailing lists
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.