Date: Tue, 15 Aug 2017 08:15:30 -0400
From: Jordan Glover <Golden_Miller83@...tonmail.ch>
To: Ingo Molnar <mingo@...nel.org>
Cc: Thomas Garnier <thgarnie@...gle.com>, Herbert Xu <herbert@...dor.apana.org.au>, Peter Zijlstra <peterz@...radead.org>, Arnd Bergmann <arnd@...db.de>, Tom Lendacky <thomas.lendacky@....com>, Andy Lutomirski <luto@...nel.org>, Len Brown <len.brown@...el.com>, Pavel Machek <pavel@....cz>, Tejun Heo <tj@...nel.org>, Christoph Lameter <cl@...ux.com>, Chris Metcalf <cmetcalf@...lanox.com>, Markus Trippelsdorf <markus@...ppelsdorf.de>, Kees Cook <keescook@...omium.org>, Rik van Riel <riel@...hat.com>, David Howells <dhowells@...hat.com>, Waiman Long <longman@...hat.com>, Peter Foley <pefoley2@...oley.com>, Tim Chen <tim.c.chen@...ux.intel.com>, Ard Biesheuvel <ard.biesheuvel@...aro.org>, Michal Hocko <mhocko@...e.com>, "H . J . Lu" <hjl.tools@...il.com>, Daniel Micay <danielmicay@...il.com>, LKML <linux-kernel@...r.kernel.org>, Kernel Hardening <kernel-hardening@...ts.openwall.com>
Subject: Re: Re: x86: PIE support and option to extend KASLR randomization

Hello,
I write to put a different perspective on the topic. I'm glad that kernel developers care about performance optimizations and I see how 10% overhead can be a problem for some. On the other hand, the last ten years gave us 1000% faster hardware, which trumps anything software can do. For many users like us performance isn't a problem; we have plenty of it and if we don't, we can buy it. It can be a money problem, not a software engineering problem.

For security it's not that easy for us. We can't buy more of it, as it's impossible to buy something that doesn't exist. All new proposed kernel security features are either disabled by default or have an option to disable them. Users who prioritize performance can disable every costly security feature that exists in the kernel; they simply don't matter for them. Users who prioritize security can enable those security options, but they can't enable those which aren't available at all, which means they're often left with nothing.

I hope you see that those two kinds of users and their priorities are treated very unequally in current kernel development. On the one hand, kernel developers for years made many painstaking optimizations; on the other hand, security-related work of other developers, which is just as hard, gets constant opposition and is often completely rejected.

I believe there is room for both performance and security in the kernel as long as they have optionality built in. My point is that kernel developers shouldn't "a priori" decide what's more important, as there are more different use cases and needs than they can imagine.

> -------- Original Message --------
> Subject: [kernel-hardening] Re: x86: PIE support and option to extend KASLR randomization
> Local Time: August 15, 2017 7:56 AM
> UTC Time: August 15, 2017 7:56 AM
> From: mingo@...nel.org
> To: Thomas Garnier <thgarnie@...gle.com>
> Herbert Xu <herbert@...dor.apana.org.au>, David S . Miller <davem@...emloft.net>, Thomas Gleixner <tglx@...utronix.de>, Ingo Molnar <mingo@...hat.com>, H . Peter Anvin <hpa@...or.com>, Peter Zijlstra <peterz@...radead.org>, Josh Poimboeuf <jpoimboe@...hat.com>, Arnd Bergmann <arnd@...db.de>, Matthias Kaehlcke <mka@...omium.org>, Boris Ostrovsky <boris.ostrovsky@...cle.com>, Juergen Gross <jgross@...e.com>, Paolo Bonzini <pbonzini@...hat.com>, Radim Krčmář <rkrcmar@...hat.com>, Joerg Roedel <joro@...tes.org>, Tom Lendacky <thomas.lendacky@....com>, Andy Lutomirski <luto@...nel.org>, Borislav Petkov <bp@...e.de>, Brian Gerst <brgerst@...il.com>, Kirill A . Shutemov <kirill.shutemov@...ux.intel.com>, Rafael J . Wysocki <rjw@...ysocki.net>, Len Brown <len.brown@...el.com>, Pavel Machek <pavel@....cz>, Tejun Heo <tj@...nel.org>, Christoph Lameter <cl@...ux.com>, Paul Gortmaker <paul.gortmaker@...driver.com>, Chris Metcalf <cmetcalf@...lanox.com>, Andrew Morton <akpm@...ux-foundation.org>, Paul E . McKenney <paulmck@...ux.vnet.ibm.com>, Nicolas Pitre <nicolas.pitre@...aro.org>, Christopher Li <sparse@...isli.org>, Rafael J . Wysocki <rafael.j.wysocki@...el.com>, Lukas Wunner <lukas@...ner.de>, Mika Westerberg <mika.westerberg@...ux.intel.com>, Dou Liyang <douly.fnst@...fujitsu.com>, Daniel Borkmann <daniel@...earbox.net>, Alexei Starovoitov <ast@...nel.org>, Masahiro Yamada <yamada.masahiro@...ionext.com>, Markus Trippelsdorf <markus@...ppelsdorf.de>, Steven Rostedt <rostedt@...dmis.org>, Kees Cook <keescook@...omium.org>, Rik van Riel <riel@...hat.com>, David Howells <dhowells@...hat.com>, Waiman Long <longman@...hat.com>, Kyle Huey <me@...ehuey.com>, Peter Foley <pefoley2@...oley.com>, Tim Chen <tim.c.chen@...ux.intel.com>, Catalin Marinas <catalin.marinas@....com>, Ard Biesheuvel <ard.biesheuvel@...aro.org>, Michal Hocko <mhocko@...e.com>, Matthew Wilcox <mawilcox@...rosoft.com>, H . J . Lu <hjl.tools@...il.com>, Paul Bolle <pebolle@...cali.nl>, Rob Landley <rob@...dley.net>, Baoquan He <bhe@...hat.com>, Daniel Micay <danielmicay@...il.com>, the arch/x86 maintainers <x86@...nel.org>, linux-crypto@...r.kernel.org, LKML <linux-kernel@...r.kernel.org>, xen-devel@...ts.xenproject.org, kvm list <kvm@...r.kernel.org>, Linux PM list <linux-pm@...r.kernel.org>, linux-arch <linux-arch@...r.kernel.org>, linux-sparse@...r.kernel.org, Kernel Hardening <kernel-hardening@...ts.openwall.com>, Linus Torvalds <torvalds@...ux-foundation.org>, Peter Zijlstra <a.p.zijlstra@...llo.nl>, Borislav Petkov <bp@...en8.de>
>
> * Thomas Garnier <thgarnie@...gle.com> wrote:
>
>> > Do these changes get us closer to being able to build the kernel as truly
>> > position independent, i.e. to place it anywhere in the valid x86-64 address
>> > space? Or any other advantages?
>>
>> Yes, PIE allows us to put the kernel anywhere in memory. It will allow us to
>> have a full randomized address space where position and order of sections are
>> completely random. There is still some work to get there but being able to build
>> a PIE kernel is a significant step.
>
> So I _really_ dislike the whole PIE approach, because of the huge slowdown:
>
> +config RANDOMIZE_BASE_LARGE
> + bool "Increase the randomization range of the kernel image"
> + depends on X86_64 && RANDOMIZE_BASE
> + select X86_PIE
> + select X86_MODULE_PLTS if MODULES
> + default n
> + ---help---
> + Build the kernel as a Position Independent Executable (PIE) and
> + increase the available randomization range from 1GB to 3GB.
> +
> + This option impacts performance on kernel CPU intensive workloads up
> + to 10% due to PIE generated code. Impact on user-mode processes and
> + typical usage would be significantly less (0.50% when you build the
> + kernel).
> +
> + The kernel and modules will generate slightly more assembly (1 to 2%
> + increase on the .text sections). The vmlinux binary will be
> + significantly smaller due to less relocations.
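Review bot: the `default n` line in this Kconfig entry is redundant, since a bool option with no default is already n; drop it. In the help text, "due to less relocations" should read "due to fewer relocations", and the "up to 10%" figure for "kernel CPU intensive workloads" would be far easier for a user (and for reviewers) to weigh if the help text or the commit message named the workloads and baseline it was measured on, since the 0.50% kernel-build number is the only concrete measurement given.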
>
> To put 10% kernel overhead into perspective: enabling this option wipes out about
> 5-10 years worth of painstaking optimizations we've done to keep the kernel fast
> ... (!!)
>
> I think the fundamental flaw is the assumption that we need a PIE executable to
> have a freely relocatable kernel on 64-bit CPUs.
>
> Have you considered a kernel with -mcmodel=small (or medium) instead of -fpie
> -mcmodel=large? We can pick a random 2GB window in the (non-kernel) canonical
> x86-64 address space to randomize the location of kernel text. The location of
> modules can be further randomized within that 2GB window.
>
> It should have far less performance impact than the register-losing and
> overhead-inducing -fpie / -mcmodel=large (for modules) execution models.
>
> My quick guess is that the performance impact might be close to zero in fact.
>
> Thanks,
>
> Ingo
