Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Wed, 24 Oct 2018 16:30:42 +0530
From: Khalid Aziz <khalid.aziz@...cle.com>
To: "Stecklina, Julian" <jsteckli@...zon.de>
Cc: "juerg.haefliger@....com" <juerg.haefliger@....com>,
        "deepa.srinivasan@...cle.com" <deepa.srinivasan@...cle.com>,
        "jmattson@...gle.com" <jmattson@...gle.com>,
        "andrew.cooper3@...rix.com" <andrew.cooper3@...rix.com>,
        "Woodhouse, David" <dwmw@...zon.co.uk>,
        "torvalds@...ux-foundation.org" <torvalds@...ux-foundation.org>,
        "linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>,
        "linux-mm@...ck.org" <linux-mm@...ck.org>,
        "boris.ostrovsky@...cle.com" <boris.ostrovsky@...cle.com>,
        "pradeep.vincent@...cle.com" <pradeep.vincent@...cle.com>,
        "konrad.wilk@...cle.com" <konrad.wilk@...cle.com>,
        "tglx@...utronix.de" <tglx@...utronix.de>,
        "kanth.ghatraju@...cle.com" <kanth.ghatraju@...cle.com>,
        "joao.m.martins@...cle.com" <joao.m.martins@...cle.com>,
        "liran.alon@...cle.com" <liran.alon@...cle.com>,
        "ak@...ux.intel.com" <ak@...ux.intel.com>,
        "keescook@...gle.com" <keescook@...gle.com>,
        "kernel-hardening@...ts.openwall.com" <kernel-hardening@...ts.openwall.com>,
        "chris.hyser@...cle.com" <chris.hyser@...cle.com>,
        "tyhicks@...onical.com" <tyhicks@...onical.com>,
        "john.haxby@...cle.com" <john.haxby@...cle.com>,
        "jcm@...hat.com" <jcm@...hat.com>
Subject: Re: Redoing eXclusive Page Frame Ownership (XPFO) with isolated CPUs
 in mind (for KVM to isolate its guests per CPU)

On 10/15/2018 01:37 PM, Khalid Aziz wrote:
> On 09/24/2018 08:45 AM, Stecklina, Julian wrote:
>> I didn't test the version with TLB flushes, because it's clear that the
>> overhead is so bad that no one wants to use this.
> 
> I don't think we can ignore the vulnerability caused by not flushing 
> stale TLB entries. On a mostly idle system, TLB entries hang around long 
> enough to make it fairly easy to exploit this. I was able to use the 
> additional test in lkdtm module added by this patch series to 
> successfully read pages unmapped from physmap by just waiting for system 
> to become idle. A rogue program can simply monitor system load and mount 
> its attack using ret2dir exploit when system is mostly idle. This brings 
> us back to the prohibitive cost of TLB flushes. If we are unmapping a 
> page from physmap every time the page is allocated to userspace, we are 
> forced to incur the cost of TLB flushes in some way. Work Tycho was 
> doing to implement Dave's suggestion can help here. Once Tycho has 
> something working, I can measure overhead on my test machine. Tycho, I 
> can help with your implementation if you need.

I looked at Tycho's last patch with batch update from 
<https://lkml.org/lkml/2017/11/9/951>. I ported it on top of Julian's 
patches and got it working well enough to gather performance numbers. 
Here is what I see for system times on a machine with dual Xeon E5-2630 
and 256GB of memory when running "make -j30 all" on 4.18.6 kernel 
(percentages are relative to base 4.19-rc8 kernel without xpfo):


Base 4.19-rc8				913.84s
4.19-rc8 + xpfo, no TLB flush		1027.985s (+12.5%)
4.19-rc8 + batch update, no TLB flush	970.39s (+6.2%)
4.19-rc8 + xpfo, TLB flush		8458.449s (+825.6%)
4.19-rc8 + batch update, TLB flush	4665.659s (+410.6%)

Batch update is significant improvement but we are starting so far 
behind baseline, it is still a huge slow down.

--
Khalid

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.