Re: [PATCH 00/12] [RFC] x86: Memory Protection Keys

From: One Thousand Gnomes
Date: Thu May 07 2015 - 16:11:37 EST

Next message: Paul Bolle: "Re: [PATCH v1 03/12] crypto: qat - address recursive dependency when fw signing is enabled"
Previous message: Jean Delvare: "Re: [RFC] i2c-tools: i2ctransfer: add new tool"
In reply to: Dave Hansen: "Re: [PATCH 00/12] [RFC] x86: Memory Protection Keys"
Next in thread: Christian Borntraeger: "Re: [PATCH 00/12] [RFC] x86: Memory Protection Keys"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Thu, 7 May 2015 21:26:20 +0200
Ingo Molnar <mingo@xxxxxxxxxx> wrote:

>
> * One Thousand Gnomes <gnomes@xxxxxxxxxxxxxxxxxxx> wrote:
>
> > > We could keep heap metadata as R/O and only make it R/W inside of
> > > malloc() itself to catch corruption more quickly.
> >
> > If you implement multiple malloc pools you can chop up lots of
> > stuff.
>
> I'd say that a 64-bit address space is large enough to hide buffers in
> from accidental corruption, without any runtime page protection
> flipping overhead?

I'd say no. And from actual real world demand for PK the answer is also
no. It's already a problem with very large data sets. Worse still in many
cases its a problem that nobody is actually measuring or doing much about
(because mprotect on many gigabytes of data is expensive).

> > In library land it isn't just stuff like malloc, you can use it as a
> > debug weapon to protect library private data from naughty
> > application code.
> >
> > There are some other debug uses when catching faults - fast ways to
> > do range access breakpoints for example.
>
> I think libraries are happy enough to work without bugs - apps digging
> around in library data are in a "you keep all the broken pieces"
> situation, why would a library want to slow down every good citizen
> down with extra protection flipping/unflipping accesses?

For debugging, when the library maintained data is sensitive or
something you don't want corupted, or because the user puts security
first. Protection keys are an awful lot faster than mprotect. You've got
no synchronization and shootdowns to do just a CPU register to load to
indicate which mask of keys you are happy with. That really changes what
it is useful for, because it's cheap. It means you can happily do stuff
like

while(data_blocks) {
allow_key_and_source_access();
do_crypto_func();
revoke_key_and_source_access();
do_network_io(); /* Can't accidentally leak keys or
input */
}

> Also, will apps/libraries bother if it's not a standard API and if it
> only runs on very fresh CPUs?

In time I think yes.

Alan
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Paul Bolle: "Re: [PATCH v1 03/12] crypto: qat - address recursive dependency when fw signing is enabled"
Previous message: Jean Delvare: "Re: [RFC] i2c-tools: i2ctransfer: add new tool"
In reply to: Dave Hansen: "Re: [PATCH 00/12] [RFC] x86: Memory Protection Keys"
Next in thread: Christian Borntraeger: "Re: [PATCH 00/12] [RFC] x86: Memory Protection Keys"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]