On Wed, Jun 03, 2026 at 10:57:49AM +0200, Ard Biesheuvel wrote: > (cc Marc) > > On Tue, 2 Jun 2026, at 22:34, Will Deacon wrote: > > On Fri, 29 May 2026 17:01:51 +0200, Ard Biesheuvel wrote: > >> One of the reasons the lack of randomization of the linear map on arm64 > >> is considered problematic is the fact that bootloaders adhering to the > >> original arm64 boot protocol (i.e., a substantial fraction of all > >> Android phones) may place the kernel at the base of DRAM, and therefore > >> at the base of the non-randomized linear map. This puts a writable alias > >> of the kernel's data and bss regions at a predictable location, removing > >> the need for an attacker to guess where KASLR mapped the kernel. > >> > >> [...] > > > > It would've been nice to hear from the ppc folks on patch 11, but I've > > picked it up on the assumption that they'll love the negative diff stat. > > Worst case, we can drop/revert stuff if they have late objections. > > > > Thanks. > > There is a de facto ack from Michael Ellerman in the Link:, which is why > I included it. > > Note that Sashiko found an issue with KVM+MTE, where a read-only mapping > of the zero page in the linear map may result in issues: > > """ > Does moving the zero page to .rodata (or unmapping/read-only mapping its > linear alias) expose a guest-to-host denial of service with KVM and MTE? > When an MTE-enabled KVM guest reads an unmapped memory address, KVM handles > the stage-2 fault by mapping the host's shared zero page. KVM will then > call sanitise_mte_tags() in arch/arm64/kvm/mmu.c. > Since the PG_mte_tagged flag is never set on the zero page, KVM's > try_page_mte_tagging() succeeds, and it calls mte_clear_page_tags(). > This executes the STGM instruction using the zero page's linear map alias. > If this alias is read-only or unmapped, won't the STGM instruction trigger > a synchronous permission fault or translation fault in EL1, causing a host > kernel panic? > """ > > Marc seems to think it is legit, so I came up with the following (I'll send > it out separately with another pair of tweaks):
Thanks, it also looks like we're getting some early WARN_ON()s firing in CI from split_kernel_leaf_mapping() after applying your changes: https://s3.amazonaws.com/arr-cki-prod-trusted-artifacts/trusted-artifacts/2571596185/test_aarch64/14662134813/artifacts/jobwatch/logs/recipes/21399931/tasks/219104268/results/1007729692/logs/journalctl.log Will
