Re: [RFC PATCH v2 13/15] arm64: mm: Guard page table writes with kpkeys

Hi Kevin, On 2025/1/8 18:32, Kevin Brodsky wrote: When CONFIG_KPKEYS_HARDENED_PGTABLES is enabled, page tables (both user and kernel) are mapped with a privileged pkey in the linear mapping. As a result, they can only be written under the kpkeys_hardened_pgtables guard, which sets POR_EL1 approp

[linus:master] [fortify] 239d87327d: vm-scalability.throughput 17.3% improvement

Hello, kernel test robot noticed a 17.3% improvement of vm-scalability.throughput on: commit: 239d87327dcd361b0098038995f8908f3296864f ("fortify: Hide run-time copy size from value range tracking") https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git master testcase: vm-scalabi

Re: [PATCH] pstore/blk: trivial typo fixes

On Wed, 01 Jan 2025 13:19:21 +0200, Eugen Hristev wrote: > Fix trivial typos in comments. > > Applied to for-next/pstore, thanks! [1/1] pstore/blk: trivial typo fixes https://git.kernel.org/kees/c/542243af7182 Take care, -- Kees Cook

Re: [PATCH] hardening: Document INIT_STACK_ALL_PATTERN behavior with GCC

On Tue, 07 Jan 2025 09:38:57 +0100, Geert Uytterhoeven wrote: > The help text for INIT_STACK_ALL_PATTERN documents the patterns used by > Clang, but lacks documentation for GCC. > > Applied to for-next/hardening, thanks! [1/1] hardening: Document INIT_STACK_ALL_PATTERN behavior with GCC h

Re: [PATCH] fortify: turn strlen() into an inline function using __builtin_constant_p()

On Wed, Jan 08, 2025 at 11:27:51PM +0900, Vincent Mailhol wrote: > The strlen(p) function-like macro uses: > > __is_constexpr(__builtin_strlen(p)) > > in which GCC would only yield true if the argument p is a string > literal. Otherwise, GCC would return false even if p is a const > string. >

[PATCH] fortify: turn strlen() into an inline function using __builtin_constant_p()

The strlen(p) function-like macro uses: __is_constexpr(__builtin_strlen(p)) in which GCC would only yield true if the argument p is a string literal. Otherwise, GCC would return false even if p is a const string. In contrary, by using: __builtin_constant_p(__builtin_strlen(p)) then GCC can

[RFC PATCH v2 14/15] arm64: Enable kpkeys_hardened_pgtables support

kpkeys_hardened_pgtables should be enabled as early as possible (if selected). It does however require kpkeys being available, which means on arm64 POE being detected and enabled. POE is a boot feature, so calling kpkeys_hardened_pgtables_enable() just after setup_boot_cpu_features() in smp_prepare

[RFC PATCH v2 15/15] mm: Add basic tests for kpkeys_hardened_pgtables

Add basic tests for the kpkeys_hardened_pgtables feature: try to perform a direct write to some kernel and user page table entry and ensure it fails. Signed-off-by: Kevin Brodsky --- mm/Makefile| 1 + mm/kpkeys_hardened_pgtables_test.c | 72 ++

[RFC PATCH v2 13/15] arm64: mm: Guard page table writes with kpkeys

When CONFIG_KPKEYS_HARDENED_PGTABLES is enabled, page tables (both user and kernel) are mapped with a privileged pkey in the linear mapping. As a result, they can only be written under the kpkeys_hardened_pgtables guard, which sets POR_EL1 appropriately to allow such writes. Use this guard whereve

[RFC PATCH v2 12/15] arm64: kpkeys: Support KPKEYS_LVL_PGTABLES

Enable RW access to KPKEYS_PKEY_PGTABLES (used to map page table pages) if switching to KPKEYS_LVL_PGTABLES, otherwise only grant RO access. Signed-off-by: Kevin Brodsky --- arch/arm64/include/asm/kpkeys.h | 2 ++ 1 file changed, 2 insertions(+) diff --git a/arch/arm64/include/asm/kpkeys.h b/ar

[RFC PATCH v2 11/15] mm: Map page tables with privileged pkey

If CONFIG_KPKEYS_HARDENED_PGTABLES is enabled, map allocated page table pages using a privileged pkey (KPKEYS_PKEY_PGTABLES), so that page tables can only be written under guard(kpkeys_hardened_pgtables). This patch is a no-op if CONFIG_KPKEYS_HARDENED_PGTABLES is disabled (default). Signed-off-b

[RFC PATCH v2 07/15] arm64: Enable kpkeys

This is the final step to enable kpkeys on arm64. We enable POE at EL1 by setting TCR2_EL1.POE, and initialise POR_EL1 so that it enables access to the default pkey/POIndex (default kpkeys level). An ISB is added so that POE restrictions are enforced immediately. Having done this, we can now selec

[RFC PATCH v2 10/15] mm: Allow __pagetable_ctor() to fail

In preparation for adding construction hooks (that may fail) to __pagetable_ctor(), make __pagetable_ctor() return a bool, propagate it to pagetable_*_ctor() and handle failure in the generic {pud,p4d,pgd}_alloc. Signed-off-by: Kevin Brodsky --- include/asm-generic/pgalloc.h | 15 ---

[RFC PATCH v2 09/15] mm: Introduce kpkeys_hardened_pgtables

kpkeys_hardened_pgtables is a hardening feature based on kpkeys. It aims to prevent the corruption of page tables by: 1. mapping all page table pages, both kernel and user, with a privileged pkey (KPKEYS_PKEY_PGTABLES), and 2. granting write access to that pkey only when running at a higher kpkeys

[RFC PATCH v2 08/15] mm: Introduce kernel_pgtables_set_pkey()

kernel_pgtables_set_pkey() allows setting the pkey of all page table pages in swapper_pg_dir, recursively. This will be needed by kpkeys_hardened_pgtables, as it relies on all PTPs being mapped with a non-default pkey. Those initial kernel page tables cannot practically be assigned a non-default pk

[RFC PATCH v2 06/15] arm64: set_memory: Implement set_memory_pkey()

Implement set_memory_pkey() using POE if supported. Signed-off-by: Kevin Brodsky --- arch/arm64/include/asm/set_memory.h | 4 arch/arm64/mm/pageattr.c| 21 + 2 files changed, 25 insertions(+) diff --git a/arch/arm64/include/asm/set_memory.h b/arch/arm64/in

[RFC PATCH v2 05/15] arm64: Implement asm/kpkeys.h using POE

Implement the kpkeys interface if CONFIG_ARM64_POE is enabled. The permissions for KPKEYS_PKEY_DEFAULT (pkey 0) are set to RWX as this pkey is also used for code mappings. Signed-off-by: Kevin Brodsky --- arch/arm64/include/asm/kpkeys.h | 43 + 1 file changed, 43

[RFC PATCH v2 04/15] arm64: Introduce por_set_pkey_perms() helper

Introduce a helper that sets the permissions of a given pkey (POIndex) in the POR_ELx format, and make use of it in arch_set_user_pkey_access(). Also ensure that is included in asm/por.h to provide the POE_* definitions. Signed-off-by: Kevin Brodsky --- arch/arm64/include/asm/por.h | 9 ++

[RFC PATCH v2 02/15] set_memory: Introduce set_memory_pkey() stub

Introduce a new function, set_memory_pkey(), which sets the protection key (pkey) of pages in the specified linear mapping range. Architectures implementing kernel pkeys (kpkeys) must provide a suitable implementation; an empty stub is added as fallback. Signed-off-by: Kevin Brodsky --- include/

[RFC PATCH v2 03/15] arm64: mm: Enable overlays for all EL1 indirect permissions

In preparation of using POE inside the kernel, enable "Overlay applied" for all stage 1 base permissions in PIR_EL1. This ensures that the permissions set in POR_EL1 affect all kernel mappings. Signed-off-by: Kevin Brodsky --- arch/arm64/include/asm/pgtable-prot.h | 16 1 file c

[RFC PATCH v2 01/15] mm: Introduce kpkeys

kpkeys is a simple framework to enable the use of protection keys (pkeys) to harden the kernel itself. This patch introduces the basic API in : a couple of functions to set and restore the pkey register and a macro to define guard objects. kpkeys introduces a new concept on top of pkeys: the kpkey

[RFC PATCH v2 00/15] pkeys-based page table hardening

This is a proposal to leverage protection keys (pkeys) to harden critical kernel data, by making it mostly read-only. The series includes a simple framework called "kpkeys" to manipulate pkeys for in-kernel use, as well as a page table hardening feature based on that framework (kpkeys_hardened_pgta