Module Name:    src
Committed By:   maxv
Date:           Sun Jan 21 11:21:40 UTC 2018

Modified Files:
        src/sys/arch/amd64/amd64: amd64_trap.S locore.S machdep.c vector.S
        src/sys/arch/amd64/conf: kern.ldscript kern.ldscript.kaslr
        src/sys/arch/amd64/include: frameasm.h

Log Message:
Unmap the kernel from userland in SVS, and leave only the needed trampolines. As explained below, SVS should now completely mitigate Meltdown on GENERIC kernels, even though it needs some more tweaking for GENERIC_KASLR.

Until now the kernel entry points looked like:

	FUNC(intr)
		pushq	$ERR
		pushq	$TRAPNO
		INTRENTRY
		... handle interrupt ...
		INTRFASTEXIT
	END(intr)

With this change they are split and become:

	FUNC(handle)
		... handle interrupt ...
		INTRFASTEXIT
	END(handle)

	TEXT_USER_BEGIN
	FUNC(intr)
		pushq	$ERR
		pushq	$TRAPNO
		INTRENTRY
		jmp	handle
	END(intr)
	TEXT_USER_END

A new section is introduced, .text.user, that contains minimal kernel entry/exit points. In order to choose what to put in this section, two macros are introduced, TEXT_USER_BEGIN and TEXT_USER_END.

The section is mapped in userland with normal 4K pages.

In GENERIC, the section is 4K-page-aligned and embedded in .text, which is mapped with large pages. That is to say, when an interrupt comes in, the CPU has the user page tables loaded and executes the 'intr' functions on 4K pages; after calling SVS_ENTER (in INTRENTRY) these 4K pages become 2MB large pages, and remain so when executing in kernel mode.

In GENERIC_KASLR, the section is 4K-page-aligned and independent from the other kernel texts. The prekern just picks it up and maps it at a random address.

In GENERIC, SVS should now completely mitigate Meltdown: what we put in .text.user is not secret.

In GENERIC_KASLR, SVS would have to be improved a bit more: the 'jmp handle' instruction is actually secret, since it leaks the address of the section we are jumping into. By exploiting Meltdown on Intel, this theoretically allows a local user to reconstruct the address of the first text section. But given that our KASLR produces several texts, and that each section is not correlated with the others, the level of protection KASLR provides is still good.

To generate a diff of this commit:
cvs rdiff -u -r1.22 -r1.23 src/sys/arch/amd64/amd64/amd64_trap.S
cvs rdiff -u -r1.147 -r1.148 src/sys/arch/amd64/amd64/locore.S
cvs rdiff -u -r1.294 -r1.295 src/sys/arch/amd64/amd64/machdep.c
cvs rdiff -u -r1.55 -r1.56 src/sys/arch/amd64/amd64/vector.S
cvs rdiff -u -r1.25 -r1.26 src/sys/arch/amd64/conf/kern.ldscript
cvs rdiff -u -r1.4 -r1.5 src/sys/arch/amd64/conf/kern.ldscript.kaslr
cvs rdiff -u -r1.30 -r1.31 src/sys/arch/amd64/include/frameasm.h

Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
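As an added example (not part of this commit or of NetBSD's code), a small C audit of what a user-mapped trampoline section discloses: it decodes each `jmp rel32` in a constructed .text.user image and counts the jumps whose targets lie outside the section, which is the residual leak the message describes for GENERIC_KASLR. The load address, the section contents and their byte encodings are constructed assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#define PAGE_4K 0x1000ULL

/* Constructed .text.user image (hypothetical bytes, not NetBSD's): an 'intr'
 * stub (pushq $0; pushq $8; jmp handle) and, at 0x10, an in-section jmp. */
static uint8_t text_user[PAGE_4K] = {
    0x6A, 0x00,                              /* pushq $0   (ERR)           */
    0x6A, 0x08,                              /* pushq $8   (TRAPNO)        */
    0xE9, 0x00, 0xC0, 0x0F, 0x00,            /* jmp +0xFC000 (handle, .text) */
    [0x10] = 0xE9, 0xF0, 0xFF, 0xFF, 0xFF,   /* jmp -16: stays in .text.user */
};
/* Assumed load address of the section (constructed value). */
static const uint64_t TEXT_USER_BASE = 0xffffffff80205000ULL;

/* Absolute target of the 5-byte near jmp (opcode E9) at 'off': the rip after
 * the instruction plus its sign-extended rel32 displacement. */
static uint64_t jmp_rel32_target(const uint8_t *code, size_t off, uint64_t base)
{
    uint32_t raw = (uint32_t)code[off + 1] | (uint32_t)code[off + 2] << 8 |
                   (uint32_t)code[off + 3] << 16 | (uint32_t)code[off + 4] << 24;
    return base + off + 5 + (uint64_t)(int64_t)(int32_t)raw;
}

/* Count E9 jumps whose target falls outside [base, base+len).  Each one tells
 * whoever can read the user-mapped pages (on Intel, via Meltdown, as the
 * commit message notes) where another text section lives.  Byte scan, not a
 * disassembler: data bytes equal to E9 give false positives, so audit only. */
static unsigned count_leaking_jumps(const uint8_t *code, size_t len, uint64_t base)
{
    unsigned leaks = 0;
    for (size_t off = 0; off + 5 <= len; off++) {
        if (code[off] != 0xE9)
            continue;
        uint64_t tgt = jmp_rel32_target(code, off, base);
        if (tgt < base || tgt >= base + len)
            leaks++;
    }
    return leaks;
}

int main(void)
{
    printf("jmp at +4 targets %#llx; %u jump(s) leak outside .text.user\n",
           (unsigned long long)jmp_rel32_target(text_user, 4, TEXT_USER_BASE),
           count_leaking_jumps(text_user, sizeof text_user, TEXT_USER_BASE));
    return 0;
}
```

Run against a real kernel, the same scan over the bytes between the section's start and end symbols shows how many addresses the user-visible trampolines hand out, which is zero only when every jump stays inside the section.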