[PATCH] arm64: kpti: Update arm64_kernel_use_ng_mappings() when forced on

Will Deacon will.deacon at arm.com
Fri Mar 1 03:45:15 PST 2019


On Fri, Mar 01, 2019 at 12:43:01PM +0100, Ard Biesheuvel wrote:
> On Fri, 1 Mar 2019 at 12:35, Will Deacon <will.deacon at arm.com> wrote:
> >
> > On Fri, Mar 01, 2019 at 11:18:21AM +0000, John Garry wrote:
> > > On 16/01/2019 09:38, John Garry wrote:
> > > > On 15/01/2019 18:49, James Morse wrote:
> > > > > Since commit b89d82ef01b3 ("arm64: kpti: Avoid rewriting early page
> > > >
> > > > About b89d82ef01b3, I got an *unconfirmed* (emphasis on this, I don't
> > > > want to cry wolf) report yesterday that the symptom I saw (boot delay)
> > > > has been seen on 5.0-rc2 on our D06 board. I could not see it.
> > > >
> > > > Please note that this would be the same board which we saw this on:
> > > > https://lkml.org/lkml/2018/6/20/589
> > > >
> > > > I only witnessed the issue on the predecessor A72-based D05 board.
> > > >
> > > > The reporter is very busy, but we'll keep tabs on it.
> > > >
> > >
> > > FYI, this just came in this morning:
> >
> > This isn't completely surprising, because the kernel doesn't know about
> > the CPU in D06:
> >
> > > [    0.000000] Booting Linux on physical CPU 0x0000010000 [0x480fd010]
> >
> > [...]
> >
> > > [    0.000000] CPU features: detected: Kernel page table isolation (KPTI)
> >
> > If the CPU is not affected by meltdown, you can add the MIDR above to the
> > kpti_safe_list[] table. If it *is* affected by meltdown, then I'm afraid
> > that you're stuck with the delay at boot for !KASLR kernels (which is an
> > awful lot better than getting pwned by userspace :)
> >
> > I think D06 is 8.2, so I would've hoped that you'd implemented
> > AA64PFR0_EL1.CSV3, which would make this MIDR-based whitelisting
> > unnecessary.
> >
> 
> Note that this is also still tied to the new rodata handling. The new
> default is rodata=full, and reverting back to rodata=on (which used to
> be the default in prior releases) or rodata=off (not recommended)
> should get around this as well.

Or, somewhat perversely, enabling CONFIG_RANDOMIZE_BASE and passing a
valid kaslr seed. Performance /and/ security!

Will
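
Added example (not part of the original message and not kernel code): a simplified C model of the check discussed in the thread, decoding the MIDR from the quoted boot log and treating a CPU as Meltdown-safe when its model is on a safe list or ID_AA64PFR0_EL1.CSV3 is non-zero. The sample_safe_list entries, the function names and the PFR0 values are assumptions made for illustration; the forced-on and KASLR cases are not modelled.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* MIDR_EL1 field layout as defined by the Arm architecture. */
#define MIDR_IMPLEMENTER(m) (((m) >> 24) & 0xffu)
#define MIDR_VARIANT(m)     (((m) >> 20) & 0xfu)
#define MIDR_ARCH(m)        (((m) >> 16) & 0xfu)
#define MIDR_PARTNUM(m)     (((m) >> 4) & 0xfffu)
#define MIDR_REVISION(m)    ((m) & 0xfu)
/* A model match compares implementer, architecture and part number,
 * ignoring variant and revision. */
#define MIDR_MODEL_MASK     0xff0ffff0u

/* Constructed sample entries, standing in for kpti_safe_list[]. */
static const uint32_t sample_safe_list[] = { 0x410fd030u, 0x410fd050u };

/* ID_AA64PFR0_EL1.CSV3 occupies bits [63:60]; non-zero means the CPU
 * reports that it is not affected by Meltdown-style speculation. */
static unsigned csv3_field(uint64_t pfr0)
{
    return (unsigned)(pfr0 >> 60) & 0xfu;
}

static bool midr_in_safe_list(uint32_t midr)
{
    size_t n = sizeof(sample_safe_list) / sizeof(sample_safe_list[0]);
    for (size_t i = 0; i < n; i++)
        if ((midr & MIDR_MODEL_MASK) == (sample_safe_list[i] & MIDR_MODEL_MASK))
            return true;
    return false;
}

/* Simplified decision: KPTI is needed unless the CPU is known safe. */
static bool kpti_needed(uint32_t midr, uint64_t pfr0)
{
    return !midr_in_safe_list(midr) && csv3_field(pfr0) == 0;
}

int main(void)
{
    uint32_t midr = 0x480fd010u;   /* MIDR from the quoted boot log */
    printf("impl=0x%02x var=0x%x arch=0x%x part=0x%03x rev=0x%x\n",
           MIDR_IMPLEMENTER(midr), MIDR_VARIANT(midr), MIDR_ARCH(midr),
           MIDR_PARTNUM(midr), MIDR_REVISION(midr));
    printf("KPTI needed, CSV3 absent:  %d\n", kpti_needed(midr, 0));
    printf("KPTI needed, CSV3 present: %d\n", kpti_needed(midr, 1ULL << 60));
    return 0;
}
```
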
