diff mbox series

[v3,02/13] arm64: Kconfig: Reword UNMAP_KERNEL_AT_EL0 kconfig entry

Message ID 1515432758-26440-3-git-send-email-will.deacon@arm.com
State Accepted
Commit 0617052ddde355ee663b2f048e67dd381e5ebd6a
Headers show
Series arm64 kpti hardening and variant 2 workarounds | expand

Commit Message

Will Deacon Jan. 8, 2018, 5:32 p.m. UTC
Although CONFIG_UNMAP_KERNEL_AT_EL0 does make KASLR more robust, it's
actually more useful as a mitigation against speculation attacks that
can leak arbitrary kernel data to userspace through speculation.

Reword the Kconfig help message to reflect this, and make the option
depend on EXPERT so that it is on by default for the majority of users.

Signed-off-by: Will Deacon <will.deacon@arm.com>

---
 arch/arm64/Kconfig | 13 ++++++-------
 1 file changed, 6 insertions(+), 7 deletions(-)

-- 
2.1.4

Comments

'Christoph Hellwig' Jan. 9, 2018, 5:17 p.m. UTC | #1
On Mon, Jan 08, 2018 at 05:32:27PM +0000, Will Deacon wrote:
> Although CONFIG_UNMAP_KERNEL_AT_EL0 does make KASLR more robust, it's

> actually more useful as a mitigation against speculation attacks that

> can leak arbitrary kernel data to userspace through speculation.

> 

> Reword the Kconfig help message to reflect this, and make the option

> depend on EXPERT so that it is on by default for the majority of users.


I still haven't heard an anwer on why this isn't using
CONFIG_PAGE_TABLE_ISOLATION but instead reinvents its own symbol.
Will Deacon Jan. 10, 2018, 7:26 p.m. UTC | #2
On Tue, Jan 09, 2018 at 09:17:00AM -0800, Christoph Hellwig wrote:
> On Mon, Jan 08, 2018 at 05:32:27PM +0000, Will Deacon wrote:

> > Although CONFIG_UNMAP_KERNEL_AT_EL0 does make KASLR more robust, it's

> > actually more useful as a mitigation against speculation attacks that

> > can leak arbitrary kernel data to userspace through speculation.

> > 

> > Reword the Kconfig help message to reflect this, and make the option

> > depend on EXPERT so that it is on by default for the majority of users.

> 

> I still haven't heard an anwer on why this isn't using

> CONFIG_PAGE_TABLE_ISOLATION but instead reinvents its own symbol.


Mainly because this code was written before CONFIG_PAGE_TABLE_ISOLATION had
been proposed and I wanted to avoid confusion with the ongoing backports
just to align on the naming for an arch-specific config option. We could
CONFIG_PAGE_TABLE_ISOLATION and make it select CONFIG_UNMAP_KERNEL_AT_EL) if
you like, but worth noting that this is default 'y' anyway and depends on
EXPERT.

Will
diff mbox series

Patch

diff --git a/arch/arm64/Kconfig b/arch/arm64/Kconfig
index 3af1657fcac3..efaaa3a66b95 100644
--- a/arch/arm64/Kconfig
+++ b/arch/arm64/Kconfig
@@ -834,15 +834,14 @@  config FORCE_MAX_ZONEORDER
 	  4M allocations matching the default size used by generic code.
 
 config UNMAP_KERNEL_AT_EL0
-	bool "Unmap kernel when running in userspace (aka \"KAISER\")"
+	bool "Unmap kernel when running in userspace (aka \"KAISER\")" if EXPERT
 	default y
 	help
-	  Some attacks against KASLR make use of the timing difference between
-	  a permission fault which could arise from a page table entry that is
-	  present in the TLB, and a translation fault which always requires a
-	  page table walk. This option defends against these attacks by unmapping
-	  the kernel whilst running in userspace, therefore forcing translation
-	  faults for all of kernel space.
+	  Speculation attacks against some high-performance processors can
+	  be used to bypass MMU permission checks and leak kernel data to
+	  userspace. This can be defended against by unmapping the kernel
+	  when running in userspace, mapping it back in on exception entry
+	  via a trampoline page in the vector table.
 
 	  If unsure, say Y.