amd64 kernel W^X


amd64 kernel W^X

Theo de Raadt
Mike Larkin has been slow at informing the world, despite my prodding.
Probably started working on something else cool...

So.. I am going to take it upon myself to sing praise to him, and
hopefully he'll let me off lightly!

Over the last two months Mike modified the amd64 kernel to follow the
W^X principles.  It started as a humble exercise to fix the .rodata
segment, and kind of went crazy.  As a result, no part of the kernel
address space is writeable and executable simultaneously.  At least
that is the idea, modulo mistakes.  Final attention to detail (which
some of you experienced in buggy drafts in snapshots) was to make the
MP and ACPI trampolines follow W^X, furthermore they are unmapped when
not required.

Some further amd64-specific page attribute improvements snuck in.  Too
complicated to describe simply.

I followed along for the ride and improved the situation on other
architectures, mostly MI improvements so the right requests would be
made to the MD layers.  Final picture is many architectures were
improved, but amd64 and sparc64 look the best due to MMU features
available to service the W^X model.  The entire safety model is also
improved by a limited form of kernel ASLR (the code segment does not
move around yet, but data and page table ASLR is fairly good.  There
are some known pages, but hopefully fewer in the future).


Re: amd64 kernel W^X

Loganaden Velvindron
On Jan 14, 2015 7:57 AM, "Theo de Raadt" <[hidden email]> wrote:

>
> Mike Larkin has been slow at informing the world, despite my prodding.
> Probably started working on something else cool...
>
> So.. I am going to take it upon myself to sing praise to him, and
> hopefully he'll let me off lightly!
>
> Over the last two months Mike modified the amd64 kernel to follow the
> W^X principles.  It started as a humble exercise to fix the .rodata
> segment, and kind of went crazy.  As a result, no part of the kernel
> address space is writeable and executable simultaneously.  At least
> that is the idea, modulo mistakes.  Final attention to detail (which
> some of you experienced in buggy drafts in snapshots) was to make the
> MP and ACPI trampolines follow W^X, furthermore they are unmapped when
> not required.
>
> Some further amd64-specific page attribute improvements snuck in.  Too
> complicated to describe simply.
>
> I followed along for the ride and improved the situation on other
> architectures, mostly MI improvements so the right requests would be
> made to the MD layers.  Final picture is many architectures were
> improved, but amd64 and sparc64 look the best due to MMU features
> available to service the W^X model.  The entire safety model is also
> improved by a limited form of kernel ASLR (the code segment does not
> move around yet, but data and page table ASLR is fairly good.  There
> are some known pages, but hopefully fewer in the future).
>

That's an amazing feat! Well done Mike!!

Re: amd64 kernel W^X

Mike Larkin
On Tue, Jan 13, 2015 at 08:57:09PM -0700, Theo de Raadt wrote:

> Mike Larkin has been slow at informing the world, despite my prodding.
> Probably started working on something else cool...
>
> So.. I am going to take it upon myself to sing praise to him, and
> hopefully he'll let me off lightly!
>
> Over the last two months Mike modified the amd64 kernel to follow the
> W^X principles.  It started as a humble exercise to fix the .rodata
> segment, and kind of went crazy.  As a result, no part of the kernel
> address space is writeable and executable simultaneously.  At least
> that is the idea, modulo mistakes.  Final attention to detail (which
> some of you experienced in buggy drafts in snapshots) was to make the
> MP and ACPI trampolines follow W^X, furthermore they are unmapped when
> not required.
>
> Some further amd64-specific page attribute improvements snuck in.  Too
> complicated to describe simply.
>
> I followed along for the ride and improved the situation on other
> architectures, mostly MI improvements so the right requests would be
> made to the MD layers.  Final picture is many architectures were
> improved, but amd64 and sparc64 look the best due to MMU features
> available to service the W^X model.  The entire safety model is also
> improved by a limited form of kernel ASLR (the code segment does not
> move around yet, but data and page table ASLR is fairly good.  There
> are some known pages, but hopefully fewer in the future).
>

Thanks Theo for the encouragement along the way.

It did indeed start with .rodata, but then we ended up fixing a ton more;
probably a dozen different places needed tightening up.

i386 is next, but that requires a PAE paging model and compatible CPU.
I've got the PAE mode booting but it's not ready for prime time yet.

-ml
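The two posts above turn on one hardware detail: kernel W^X is enforced per page through the page-table entry, and on amd64 (long mode) and i386-with-PAE a PTE has both a writable bit and an NX bit, while a legacy non-PAE i386 PTE has no NX bit at all, so every writable page is also executable. The following is an added example, not code from the OpenBSD thread or from the OpenBSD kernel: a small checker that applies the W^X invariant to a constructed set of PTEs in both formats. The bit positions (bit 0 Present, bit 1 R/W, bit 63 NX) are the architectural ones; the function names, the enum and the sample PTE values are assumptions made for the example.

```c
/*
 * Added example (not OpenBSD code): check page-table entries for the
 * W^X property that the amd64 kernel work in this thread enforces.
 *
 * Architectural facts used:
 *   amd64 / PAE PTE (64-bit): bit 0 = Present, bit 1 = R/W,
 *                             bit 63 = NX (honoured when EFER.NXE is set)
 *   legacy i386 PTE (32-bit): bit 0 = Present, bit 1 = R/W, no NX bit,
 *                             so "writable" always implies "executable".
 * That last point is why i386 W^X needs the PAE paging model and a CPU
 * that implements NX.
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define PTE_P   (1ULL << 0)
#define PTE_RW  (1ULL << 1)
#define PTE_NX  (1ULL << 63)

/* Hypothetical names for the example: which PTE format we are reading. */
enum pte_fmt { PTE_FMT_LEGACY32, PTE_FMT_PAE_OR_LONG };

/* True if the entry maps a page that is both writable and executable. */
bool pte_violates_wx(uint64_t pte, enum pte_fmt fmt)
{
    if (fmt == PTE_FMT_LEGACY32)
        pte &= 0xffffffffULL;        /* a 32-bit entry has no bit 63 */
    if (!(pte & PTE_P))
        return false;                /* unmapped: nothing to violate */

    bool writable = (pte & PTE_RW) != 0;
    bool executable;
    if (fmt == PTE_FMT_LEGACY32)
        executable = true;           /* no NX bit exists in this format */
    else
        executable = (pte & PTE_NX) == 0;
    return writable && executable;
}

/* Count W^X violations over an array of entries of one format. */
size_t count_wx_violations(const uint64_t *ptes, size_t n, enum pte_fmt fmt)
{
    size_t bad = 0;
    for (size_t i = 0; i < n; i++)
        if (pte_violates_wx(ptes[i], fmt))
            bad++;
    return bad;
}

/* Constructed sample (assumption, not a dump of any real kernel):
 * .text mapped R+X, .rodata mapped R only, .data mapped RW with NX,
 * one leftover RWX mapping, and one entry that is not present. */
static const uint64_t sample_ptes[] = {
    0x0000000000200000ULL | PTE_P,                    /* .text: R, X  */
    0x0000000000201000ULL | PTE_P | PTE_NX,           /* .rodata: R   */
    0x0000000000202000ULL | PTE_P | PTE_RW | PTE_NX,  /* .data: RW    */
    0x0000000000203000ULL | PTE_P | PTE_RW,           /* RWX leftover */
    0x0000000000204000ULL,                            /* not present  */
};

#define SAMPLE_N (sizeof sample_ptes / sizeof sample_ptes[0])

size_t sample_violations_pae(void)
{
    return count_wx_violations(sample_ptes, SAMPLE_N, PTE_FMT_PAE_OR_LONG);
}

size_t sample_violations_legacy(void)
{
    return count_wx_violations(sample_ptes, SAMPLE_N, PTE_FMT_LEGACY32);
}

int main(void)
{
    /* With NX available only the RWX leftover is a violation; in the
     * legacy format the RW .data page becomes one as well. */
    printf("amd64/PAE:   %zu W^X violation(s)\n", sample_violations_pae());
    printf("legacy i386: %zu W^X violation(s)\n", sample_violations_legacy());
    return 0;
}
```

The same five entries give one violation when read as amd64/PAE entries and two when read as legacy i386 entries: the .data page is fine on the former because NX is set, and cannot be made non-executable on the latter because there is no bit to set. Checking the Present bit first matters for the trampoline case Theo mentions: an entry that is unmapped when not in use does not count against W^X, whatever its other bits say.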


Re: amd64 kernel W^X

Philip Guenther
On Tue, Jan 13, 2015 at 11:38 PM, Mike Larkin <[hidden email]> wrote:
> i386 is next, but that requires a PAE paging model and compatible CPU.
> I've got the PAE mode booting but it's not ready for prime time yet.


Re: amd64 kernel W^X

Philip Guenther
On Tue, Jan 13, 2015 at 11:36 PM, Philip Guenther <[hidden email]> wrote:
> On Tue, Jan 13, 2015 at 11:38 PM, Mike Larkin <[hidden email]> wrote:
>> i386 is next, but that requires a PAE paging model and compatible CPU.
>> I've got the PAE mode booting but it's not ready for prime time yet.

Hmm, once PAE is working well, maybe we can kill off non-PAE i386
support and reduce the set of non-W^X systems we monitor.  There's
some horrid code in ld.so that should be running in the fields behind
the barn...


Philip Guenther


Re: amd64 kernel W^X

Jonathan Gray
On Tue, Jan 13, 2015 at 11:38:49PM -0800, Philip Guenther wrote:
> On Tue, Jan 13, 2015 at 11:36 PM, Philip Guenther <[hidden email]> wrote:
> > On Tue, Jan 13, 2015 at 11:38 PM, Mike Larkin <[hidden email]> wrote:
> >> i386 is next, but that requires a PAE paging model and compatible CPU.
> >> I've got the PAE mode booting but it's not ready for prime time yet.
>
> Hmm, once PAE is working well, maybe we can kill off non-PAE i386
> support and reduce the set of non-W^X systems we monitor.  There's
> some horrid code in ld.so that should be running in the fields behind
> the barn...

That means dropping support for all Geode based soekris/alix machines,
VIA C3 and at least some Pentium M machines among others.  Which is going
to upset more than a few people...


Re: amd64 kernel W^X

Theo de Raadt
> On Tue, Jan 13, 2015 at 11:38:49PM -0800, Philip Guenther wrote:
> > On Tue, Jan 13, 2015 at 11:36 PM, Philip Guenther <[hidden email]> wrote:
> > > On Tue, Jan 13, 2015 at 11:38 PM, Mike Larkin <[hidden email]> wrote:
> > >> i386 is next, but that requires a PAE paging model and compatible CPU.
> > >> I've got the PAE mode booting but it's not ready for prime time yet.
> >
> > Hmm, once PAE is working well, maybe we can kill off non-PAE i386
> > support and reduce the set of non-W^X systems we monitor.  There's
> > some horrid code in ld.so that should be running in the fields behind
> > the barn...
>
> That means dropping support for all Geode based soekris/alix machines,
> VIA C3 and at least some Pentium M machines among others.  Which is going
> to upset more than a few people...

Maybe Philip's barn is full of replacement machines!


Re: amd64 kernel W^X

Cameron Simpson
On 14Jan2015 01:05, Theo de Raadt <[hidden email]> wrote:

>> On Tue, Jan 13, 2015 at 11:38:49PM -0800, Philip Guenther wrote:
>> > On Tue, Jan 13, 2015 at 11:36 PM, Philip Guenther <[hidden email]> wrote:
>> > > On Tue, Jan 13, 2015 at 11:38 PM, Mike Larkin <[hidden email]> wrote:
>> > >> i386 is next, but that requires a PAE paging model and compatible CPU.
>> > >> I've got the PAE mode booting but it's not ready for prime time yet.
>> >
>> > Hmm, once PAE is working well, maybe we can kill off non-PAE i386
>> > support and reduce the set of non-W^X systems we monitor.  There's
>> > some horrid code in ld.so that should be running in the fields behind
>> > the barn...
>>
>> That means dropping support for all Geode based soekris/alix machines,
>> VIA C3 and at least some Pentium M machines among others.  Which is going
>> to upset more than a few people...
>
>Maybe Philip's barn is full of replacement machines!

Will he ship them to me?
I speak as one totally dependent on my Soekris firewalls running OpenBSD.

I'm totally for this W^X work, but if it makes it impossible to install OpenBSD
on my soekris machines I will be VERY unhappy.

Disclaimer: OpenBSD user, not OpenBSD hacker.

Cheers,
Cameron Simpson <[hidden email]>

Drink coffee. Do stupid things faster with more energy.
https://secure.flickr.com/photos/lantanaland/6224396556/


Re: amd64 kernel W^X

Theo de Raadt
> On 14Jan2015 01:05, Theo de Raadt <[hidden email]> wrote:
> >> On Tue, Jan 13, 2015 at 11:38:49PM -0800, Philip Guenther wrote:
> >> > On Tue, Jan 13, 2015 at 11:36 PM, Philip Guenther <[hidden email]> wrote:
> >> > > On Tue, Jan 13, 2015 at 11:38 PM, Mike Larkin <[hidden email]> wrote:
> >> > >> i386 is next, but that requires a PAE paging model and compatible CPU.
> >> > >> I've got the PAE mode booting but it's not ready for prime time yet.
> >> >
> >> > Hmm, once PAE is working well, maybe we can kill off non-PAE i386
> >> > support and reduce the set of non-W^X systems we monitor.  There's
> >> > some horrid code in ld.so that should be running in the fields behind
> >> > the barn...
> >>
> >> That means dropping support for all Geode based soekris/alix machines,
> >> VIA C3 and at least some Pentium M machines among others.  Which is going
> >> to upset more than a few people...
> >
> >Maybe Philip's barn is full of replacement machines!
>
> Will he ship them to me?
> I speak as one totally dependent on my Soekris firewalls running OpenBSD.
>
> I'm totally for this W^X work, but if it make it impossible to install OpenBSD
> on my soekris machines I will be VERY unhappy.

Don't worry.  It won't happen the way Philip describes.  i386 will still
run on pre-PAE machines after those future changes.


Re: amd64 kernel W^X

Cameron Simpson
On 14Jan2015 18:18, Theo de Raadt <[hidden email]> wrote:

>> On 14Jan2015 01:05, Theo de Raadt <[hidden email]> wrote:
>> >> On Tue, Jan 13, 2015 at 11:38:49PM -0800, Philip Guenther wrote:
>> >> > On Tue, Jan 13, 2015 at 11:36 PM, Philip Guenther <[hidden email]> wrote:
>> >> > > On Tue, Jan 13, 2015 at 11:38 PM, Mike Larkin <[hidden email]> wrote:
>> >> > >> i386 is next, but that requires a PAE paging model and compatible CPU.
>> >> > >> I've got the PAE mode booting but it's not ready for prime time yet.
>> >> >
>> >> > Hmm, once PAE is working well, maybe we can kill off non-PAE i386 [...]
>> >> That means dropping support for all Geode based soekris/alix machines,
>> >> VIA C3 and at least some Pentium M machines among others.  Which is going
>> >> to upset more than a few people...
>> >Maybe Philip's barn is full of replacement machines!
>>
>> Will he ship them to me?
>> I speak as one totally dependent on my Soekris firewalls running OpenBSD.
>>
>> I'm totally for this W^X work, but if it make it impossible to install OpenBSD
>> on my soekris machines I will be VERY unhappy.
>
>Don't worry.  It won't happen the way Philip describes.  i386 will still
>run on pre-PAE machines after those future changes.

Thank you!

Cheers,
Cameron Simpson <[hidden email]>

Ride to not crash. Dress to crash. Live to ride to not crash again.
        - Lawrence Smith, DoD#i, [hidden email]