Source-Changes archive


CVS commit: src/sys/arch/amd64

Module Name:    src
Committed By:   maxv
Date:           Sun Jan 21 11:21:40 UTC 2018

Modified Files:
        src/sys/arch/amd64/amd64: amd64_trap.S locore.S machdep.c vector.S
        src/sys/arch/amd64/conf: kern.ldscript kern.ldscript.kaslr
        src/sys/arch/amd64/include: frameasm.h

Log Message:
Unmap the kernel from userland in SVS, and leave only the needed
trampolines. As explained below, SVS should now completely mitigate
Meltdown on GENERIC kernels, even though it needs some more tweaking.

Until now the kernel entry points looked like:

                pushq   $ERR
                pushq   $TRAPNO
                ... handle interrupt ...

With this change they are split and become:

                ... handle interrupt ...

                pushq   $ERR
                pushq   $TRAPNO
                jmp     handle

A new section is introduced, .text.user, that contains minimal kernel
entry/exit points. In order to choose what to put in this section, two
macros are introduced, TEXT_USER_BEGIN and TEXT_USER_END.

The section is mapped in userland with normal 4K pages.

In GENERIC, the section is 4K-page-aligned and embedded in .text, which
is mapped with large pages. That is to say, when an interrupt comes in,
the CPU has the user page tables loaded and executes the 'intr' functions
on 4K pages; after calling SVS_ENTER (in INTRENTRY) these 4K pages become
2MB large pages, and remain so when executing in kernel mode.

In GENERIC_KASLR, the section is 4K-page-aligned and independent from the
other kernel texts. The prekern just picks it up and maps it at a random

In GENERIC, SVS should now completely mitigate Meltdown: what we put in
.text.user is not secret.

In GENERIC_KASLR, SVS would have to be improved a bit more: the
'jmp handle' instruction is actually secret, since it leaks the address
of the section we are jumping into. By exploiting Meltdown on Intel, this
theoretically allows a local user to reconstruct the address of the first
text section. But given that our KASLR produces several texts, and that
each section is not correlated with the others, the level of protection
KASLR provides is still good.
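
An added check for the page-alignment point above (example code, not part of this commit or of the NetBSD tree): given an nm-style symbol listing, compute the 4K pages that would be present in the user page tables and count the kernel-only symbols that share them. The listing format, symbol names and addresses are constructed for the example.

```c
#include <stdint.h>
#include <string.h>
#define PAGE_SIZE 4096ULL
#define PAGE_MASK (~(PAGE_SIZE - 1))
#define NELEM(a)  (sizeof(a) / sizeof((a)[0]))
/* One entry of a constructed, nm-style symbol listing. */
struct sym { uint64_t addr, size; const char *name, *section; };

/* The 4K pages that would be present in the user page tables: lowest and
 * highest .text.user address rounded out to page boundaries (0 if none). */
int user_mapped_range(const struct sym *s, size_t n, uint64_t *lo, uint64_t *hi)
{
	uint64_t min = UINT64_MAX, max = 0;
	for (size_t i = 0; i < n; i++) {
		if (strcmp(s[i].section, ".text.user") != 0)
			continue;
		if (s[i].addr < min) min = s[i].addr;
		if (s[i].addr + s[i].size > max) max = s[i].addr + s[i].size;
	}
	if (max == 0) return 0;
	*lo = min & PAGE_MASK;
	*hi = (max + PAGE_SIZE - 1) & PAGE_MASK;
	return 1;
}

/* Count non-.text.user symbols that overlap a user-mapped page: kernel-only
 * code that the alignment padding is supposed to keep out of those pages. */
size_t leaked_symbols(const struct sym *s, size_t n)
{
	uint64_t lo, hi; size_t leaks = 0;
	if (!user_mapped_range(s, n, &lo, &hi)) return 0;
	for (size_t i = 0; i < n; i++)
		if (strcmp(s[i].section, ".text.user") != 0 &&
		    s[i].addr < hi && s[i].addr + s[i].size > lo)
			leaks++;
	return leaks;
}

/* Constructed layout (addresses made up): two trampolines in .text.user and
 * the kernel-only 'handle' placed at handle_addr. Starting it on the next page
 * (0x...a01000) leaks nothing; packing it right behind (0x...a00080) leaks it. */
size_t leaks_with_handle_at(uint64_t handle_addr)
{
	const struct sym layout[] = {
		{ 0xffffffff80a00000ULL, 0x40,  "intr_trap",    ".text.user" },
		{ 0xffffffff80a00040ULL, 0x40,  "intr_syscall", ".text.user" },
		{ handle_addr,           0x300, "handle",       ".text" },
	};
	return leaked_symbols(layout, NELEM(layout));
}
```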

To generate a diff of this commit:
cvs rdiff -u -r1.22 -r1.23 src/sys/arch/amd64/amd64/amd64_trap.S
cvs rdiff -u -r1.147 -r1.148 src/sys/arch/amd64/amd64/locore.S
cvs rdiff -u -r1.294 -r1.295 src/sys/arch/amd64/amd64/machdep.c
cvs rdiff -u -r1.55 -r1.56 src/sys/arch/amd64/amd64/vector.S
cvs rdiff -u -r1.25 -r1.26 src/sys/arch/amd64/conf/kern.ldscript
cvs rdiff -u -r1.4 -r1.5 src/sys/arch/amd64/conf/kern.ldscript.kaslr
cvs rdiff -u -r1.30 -r1.31 src/sys/arch/amd64/include/frameasm.h

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
