[RFC][PATCH 10/10] x86/pti: clear _PAGE_GLOBAL for kernel image

[Dave Hansen]

From: Dave Hansen 

The kernel page tables are inherited from head_64.S which rudely marks
them as _PAGE_GLOBAL.  For PTI, we have been relying on the grace of
$DEITY and some insane behavior in pageattr.c.  Now we do it properly.

First, stop filtering out "unsupported" bits from being cleared in the
pageattr code.  It's fine to filter out *setting* these bits but it
is insane to keep us from clearing them.

Then, *explicitly* go clear _PAGE_GLOBAL from the kernel identity map.
Do not rely on pageattr to do it magically.

After this patch, we can see that "GLB" shows up in each copy of the
page tables, that we have the same number of global entries in each
and that they are the *same* entries.

# grep -c GLB /sys/kernel/debug/page_tables/*
/sys/kernel/debug/page_tables/current_kernel:11
/sys/kernel/debug/page_tables/current_user:11
/sys/kernel/debug/page_tables/kernel:11

# for f in `ls /sys/kernel/debug/page_tables/`; do grep GLB 
/sys/kernel/debug/page_tables/$f > $f.GLB; done
# md5sum *.GLB
9caae8ad6a1fb53aca2407ec037f612d  current_kernel.GLB
9caae8ad6a1fb53aca2407ec037f612d  current_user.GLB
9caae8ad6a1fb53aca2407ec037f612d  kernel.GLB

A quick visual audit also shows that all the entries make sense.
0xfe00 is the cpu_entry_area and 0x81c0
is the entry/exit text:

# grep -c GLB /sys/kernel/debug/page_tables/current_user
0xfe00-0xfe002000   8K ro GLB 
NX pte
0xfe002000-0xfe003000   4K RW GLB 
NX pte
0xfe003000-0xfe006000  12K ro GLB 
NX pte
0xfe006000-0xfe007000   4K ro GLB x 
 pte
0xfe007000-0xfe00d000  24K RW GLB 
NX pte
0xfe02d000-0xfe02e000   4K ro GLB 
NX pte
0xfe02e000-0xfe02f000   4K RW GLB 
NX pte
0xfe02f000-0xfe032000  12K ro GLB 
NX pte
0xfe032000-0xfe033000   4K ro GLB x 
 pte
0xfe033000-0xfe039000  24K RW GLB 
NX pte
0x81c0-0x81e0   2M ro PSE GLB x 
 pmd

Signed-off-by: Dave Hansen 
Cc: Andrea Arcangeli 
Cc: Andy Lutomirski 
Cc: Linus Torvalds 
Cc: Kees Cook 
Cc: Hugh Dickins 
Cc: Juergen Gross 
Cc: x...@kernel.org
Cc: Nadav Amit 
---

 b/arch/x86/mm/init.c |8 +---
 b/arch/x86/mm/pageattr.c |   12 +---
 b/arch/x86/mm/pti.c  |   26 ++
 3 files changed, 36 insertions(+), 10 deletions(-)

diff -puN arch/x86/mm/init.c~clear-global-for-pti arch/x86/mm/init.c
--- a/arch/x86/mm/init.c~clear-global-for-pti   2018-02-22 12:36:22.627036544 
-0800
+++ b/arch/x86/mm/init.c2018-02-22 12:36:22.634036544 -0800
@@ -161,12 +161,6 @@ struct map_range {
 
 static int page_size_mask;
 
-static void enable_global_pages(void)
-{
-   if (!static_cpu_has(X86_FEATURE_PTI))
-   __supported_pte_mask |= _PAGE_GLOBAL;
-}
-
 static void __init probe_page_size_mask(void)
 {
/*
@@ -187,7 +181,7 @@ static void __init probe_page_size_mask(
__supported_pte_mask &= ~_PAGE_GLOBAL;
if (boot_cpu_has(X86_FEATURE_PGE)) {
cr4_set_bits_and_update_boot(X86_CR4_PGE);
-   enable_global_pages();
+   __supported_pte_mask |= _PAGE_GLOBAL;
}
 
/* By the default is everything supported: */
diff -puN arch/x86/mm/pageattr.c~clear-global-for-pti arch/x86/mm/pageattr.c
--- a/arch/x86/mm/pageattr.c~clear-global-for-pti   2018-02-22 
12:36:22.629036544 -0800
+++ b/arch/x86/mm/pageattr.c2018-02-22 12:36:22.635036544 -0800
@@ -1411,11 +1411,11 @@ static int change_page_attr_set_clr(unsi
memset(, 0, sizeof(cpa));
 
/*
-* Check, if we are requested to change a not supported
-* feature:
+* Check, if we are requested to set a not supported
+* feature.  Clearing non-supported features is OK.
 */
mask_set = canon_pgprot(mask_set);
-   mask_clr = canon_pgprot(mask_clr);
+
if (!pgprot_val(mask_set) && !pgprot_val(mask_clr) && !force_split)
return 0;
 
@@ -1758,6 +1758,12 @@ int set_memory_4k(unsigned long addr, in
__pgprot(0), 1, 0, NULL);
 }
 
+int set_memory_nonglobal(unsigned long addr, int numpages)
+{
+   return change_page_attr_clear(, numpages,
+ __pgprot(_PAGE_GLOBAL), 0);
+}
+
 static int __set_memory_enc_dec(unsigned long addr, int numpages, bool enc)
 {
struct cpa_data cpa;
diff -puN 

[RFC][PATCH 10/10] x86/pti: clear _PAGE_GLOBAL for kernel image

[Dave Hansen]

From: Dave Hansen 

The kernel page tables are inherited from head_64.S which rudely marks
them as _PAGE_GLOBAL.  For PTI, we have been relying on the grace of
$DEITY and some insane behavior in pageattr.c.  Now we do it properly.

First, stop filtering out "unsupported" bits from being cleared in the
pageattr code.  It's fine to filter out *setting* these bits but it
is insane to keep us from clearing them.

Then, *explicitly* go clear _PAGE_GLOBAL from the kernel identity map.
Do not rely on pageattr to do it magically.

After this patch, we can see that "GLB" shows up in each copy of the
page tables, that we have the same number of global entries in each
and that they are the *same* entries.

# grep -c GLB /sys/kernel/debug/page_tables/*
/sys/kernel/debug/page_tables/current_kernel:11
/sys/kernel/debug/page_tables/current_user:11
/sys/kernel/debug/page_tables/kernel:11

# for f in `ls /sys/kernel/debug/page_tables/`; do grep GLB 
/sys/kernel/debug/page_tables/$f > $f.GLB; done
# md5sum *.GLB
9caae8ad6a1fb53aca2407ec037f612d  current_kernel.GLB
9caae8ad6a1fb53aca2407ec037f612d  current_user.GLB
9caae8ad6a1fb53aca2407ec037f612d  kernel.GLB

A quick visual audit also shows that all the entries make sense.
0xfe00 is the cpu_entry_area and 0x81c0
is the entry/exit text:

# grep -c GLB /sys/kernel/debug/page_tables/current_user
0xfe00-0xfe002000   8K ro GLB 
NX pte
0xfe002000-0xfe003000   4K RW GLB 
NX pte
0xfe003000-0xfe006000  12K ro GLB 
NX pte
0xfe006000-0xfe007000   4K ro GLB x 
 pte
0xfe007000-0xfe00d000  24K RW GLB 
NX pte
0xfe02d000-0xfe02e000   4K ro GLB 
NX pte
0xfe02e000-0xfe02f000   4K RW GLB 
NX pte
0xfe02f000-0xfe032000  12K ro GLB 
NX pte
0xfe032000-0xfe033000   4K ro GLB x 
 pte
0xfe033000-0xfe039000  24K RW GLB 
NX pte
0x81c0-0x81e0   2M ro PSE GLB x 
 pmd

Signed-off-by: Dave Hansen 
Cc: Andrea Arcangeli 
Cc: Andy Lutomirski 
Cc: Linus Torvalds 
Cc: Kees Cook 
Cc: Hugh Dickins 
Cc: Juergen Gross 
Cc: x...@kernel.org
Cc: Nadav Amit 
---

 b/arch/x86/mm/init.c |8 +---
 b/arch/x86/mm/pageattr.c |   12 +---
 b/arch/x86/mm/pti.c  |   26 ++
 3 files changed, 36 insertions(+), 10 deletions(-)

diff -puN arch/x86/mm/init.c~clear-global-for-pti arch/x86/mm/init.c
--- a/arch/x86/mm/init.c~clear-global-for-pti   2018-02-22 12:36:22.627036544 
-0800
+++ b/arch/x86/mm/init.c2018-02-22 12:36:22.634036544 -0800
@@ -161,12 +161,6 @@ struct map_range {
 
 static int page_size_mask;
 
-static void enable_global_pages(void)
-{
-   if (!static_cpu_has(X86_FEATURE_PTI))
-   __supported_pte_mask |= _PAGE_GLOBAL;
-}
-
 static void __init probe_page_size_mask(void)
 {
/*
@@ -187,7 +181,7 @@ static void __init probe_page_size_mask(
__supported_pte_mask &= ~_PAGE_GLOBAL;
if (boot_cpu_has(X86_FEATURE_PGE)) {
cr4_set_bits_and_update_boot(X86_CR4_PGE);
-   enable_global_pages();
+   __supported_pte_mask |= _PAGE_GLOBAL;
}
 
/* By the default is everything supported: */
diff -puN arch/x86/mm/pageattr.c~clear-global-for-pti arch/x86/mm/pageattr.c
--- a/arch/x86/mm/pageattr.c~clear-global-for-pti   2018-02-22 
12:36:22.629036544 -0800
+++ b/arch/x86/mm/pageattr.c2018-02-22 12:36:22.635036544 -0800
@@ -1411,11 +1411,11 @@ static int change_page_attr_set_clr(unsi
memset(, 0, sizeof(cpa));
 
/*
-* Check, if we are requested to change a not supported
-* feature:
+* Check, if we are requested to set a not supported
+* feature.  Clearing non-supported features is OK.
 */
mask_set = canon_pgprot(mask_set);
-   mask_clr = canon_pgprot(mask_clr);
+
if (!pgprot_val(mask_set) && !pgprot_val(mask_clr) && !force_split)
return 0;
 
@@ -1758,6 +1758,12 @@ int set_memory_4k(unsigned long addr, in
__pgprot(0), 1, 0, NULL);
 }
 
+int set_memory_nonglobal(unsigned long addr, int numpages)
+{
+   return change_page_attr_clear(, numpages,
+ __pgprot(_PAGE_GLOBAL), 0);
+}
+
 static int __set_memory_enc_dec(unsigned long addr, int numpages, bool enc)
 {
struct cpa_data cpa;
diff -puN arch/x86/mm/pti.c~clear-global-for-pti arch/x86/mm/pti.c
--- a/arch/x86/mm/pti.c~clear-global-for-pti2018-02-22 12:36:22.631036544 
-0800
+++ b/arch/x86/mm/pti.c 2018-02-22 12:36:22.635036544 -0800
@@ -359,6 +359,28 @@