projects / platform / kernel / linux-rpi.git / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: b16c42c) | patch
list: Introduce CONFIG_LIST_HARDENED
authorMarco Elver <elver@google.com>
Fri, 11 Aug 2023 15:18:40 +0000 (17:18 +0200)
committerKees Cook <keescook@chromium.org>
Tue, 15 Aug 2023 21:57:25 +0000 (14:57 -0700)
commitaebc7b0d8d91bbc69e976909963046bc48bca4fd
treed9a2b25f46793d9bfd8e64cc5dd8570e4cc5f27dtree | snapshot
parentb16c42c8fde808b4f047d94f1f2aeda93487670dcommit | diff
list: Introduce CONFIG_LIST_HARDENED

Numerous production kernel configs (see [1, 2]) are choosing to enable
CONFIG_DEBUG_LIST, which is also being recommended by KSPP for hardened
configs [3]. The motivation behind this is that the option can be used
as a security hardening feature (e.g. CVE-2019-2215 and CVE-2019-2025
are mitigated by the option [4]).

The feature has never been designed with performance in mind, yet common
list manipulation is happening across hot paths all over the kernel.

Introduce CONFIG_LIST_HARDENED, which performs list pointer checking
inline, and only upon list corruption calls the reporting slow path.

To generate optimal machine code with CONFIG_LIST_HARDENED:

  1. Elide checking for pointer values which upon dereference would
     result in an immediate access fault (i.e. minimal hardening
     checks).  The trade-off is lower-quality error reports.

  2. Use the __preserve_most function attribute (available with Clang,
     but not yet with GCC) to minimize the code footprint for calling
     the reporting slow path. As a result, function size of callers is
     reduced by avoiding saving registers before calling the rarely
     called reporting slow path.

     Note that all TUs in lib/Makefile already disable function tracing,
     including list_debug.c, and __preserve_most's implied notrace has
     no effect in this case.

  3. Because the inline checks are a subset of the full set of checks in
     __list_*_valid_or_report(), always return false if the inline
     checks failed.  This avoids redundant compare and conditional
     branch right after return from the slow path.

As a side-effect of the checks being inline, if the compiler can prove
some condition to always be true, it can completely elide some checks.

Since DEBUG_LIST is functionally a superset of LIST_HARDENED, the
Kconfig variables are changed to reflect that: DEBUG_LIST selects
LIST_HARDENED, whereas LIST_HARDENED itself has no dependency on
DEBUG_LIST.

Running netperf with CONFIG_LIST_HARDENED (using a Clang compiler with
"preserve_most") shows throughput improvements, in my case of ~7% on
average (up to 20-30% on some test cases).

Link: https://r.android.com/1266735
Link: https://gitlab.archlinux.org/archlinux/packaging/packages/linux/-/blob/main/config
Link: https://kernsec.org/wiki/index.php/Kernel_Self_Protection_Project/Recommended_Settings
Link: https://googleprojectzero.blogspot.com/2019/11/bad-binder-android-in-wild-exploit.html
Signed-off-by: Marco Elver <elver@google.com>
Link: https://lore.kernel.org/r/20230811151847.1594958-3-elver@google.com
Signed-off-by: Kees Cook <keescook@chromium.org>
arch/arm64/kvm/hyp/nvhe/Makefile diff | blob | history
arch/arm64/kvm/hyp/nvhe/list_debug.c diff | blob | history
drivers/misc/lkdtm/bugs.c diff | blob | history
include/linux/list.h diff | blob | history
lib/Kconfig.debug diff | blob | history
lib/Makefile diff | blob | history
lib/list_debug.c diff | blob | history
security/Kconfig.hardening diff | blob | history
Domain: System / Kernel;