Re: [PATCH RFC v2 04/29] mm: asi: Add infrastructure for boot-time enablement

On Wed Mar 19, 2025 at 6:47 PM UTC, Yosry Ahmed wrote: > On Wed, Mar 19, 2025 at 06:29:35PM +0100, Borislav Petkov wrote: > > On Fri, Jan 10, 2025 at 06:40:30PM +, Brendan Jackman wrote: > > > Add a boot time parameter to control the newly added X86_FEATURE_ASI. > > >

Re: [PATCH RFC v2 02/29] x86: Create CONFIG_MITIGATION_ADDRESS_SPACE_ISOLATION

On Sat, Mar 01, 2025 at 09:23:51AM +0200, Mike Rapoport wrote: > Hi Brendan, > > On Fri, Jan 10, 2025 at 06:40:28PM +, Brendan Jackman wrote: > > Currently a nop config. Keeping as a separate commit for easy review of > > the boring bits. Later commits will use and e

Re: [PATCH RFC v2 03/29] mm: asi: Introduce ASI core API

Argh, sorry, GMail switched back to HTML mode somehow. Maybe I have to get a proper mail client after all. Here's the clean version. On Wed, 19 Feb 2025 at 11:57, Borislav Petkov wrote: > > > + * Runtime usage: > > + * > > + * 1. Call asi_enter() to switch to the restricted address space. This

Re: [PATCH RFC v2 16/29] mm: asi: Map kernel text and static data as nonsensitive

On Fri, 10 Jan 2025 at 19:41, Brendan Jackman wrote: > + asi_clone_pgd(asi_global_nonsensitive_pgd, init_mm.pgd, > VMEMMAP_START); > + asi_clone_pgd(asi_global_nonsensitive_pgd, init_mm.pgd, > + VMEMMAP_START + (1UL << PGDIR_SHIFT)); There'

Re: [PATCH RFC v2 01/29] mm: asi: Make some utility functions noinstr compatible

On Thu, 16 Jan 2025 at 01:21, Borislav Petkov wrote: > > Unfortunately Thomas pointed out this will prevent the function from > > being inlined at call sites in .text. > > > > So far I haven't been able[1] to find a formulation that lets us : > > 1. avoid calls from .noinstr.text -> .text, > > 2.

[PATCH RFC v2 11/29] mm: asi: Functions to map/unmap a memory range into ASI page tables

gnore=MACRO_ARG_UNUSED Signed-off-by: Junaid Shahid Signed-off-by: Brendan Jackman Signed-off-by: Kevin Cheng --- arch/x86/include/asm/asi.h | 5 + arch/x86/mm/asi.c | 236 - arch/x86/mm/tlb.c | 5 + include/asm-generic/asi.h

[PATCH RFC v2 13/29] mm: Add __PAGEFLAG_FALSE

__PAGEFLAG_FALSE is a non-atomic equivalent of PAGEFLAG_FALSE. Checkpatch-args: --ignore=COMPLEX_MACRO Signed-off-by: Brendan Jackman --- include/linux/page-flags.h | 7 +++ 1 file changed, 7 insertions(+) diff --git a/include/linux/page-flags.h b/include/linux/page-flags.h index

[PATCH RFC v2 10/29] mm: asi: asi_exit() on PF, skip handling if address is accessible

ut of this patch. Checkpatch-args: --ignore=VSPRINTF_SPECIFIER_PX Signed-off-by: Ofir Weisse Signed-off-by: Brendan Jackman --- arch/x86/mm/fault.c | 118 +--- 1 file changed, 103 insertions(+), 15 deletions(-) diff --git a/arch/x86/mm/fault.c b/arc

[PATCH RFC v2 14/29] mm: asi: Map non-user buddy allocations as nonsensitive

locator API, we could always just provide an API like __alloc_pages_sensitive or something, implemented with ALLOC_ flags internally. Checkpatch-args: --ignore=SPACING,MACRO_ARG_UNUSED,COMPLEX_MACRO Signed-off-by: Brendan Jackman --- arch/x86/mm/asi.c | 33 +- include/linux

[PATCH RFC v2 16/29] mm: asi: Map kernel text and static data as nonsensitive

ap area is not under this single PGD, it has its own 2-PGD area, so we still use asi_clone_pgd for that one. Signed-off-by: Brendan Jackman --- arch/x86/mm/asi.c | 105 +- include/asm-generic/vmlinux.lds.h | 11 2 files changed, 115

[PATCH RFC v2 17/29] mm: asi: Map vmalloc/vmap data as nonsensitive

nsitivity, this commit just adds the infrastructure. We'll have to decide how to expose this to allocation sites as we implement more denylist logic. vmap does already allow configuring vm flags. Signed-off-by: Brendan Jackman --- mm/vmalloc.c | 21 + 1 file changed,

[PATCH TEMP WORKAROUND RFC v2 15/29] mm: asi: Workaround missing partial-unmap support

partial unmaps will be needed. Signed-off-by: Brendan Jackman --- mm/page_alloc.c | 40 ++-- 1 file changed, 26 insertions(+), 14 deletions(-) diff --git a/mm/page_alloc.c b/mm/page_alloc.c index 3e98fdfbadddb1f7d71e9e050

[PATCH RFC v2 05/29] mm: asi: ASI support in interrupts/exceptions

could lead to a bug if the order of interrupter counter modifications and ASI transition logic gets flipped around somehow. checkpatch.pl SPACING is false positive. AVOID_BUG ignored for RFC. Checkpatch-args: --ignore=SPACING,AVOID_BUG Signed-off-by: Junaid Shahid Signed-off-by: Brendan Jackman

[PATCH RFC v2 09/29] mm: asi: ASI page table allocation functions

: Junaid Shahid Signed-off-by: Brendan Jackman --- arch/x86/mm/asi.c | 59 +++ 1 file changed, 59 insertions(+) diff --git a/arch/x86/mm/asi.c b/arch/x86/mm/asi.c index 8d060c633be68b508847e2c1c111761df1da92af

[PATCH RFC v2 01/29] mm: asi: Make some utility functions noinstr compatible

r, they will be out-of-line calls. [1] https://lore.kernel.org/lkml/ca+i-1c1z35m8wa_4awmq7--c1ogjnolgtkn4+td5gkg7qqa...@mail.gmail.com/ Checkpatch-args: --ignore=COMMIT_LOG_LONG_LINE Signed-off-by: Brendan Jackman --- arch/x86/include/asm/processor.h | 2 +- arch/x86/include/asm/specia

[PATCH RFC v2 08/29] mm: asi: Avoid warning from NMI userspace accesses in ASI context

nmi_uaccess_okay() emits a warning if current CR3 != mm->pgd. Limit the warning to only when ASI is not active. Co-developed-by: Junaid Shahid Signed-off-by: Junaid Shahid Co-developed-by: Yosry Ahmed Signed-off-by: Yosry Ahmed Signed-off-by: Brendan Jackman --- arch/x86/mm/tlb.c |

[PATCH RFC v2 06/29] mm: asi: Use separate PCIDs for restricted address spaces

NOFLUSH bit. That will be done by later patches. Co-developed-by: Junaid Shahid Signed-off-by: Junaid Shahid Signed-off-by: Yosry Ahmed Signed-off-by: Brendan Jackman --- arch/x86/include/asm/asi.h | 4 +-- arch/x86/include/asm/processor-flags.h | 24 + arch/x86

[PATCH RFC v2 04/29] mm: asi: Add infrastructure for boot-time enablement

osry Ahmed Signed-off-by: Brendan Jackman --- arch/x86/Kconfig | 9 + arch/x86/include/asm/asi.h | 19 -- arch/x86/include/asm/cpufeatures.h | 1 + arch/x86/include/asm/disabled-features.h | 8 - arch/x86/mm/asi.c

[PATCH RFC v2 03/29] mm: asi: Introduce ASI core API

unaid Shahid Signed-off-by: Junaid Shahid Signed-off-by: Brendan Jackman --- arch/x86/include/asm/asi.h | 208 +++ arch/x86/include/asm/processor.h | 8 + arch/x86/mm/Makefile | 1 + arch/x86/mm/asi.c

[PATCH RFC v2 02/29] x86: Create CONFIG_MITIGATION_ADDRESS_SPACE_ISOLATION

!PARAVIRT and !KASAN which are explained in the Kconfig file. Co-developed-by: Junaid Shahid Signed-off-by: Junaid Shahid Signed-off-by: Brendan Jackman --- arch/alpha/include/asm/Kbuild | 1 + arch/arc/include/asm/Kbuild| 1 + arch/arm/include/asm/Kbuild| 1 + arch

[PATCH RFC v2 00/29] Address Space Isolation (ASI)

.kernel.org/linux-mm/20240712-asi-rfc-24-v1-0-144b319a4...@google.com/ [1] LPC session: https://lpc.events/event/18/contributions/1761/ [2] Junaid’s RFC: https://lore.kernel.org/all/20220223052223.1202152-1-juna...@google.com/ [3] GitHub branch: https://github.com/googleprodkern

[PATCH RFC v2 23/29] mm: asi: exit ASI before suspend-like operations

ot;). Signed-off-by: Yosry Ahmed Signed-off-by: Brendan Jackman --- arch/x86/mm/asi.c | 31 +++ 1 file changed, 31 insertions(+) diff --git a/arch/x86/mm/asi.c b/arch/x86/mm/asi.c index a9f9bfbf85eb47d16ef8d0bfbc7713f07052d3ed..c5073af1a82ded1c6fc467cd7a5d29a39d676bb

[PATCH RFC v2 20/29] mm: asi: Make TLB flushing correct under ASI

we switch into them. Note that there is currently a pointless write of cpu_tlbstate.invalidate_other in the case of KPTI and !PCID. We've added another case of that (ASI, !KPTI and !PCID). I think that's preferable to expanding the conditional in flush_tlb_one_kernel. Signed-off-by: Brend

[PATCH RFC v2 22/29] mm: asi: exit ASI before accessing CR3 from C code where appropriate

efault. Signed-off-by: Yosry Ahmed Signed-off-by: Brendan Jackman --- arch/x86/Kconfig| 2 +- arch/x86/boot/compressed/ident_map_64.c | 10 arch/x86/boot/compressed/pgtable_64.c | 11 + arch/x86/include/asm/processor.h| 5 arch/x86/

[PATCH RFC v2 25/29] mm: asi: Restricted execution fore bare-metal processes

one caller. For RFC code this seems good enough though. Signed-off-by: Brendan Jackman --- arch/x86/include/asm/asi.h | 8 ++-- arch/x86/mm/asi.c| 49 include/asm-generic/asi.h| 9 +++- include/linux/entry-common.h | 11 +

[PATCH RFC v2 26/29] x86: Create library for flushing L1D for L1TF

ill be used only by VMX and ASI, and has an annoying "only sometimes works" doc-comment. Users of the library can then infer from that comment whether they have flushed L1D. No functional change intended. Checkpatch-args: --ignore=COMMIT_LOG_LONG_LINE Signed-off-by: Brendan Jackman

[PATCH RFC v2 29/29] mm: asi: Stop ignoring asi=on cmdline flag

At this point the minimum requirements are in place for the kernel to operate correctly with ASI enabled. Signed-off-by: Brendan Jackman --- arch/x86/mm/asi.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/arch/x86/mm/asi.c b/arch/x86/mm/asi.c index

[PATCH RFC v2 24/29] mm: asi: Add infrastructure for mapping userspace addresses

ss is still hard-coded not to map userspace addresses. Co-developed-by: Junaid Shahid Signed-off-by: Junaid Shahid Co-developed-by: Reiji Watanabe Signed-off-by: Reiji Watanabe Signed-off-by: Brendan Jackman --- arch/x86/include/asm/asi.h| 11 + arch/x86/include/asm/pgalloc.h

[PATCH RFC v2 21/29] KVM: x86: asi: Restricted address space for VM execution

n. We expect later iterations of ASI to drop that call as we gain the ability to context switch within the ASI domain. Signed-off-by: Brendan Jackman --- arch/x86/include/asm/kvm_host.h | 3 ++ arch/x86/kvm/svm/svm.c | 2 ++ arch/x86/kvm/vmx/vmx.c | 38 arc

[PATCH RFC v2 19/29] mm: asi: Stabilize CR3 in switch_mm_irqs_off()

which requires using a temporary mm. Signed-off-by: Brendan Jackman --- arch/x86/mm/tlb.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/arch/x86/mm/tlb.c b/arch/x86/mm/tlb.c index c55733e144c7538ce7f97b74ea2b1b9c22497c32..ce5598f96ea7a84dc0e8623022ab5bfbba401b48 100644 --- a/arch/x

[PATCH RFC v2 27/29] mm: asi: Add some mitigations on address space transitions

known ones). Signed-off-by: Brendan Jackman --- arch/x86/include/asm/nospec-branch.h | 2 ++ arch/x86/kvm/vmx/vmx.c | 1 + arch/x86/lib/l1tf.c | 2 ++ arch/x86/lib/retpoline.S | 10 ++ arch/x86/mm/asi.c

[PATCH RFC v2 28/29] x86/pti: Disable PTI when ASI is on

ss.cc/files/prefetch.pdf and https://dl.acm.org/doi/pdf/10.1145/3623652.3623669 Signed-off-by: Brendan Jackman --- arch/x86/include/asm/pti.h | 6 -- arch/x86/mm/init.c | 2 +- arch/x86/mm/pti.c | 14 +- 3 files changed, 18 insertions(+), 4 deletions(-) diff

[PATCH RFC v2 18/29] mm: asi: Map dynamic percpu memory as nonsensitive

early boot via memblock allocator (these will be taken care by the following patch). We don't support sensitive percpu memory allocation yet. Co-developed-by: Junaid Shahid Signed-off-by: Junaid Shahid Signed-off-by: Reiji Watanabe Signed-off-by: Brendan Jackman WIP: Drop VM_SENSITIVE c

[PATCH RFC v2 07/29] mm: asi: Make __get_current_cr3_fast() ASI-aware

From: Junaid Shahid When ASI is active, __get_current_cr3_fast() adjusts the returned CR3 value accordingly to reflect the actual ASI CR3. Signed-off-by: Junaid Shahid Signed-off-by: Brendan Jackman --- arch/x86/mm/tlb.c | 37 +++-- 1 file changed, 31

[PATCH RFC v2 12/29] mm: asi: Add basic infrastructure for global non-sensitive mappings

-sensitive mappings are never freed. These page tables are shared between all domains and init_mm, so they don't need special synchronization. RFC note: A refactoring/prep commit should be split out of this patch. Signed-off-by: Junaid Shahid Signed-off-by: Brendan Jackman --- arch/x86/includ