[PATCH] arm64: cpufeature: make sure cpu_mitigations_off then kpti off

Liu Song posted 1 patch 3 years, 10 months ago
arch/arm64/kernel/cpufeature.c | 10 +++++-----
1 file changed, 5 insertions(+), 5 deletions(-)
[PATCH] arm64: cpufeature: make sure cpu_mitigations_off then kpti off
Posted by Liu Song 3 years, 10 months ago
From: Liu Song <liusong@linux.alibaba.com>

If kaslr is enabled, kpti cannot be turned off even if "mitigations=off".
Adjust the code order to ensure that kpti is off when "mitigations=off".

Signed-off-by: Liu Song <liusong@linux.alibaba.com>
---
 arch/arm64/kernel/cpufeature.c | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/arch/arm64/kernel/cpufeature.c b/arch/arm64/kernel/cpufeature.c
index 42ea2bd..27d4850 100644
--- a/arch/arm64/kernel/cpufeature.c
+++ b/arch/arm64/kernel/cpufeature.c
@@ -1616,6 +1616,11 @@ static bool unmap_kernel_at_el0(const struct arm64_cpu_capabilities *entry,
 		__kpti_forced = -1;
 	}
 
+	if (cpu_mitigations_off() && !__kpti_forced) {
+		str = "mitigations=off";
+		__kpti_forced = -1;
+	}
+
 	/* Useful for KASLR robustness */
 	if (kaslr_requires_kpti()) {
 		if (!__kpti_forced) {
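Review bot: this hunk changes a security-relevant precedence rather than fixing a bug, and the commit message needs to say so. With the mitigations=off block hoisted above the KASLR check, __kpti_forced is already -1 by the time kaslr_requires_kpti() is evaluated, so the `if (!__kpti_forced)` branch under it is skipped and a KASLR-enabled kernel now boots without KPTI. The `!__kpti_forced` guard in the new block still lets an explicit kpti= setting (the `__kpti_forced = -1` context just above) win over mitigations=off, which is fine, but the message should argue why mitigations=off should override "KASLR robustness" here, given the maintainer's position that KASLR is trivial to bypass once kpti is disabled; if the intent is only to match the kernel-parameters.txt wording, the alternative is to fix that documentation instead of the code.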
@@ -1624,11 +1629,6 @@ static bool unmap_kernel_at_el0(const struct arm64_cpu_capabilities *entry,
 		}
 	}
 
-	if (cpu_mitigations_off() && !__kpti_forced) {
-		str = "mitigations=off";
-		__kpti_forced = -1;
-	}
-
 	if (!IS_ENABLED(CONFIG_UNMAP_KERNEL_AT_EL0)) {
 		pr_info_once("kernel page table isolation disabled by kernel configuration\n");
 		return false;
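Review bot: the block removed here is byte-for-byte the one added in the previous hunk, so the patch is a pure move, but the `/* Useful for KASLR robustness */` comment left in the trailing context is now misleading: after this change the KASLR check no longer guarantees KPTI, since mitigations=off can pre-empt it. Either update that comment to state that mitigations=off takes precedence, or keep the original order and drop the patch; as posted, a reader of the resulting code will assume the KASLR path still forces KPTI on.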
-- 
1.8.3.1
Re: [PATCH] arm64: cpufeature: make sure cpu_mitigations_off then kpti off
Posted by Will Deacon 3 years, 10 months ago
On Thu, Jun 16, 2022 at 08:35:38PM +0800, Liu Song wrote:
> From: Liu Song <liusong@linux.alibaba.com>
> 
> If kaslr is enabled, kpti cannot be turned off even if "mitigations=off".
> Adjust the code order to ensure that kpti is off when "mitigations=off".
> 
> Signed-off-by: Liu Song <liusong@linux.alibaba.com>
> ---
>  arch/arm64/kernel/cpufeature.c | 10 +++++-----
>  1 file changed, 5 insertions(+), 5 deletions(-)
> 
> diff --git a/arch/arm64/kernel/cpufeature.c b/arch/arm64/kernel/cpufeature.c
> index 42ea2bd..27d4850 100644
> --- a/arch/arm64/kernel/cpufeature.c
> +++ b/arch/arm64/kernel/cpufeature.c
> @@ -1616,6 +1616,11 @@ static bool unmap_kernel_at_el0(const struct arm64_cpu_capabilities *entry,
>  		__kpti_forced = -1;
>  	}
>  
> +	if (cpu_mitigations_off() && !__kpti_forced) {
> +		str = "mitigations=off";
> +		__kpti_forced = -1;
> +	}
> +
>  	/* Useful for KASLR robustness */
>  	if (kaslr_requires_kpti()) {
>  		if (!__kpti_forced) {
> @@ -1624,11 +1629,6 @@ static bool unmap_kernel_at_el0(const struct arm64_cpu_capabilities *entry,
>  		}
>  	}
>  
> -	if (cpu_mitigations_off() && !__kpti_forced) {
> -		str = "mitigations=off";
> -		__kpti_forced = -1;
> -	}

The current behaviour is intentional: KASLR is trivial to bypass when kpti
is disabled.

Will
Re: [PATCH] arm64: cpufeature: make sure cpu_mitigations_off then kpti off
Posted by liusong 3 years, 10 months ago
> On Thu, Jun 16, 2022 at 08:35:38PM +0800, Liu Song wrote:
>> From: Liu Song <liusong@linux.alibaba.com>
>>
>> If kaslr is enabled, kpti cannot be turned off even if "mitigations=off".
>> Adjust the code order to ensure that kpti is off when "mitigations=off".
>>
>> Signed-off-by: Liu Song <liusong@linux.alibaba.com>
>> ---
>>  arch/arm64/kernel/cpufeature.c | 10 +++++-----
>>  1 file changed, 5 insertions(+), 5 deletions(-)
>>
>> diff --git a/arch/arm64/kernel/cpufeature.c b/arch/arm64/kernel/cpufeature.c
>> index 42ea2bd..27d4850 100644
>> --- a/arch/arm64/kernel/cpufeature.c
>> +++ b/arch/arm64/kernel/cpufeature.c
>> @@ -1616,6 +1616,11 @@ static bool unmap_kernel_at_el0(const struct arm64_cpu_capabilities *entry,
>>    __kpti_forced = -1;
>>   }
>> 
>> + if (cpu_mitigations_off() && !__kpti_forced) {
>> +  str = "mitigations=off";
>> +  __kpti_forced = -1;
>> + }
>> +
>>   /* Useful for KASLR robustness */
>>   if (kaslr_requires_kpti()) {
>>    if (!__kpti_forced) {
>> @@ -1624,11 +1629,6 @@ static bool unmap_kernel_at_el0(const struct arm64_cpu_capabilities *entry,
>>    }
>>   }
>> 
>> - if (cpu_mitigations_off() && !__kpti_forced) {
>> -  str = "mitigations=off";
>> -  __kpti_forced = -1;
>> - }
>
> The current behaviour is intentional: KASLR is trivial to bypass when kpti
> is disabled.
>
> Will

Hi

According to the description of mitigations=off in kernel-parameters.txt,
it is equivalent to kpti=0 under ARM64, so the description here will mislead
users. I have proposed a patch to fix this.

Thanks