.. SPDX-License-Identifier: GPL-2.0

.. Blame: Pasha Tatashin, df4e817, 2022-01-14 14:06:37 -0800

.. _page_table_check:

================
Page Table Check
================

Introduction
============

.. Blame (first sentence): Paul Menzel, 854d098, 2022-01-17 12:13:37 +0100

Page table check hardens the kernel by ensuring that some types of memory
corruption are prevented.

Page table check performs extra verification at the time new pages become
accessible from userspace, that is, when their page table entries (PTEs, PMDs,
etc.) are added into the page table.

If corruption is detected, the kernel is crashed. There is a small performance
and memory overhead associated with page table check. Therefore, it is disabled
by default, but can optionally be enabled on systems where the extra hardening
outweighs the performance costs. Also, because page table check is synchronous,
it can help with debugging double map memory corruption issues by crashing the
kernel at the time the wrong mapping occurs, instead of later, which is often
the case with memory corruption bugs.

Double mapping detection logic
==============================

+-------------------+-------------------+-------------------+------------------+
| Current Mapping   | New mapping       | Permissions       | Rule             |
+===================+===================+===================+==================+
| Anonymous         | Anonymous         | Read              | Allow            |
+-------------------+-------------------+-------------------+------------------+
| Anonymous         | Anonymous         | Read / Write      | Prohibit         |
+-------------------+-------------------+-------------------+------------------+
| Anonymous         | Named             | Any               | Prohibit         |
+-------------------+-------------------+-------------------+------------------+
| Named             | Anonymous         | Any               | Prohibit         |
+-------------------+-------------------+-------------------+------------------+
| Named             | Named             | Any               | Allow            |
+-------------------+-------------------+-------------------+------------------+

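
The double mapping rules as a small state machine, added here as an illustration (it is not the kernel's implementation): a user-space C model that tracks the current userspace mappings of one page and decides whether a new mapping is allowed. The names ``page_state``, ``ptc_map`` and ``ptc_unmap`` are hypothetical, the unmap step is part of the model only, and the Permissions column is read as the permission of the new mapping.

```c
#include <stdbool.h>
#include <stdio.h>

/* Added illustration, not kernel code: a simplified user-space model. */
enum map_kind { MAP_ANON, MAP_NAMED };

struct page_state {
    int anon_maps;   /* current anonymous userspace mappings of this page */
    int named_maps;  /* current named (file-backed) userspace mappings */
};

/* Apply the rule table to a new mapping of one page. Returns true and
 * records the mapping when allowed, false where the kernel would crash.
 * "writable" is the permission of the new mapping (assumption). */
static bool ptc_map(struct page_state *p, enum map_kind kind, bool writable)
{
    if (kind == MAP_ANON) {
        if (p->named_maps > 0)
            return false;            /* Named -> Anonymous: prohibit */
        if (p->anon_maps > 0 && writable)
            return false;            /* Anonymous -> Anonymous, R/W: prohibit */
        p->anon_maps++;              /* first mapping, or shared read-only */
        return true;
    }
    if (p->anon_maps > 0)
        return false;                /* Anonymous -> Named: prohibit */
    p->named_maps++;                 /* Named -> Named, any permission: allow */
    return true;
}

/* Dropping a mapping frees its slot, so a later mapping is judged afresh. */
static void ptc_unmap(struct page_state *p, enum map_kind kind)
{
    if (kind == MAP_ANON && p->anon_maps > 0)
        p->anon_maps--;
    else if (kind == MAP_NAMED && p->named_maps > 0)
        p->named_maps--;
}

int main(void)
{
    struct page_state pg = {0, 0};   /* constructed sample: one unmapped page */
    printf("anon rw on unmapped page: %d\n", ptc_map(&pg, MAP_ANON, true));
    printf("named while anon mapped:  %d\n", ptc_map(&pg, MAP_NAMED, false));
    ptc_unmap(&pg, MAP_ANON);
    printf("named after anon unmap:   %d\n", ptc_map(&pg, MAP_NAMED, true));
    return 0;
}
```
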
Enabling Page Table Check
=========================

Build the kernel with:

- PAGE_TABLE_CHECK=y
  Note, it can only be enabled on platforms where ARCH_SUPPORTS_PAGE_TABLE_CHECK
  is available.

- Boot with the 'page_table_check=on' kernel parameter.

Optionally, build the kernel with PAGE_TABLE_CHECK_ENFORCED in order to have page
table check support without an extra kernel parameter.