Hacker Read

Valmar · 2018-01-10 03:46:00+00:00

Page Table Isolation has been backported to 4.14.12, so no need to test with the rc.

uniformlyrandom | karma 751 | avg karma 3.25 · | 2018-01-03 18:44:43

From the merge commit:

  +#ifdef CONFIG_PAGE_TABLE_ISOLATION
  +# define DISABLE_PTI		0
  +#else
  +# define DISABLE_PTI		(1 << (X86_FEATURE_PTI & 31))
  +#endif

PS - MSFT has not published relnotes, so we do not know yet. We'll find out soon enough.

blattimwind | karma 8132 | avg karma 3.26 · | 2018-01-06 17:00:00+00:00

$ dmesg | grep isolation

[ 0.000000] Kernel/User page tables isolation: enabled

reply

weinzierl | karma 23117 | avg karma 5.55 · | 2018-01-06 19:10:03+00:00

Interestingly I get:

    dmesg -H | grep 'page tables isolation'
    [  +0.000000] Kernel/User page tables isolation: enabled

    grep cpu_insecure /proc/cpuinfo && echo "Patched" || echo "Unpatched!"
    Unpatched!

    cat /proc/cpuinfo | grep pti
    fpu_exception	: yes

    uname -a
    Linux host 4.9.0-5-amd64 #1 SMP Debian 4.9.65-3+deb9u2 (2018-01-04) x86_64 GNU/Linux

So page tables isolation seems to be enabled but neither the pti flag nor the cpu_insecure bug is in cpuinfo.

EDIT: Maybe this is because it is Xen guest. Do I need pti on a XEN guest if the host is fully patched?

reply

irdc | karma 778 | avg karma 3.8 · | 2023-11-09 10:02:54

Yes, but execute disable is not the same as execute only. AFAIK there's no way to prevent executable pages from being readable using only the i386/amd64 page table.

scprodigy | karma 138 | avg karma 2.23 · | 2016-02-10 17:17:43+00:00

What about execution isolation? Any info?

egeozcan | karma 5220 | avg karma 2.65 · | 2014-04-30 11:03:17

Didn't know about this Physical Isolation feature[0] before. Does anyone have any idea how reliable this is?

[0]: https://www.whonix.org/wiki/Dev/Build_Documentation/Physical...

reply

fulafel | karma 12262 | avg karma 1.65 · | 2024-03-14 05:59:01

Are there writeups about this isolation feature? I was left wondering if it's a security boundary, like sandboxing, or a packaging system feature.

marcosdumay | karma 27273 | avg karma 1.67 · | 2022-08-26 11:17:18

Somebody posted the documentation of stack isolation in another thread.

If you want exactly that, and only that, my conclusion is that the best way is to use `isolation: isolate`.

reply

staticassertion | karma 12534 | avg karma 3.12 · | 2018-07-14 15:58:49+00:00

So what?

Site isolation is a huge win.

reply

msbarnett | karma 12236 | avg karma 5.89 · | 2021-06-22 22:17:26

No. Isolation has always been a security feature, not a reliability feature.

Consider that local privilege escalations are generally (and I'd say correctly) treated as critical severity issues. Any general purpose process memory read-isolation leak is a quick route to a local privilege escalation, so how could isolation be anything other than a security feature? In its absence, you might as well run everything as root and there would be no point whatsoever to caring about privilege escalations.

reply

bravetraveler | karma | avg karma · | 2022-02-11 22:01:43

Forgive me, I'm new to this - but wouldn't the mitigation status also depend on the distribution?

It doesn't paint AMD in any better of a light, but it may not be so dire.

The distributions at the top don't usually run a mainstream [vanilla] kernel. Consequently, neither do their children/derivatives.

For example, the kernel configs for my distribution (Fedora 35) show it as enabled - unless I'm missing some further step:

    $ zgrep CONFIG_PAGE_TABLE_ISO /boot/config-`uname -r`
    CONFIG_PAGE_TABLE_ISOLATION=y

I ask and remain somewhat curious partly because I don't see the messages in the ring buffer I'd expect

(based on some cursory research)

reply

ajross | karma 32824 | avg karma 3.42 · | 2018-08-08 18:08:00

It's not. They're just using the term as a synonym for "rewrite". There's no documentation of any actual IP isolation in the linked article. They just want people to know it's new and not based on the existing LLVM or Linux runtimes.

jojo1 | karma -11 | avg karma -0.55 · | 2011-04-24 04:22:31

No.

See: http://theinvisiblethings.blogspot.com/2011/04/linux-securit...

reply

Macha | karma 17779 | avg karma 3.43 · | 2020-10-21 17:32:05+00:00

This is effectively first party isolation. It's buried in about:config as it breaks too many sites apparently

aomix | karma 141 | avg karma 1.72 · | 2019-06-06 00:56:18+00:00

The PROT_WRITE tweak is interesting. Being able to enforce a bit of Write XOR Execute behavior in Write OR Execute arenas is nifty. It took this change for me to read into W^X and exactly what it entailed because my naive understanding was that the new no-syscall-from-writeable-page behavior would be almost identical in effect to the strict W^X behavior.

ajvs | karma 967 | avg karma 2.49 · | 2020-10-21 17:25:05+00:00

If you enable the First-Party Isolation preference in about:config then this is more effective site isolation and is automatic for all sites.

unixhero | karma 4535 | avg karma 1.33 · | 2021-09-19 02:15:36

It would be useful to dostinguish how this different or improves on other oses using isolation.

Santosh83 | karma 9527 | avg karma 6.97 · | 2021-01-26 16:29:59+00:00

I believe the 'First-party isolation' feature does this, but you need to enable it from about:config, and even then, I'm not sure if it is complete or bug-free.

tscs37 | karma 1408 | avg karma 1.79 · | 2018-01-21 18:31:32+00:00

There is (most likely) no perfect isolation.

If given no alternatives, a kernel should burn down rather than permitting a privilege escalation. Ideally there is no privilege escalation either.

Given bad input the kernel should not fault but sometimes it must.

reply