Kernel page-table isolation
Kernel page-table isolation (KPTI, previously called KAISER) is a hardening technique in the Linux kernel that works around the Meltdown hardware security bug in modern Intel x86 CPUs by isolating user space and kernel space memory more strictly.[1][2] KPTI was merged into Linux kernel version 4.15,[3][4] to be released in early 2018, and backported into Linux kernel 4.14.11.[5] Microsoft Windows implemented an identical feature in Windows 10 build 17035 (RS4).[6] Apple's macOS was similarly updated with KPTI in the 10.13.2 update.[7]
KAISER
Prior to KPTI, whenever executing user space code (applications), Linux would also keep its entire kernel memory mapped in the page tables, although protected from access. The advantage is that when the application makes a system call into the kernel or an interrupt is received, the kernel page tables are already present, so most context-switch-related overheads (TLB flush, page table swapping, etc.) can be avoided.[1]
In 2005, the Linux kernel adopted address space layout randomization (ASLR), and in 2014 kernel address space layout randomization (KASLR), which makes kernel vulnerabilities harder to exploit[8][9] but relies on kernel addresses remaining hidden from user space. Despite the prohibition on accessing these kernel mappings, there are several side-channel attacks in current Intel x86 processors (as of December 2017) that can leak the location of this memory, making it possible to work around KASLR.[2][10][11][12] AMD x86 processors are not affected by these attacks and do not need KPTI to mitigate them.[13][14][15]
Implementation
KPTI fixes these leaks by separating the user space and kernel space page tables entirely. On recent x86 processors, a TLB flush can be avoided using the process context identifiers (PCID) feature, but even then the separation comes at a significant performance cost, particularly in syscall-heavy and interrupt-heavy workloads. The overhead was measured at 0.28% by KAISER's original authors,[2] but at roughly 5% for most workloads by a Linux developer.[1]
KPTI can be partially disabled with the "pti=off" kernel boot option. Provisions were also made to disable KPTI on newer processors that fix the information leaks.[3]
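As an added defender-side check (not code from the article or from the Linux kernel project), the following POSIX shell script classifies a machine's KPTI state from the sysfs Meltdown entry, the boot command line and the CPU flag list, so an administrator can confirm that the "pti=off" option is not in effect and whether PCID is available to keep the cost down. It assumes the sysfs path /sys/devices/system/cpu/vulnerabilities/meltdown and the "pti" and "pcid" flag names in /proc/cpuinfo, and treats "nopti" as an alias of "pti=off"; none of these are named by the article itself.

```shell
#!/bin/sh
# kpti_status MELTDOWN_LINE CMDLINE FLAGS
# Prints one verdict: not-affected | enabled-pcid | enabled-nopcid |
#                     disabled-by-cmdline | vulnerable | unknown
kpti_status() {
    meltdown=$1
    cmdline=$2
    flags=$3

    case "$meltdown" in
        "Not affected"*) echo "not-affected"; return 0 ;;   # e.g. AMD CPUs
        "Mitigation: PTI"*)
            # KPTI is active. With PCID the kernel can skip the TLB flush on
            # each user/kernel switch, which is what keeps the overhead low.
            case " $flags " in
                *" pcid "*) echo "enabled-pcid" ;;
                *)          echo "enabled-nopcid" ;;
            esac
            return 0 ;;
    esac

    # "pti=off" is the option named in the article; "nopti" is the older
    # spelling the kernel also accepts (assumption, see lead-in).
    case " $cmdline " in
        *" pti=off "*|*" nopti "*) echo "disabled-by-cmdline"; return 0 ;;
    esac

    case "$meltdown" in
        "Vulnerable"*) echo "vulnerable" ;;
        *)             echo "unknown" ;;   # pre-4.14.11 kernel, no sysfs entry
    esac
}

# Read the live values from the running kernel; a missing file (older
# kernel without the vulnerabilities directory) yields an empty string.
kpti_audit() {
    m=$(cat /sys/devices/system/cpu/vulnerabilities/meltdown 2>/dev/null || true)
    c=$(cat /proc/cmdline 2>/dev/null || true)
    f=$(grep '^flags' /proc/cpuinfo 2>/dev/null | head -n 1 || true)
    kpti_status "$m" "$c" "$f"
}

# Constructed sample inputs (not captured from any real machine):
SAMPLE_MELTDOWN="Mitigation: PTI"
SAMPLE_CMDLINE="BOOT_IMAGE=/vmlinuz-4.15 root=/dev/sda1 ro quiet"
SAMPLE_FLAGS="flags : fpu vme de pse tsc msr pae pcid invpcid pti"
kpti_status "$SAMPLE_MELTDOWN" "$SAMPLE_CMDLINE" "$SAMPLE_FLAGS"
```

Run `kpti_audit` on a live system to classify the running kernel instead of the constructed sample.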
References
- [1] Jonathan Corbet: KAISER: hiding the kernel from user space. LWN.net, 15 November 2017.
- [2] Daniel Gruss, Moritz Lipp, Michael Lipp, Richard Fellner, Clémentine Maurice, Stefan Mangard: KASLR is Dead: Long Live KASLR. Engineering Secure Software and Systems 2017, 24 June 2017 (gruss.cc [PDF]).
- [3] Jonathan Corbet: Kernel page-table isolation merged. LWN.net, 20 December 2017.
- [4] Michael Larabel: KAISER Getting Ready To Better Protect The Linux Kernel. Phoronix, 27 November 2017.
- [5] Greg Kroah-Hartman: Linux 4.14.11 Changelog. kernel.org.
- [6] (Tweet; citation details not rendered on this page.)
- [7] Apple has already partially implemented fix in macOS for 'KPTI' Intel CPU security flaw. AppleInsider. Retrieved 3 January 2018.
- [8] Alan Dang: The NX Bit And ASLR - Behind Pwn2Own: Exclusive Interview With Charlie Miller. Tom's Hardware, 25 March 2009. Retrieved 29 December 2017.
- [9] Abhishek Bhattacharjee, Daniel Lustig: Architectural and Operating System Support for Virtual Memory. Morgan & Claypool Publishers, 2017, ISBN 978-1-62705-933-6, p. 56 (google.com).
- [10] Yeongjin Jang, Sangho Lee, Taesoo Kim: Breaking Kernel Address Space Layout Randomization with Intel TSX. In: 2016 ACM SIGSAC Conference on Computer and Communications Security (CCS '16). ACM, New York, NY, USA 2016, pp. 380–392, doi:10.1145/2976749.2978321 (oregonstate.edu [PDF]).
- [11] Daniel Gruss, Clémentine Maurice, Anders Fogh, Moritz Lipp, Stefan Mangard: Prefetch Side-Channel Attacks: Bypassing SMAP and Kernel ASLR. In: 2016 ACM SIGSAC Conference on Computer and Communications Security (CCS '16). ACM, New York, NY, USA 2016, pp. 368–379, doi:10.1145/2976749.2978356 (gruss.cc [PDF]).
- [12] R. Hund, C. Willems, T. Holz: Practical Timing Side Channel Attacks against Kernel Space ASLR. In: 2013 IEEE Symposium on Security and Privacy, May 2013, pp. 191–205, doi:10.1109/sp.2013.23 (ieee-security.org [PDF]).
- [13] Tom Lendacky: Do not enable PTI on AMD processors, 26 December 2017.
- [14] Thomas Gleixner: x86/cpu, x86/pti: Do not enable PTI on AMD processors, 3 January 2018.
- [15] An Update on AMD Processor Security, 4 January 2018.