Kernel page-table isolation
Kernel page-table isolation (KPTI, previously called KAISER) is a hardening technique in the Linux kernel that works around the Meltdown hardware security bug in modern Intel x86 CPUs by isolating user-space and kernel-space memory more strictly.[1][2] KPTI was merged into Linux kernel version 4.15,[3][4] to be released in early 2018, and backported into Linux kernel 4.14.11.[5] Microsoft Windows implemented an identical feature in Windows 10 build 17035 (RS4).[6] Apple's macOS was similarly updated with KPTI in the 10.13.2 update.[7]
KAISER
Prior to KPTI, whenever user-space code (applications) was executing, Linux kept its entire kernel memory mapped in the page tables, although protected from access. The advantage is that when an application makes a system call into the kernel or an interrupt arrives, the kernel page tables are already present, so most context-switch-related overheads (TLB flush, page-table swapping, etc.) can be avoided.[1]
In 2005, the Linux kernel adopted address space layout randomization (ASLR), and in 2014 kernel address space layout randomization (KASLR), which makes kernel vulnerabilities harder to exploit[8][9] but relies on kernel addresses remaining hidden from user space. Although access to these kernel mappings is prohibited, several side-channel attacks on current Intel x86 processors (as of December 2017) can leak the location of this memory, making it possible to work around KASLR.[2][10][11][12] AMD x86 processors are not affected by these attacks and do not need KPTI to mitigate them.[13][14][15]
Implementation
KPTI fixes these leaks by separating user-space and kernel-space page tables entirely. On recent x86 processors, a TLB flush can be avoided using the process-context identifiers (PCID) feature, but even then the change comes at a significant performance cost, particularly in syscall-heavy and interrupt-heavy workloads. The overhead was measured at 0.28% by KAISER's original authors,[2] but at roughly 5% for most workloads by a Linux developer.[1]
KPTI can partially be disabled with the "pti=off" kernel boot option. Provisions were also created to disable KPTI if newer processors fix the information leaks.[3]
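As an added example (not from the article or from the kernel sources), a POSIX shell script that reports a host's KPTI state from the interfaces a 4.15+ kernel exposes: the pti=off boot option (and its alias nopti), the pti and pcid flags in /proc/cpuinfo, and the meltdown entry under /sys/devices/system/cpu/vulnerabilities/. Those flag names, the nopti alias and the sysfs path are not mentioned in the article; they are taken from the kernel's own documentation.

```shell
#!/bin/sh
# Added example (not from the article): classify a Linux host's KPTI state.
# Parsing helpers take strings so they run on constructed input; kpti_report
# reads the live kernel interfaces.

# $1: /proc/cmdline. Prints the requested PTI mode: off, on or auto.
# Later options win; "nopti" is the kernel's alias for "pti=off".
pti_cmdline_mode() {
    mode=auto
    for tok in $1; do                 # unquoted on purpose: split on spaces
        case "$tok" in
            nopti|pti=off) mode=off ;;
            pti=on)        mode=on ;;
            pti=auto)      mode=auto ;;
        esac
    done
    printf '%s\n' "$mode"
}

# $1: the "flags" line of /proc/cpuinfo, $2: flag name. "pti" is present when
# KPTI is active, "pcid" when the CPU can avoid the TLB flush. 0 if present.
cpu_has_flag() {
    for f in ${1#flags*:}; do         # strip the "flags ... :" prefix
        [ "$f" = "$2" ] && return 0
    done
    return 1
}

# $1: /sys/devices/system/cpu/vulnerabilities/meltdown (kernel 4.15+).
meltdown_state() {
    case "$1" in
        "Not affected"*)    printf 'not-affected\n' ;;
        "Mitigation: PTI"*) printf 'mitigated\n' ;;
        Vulnerable*)        printf 'vulnerable\n' ;;
        *)                  printf 'unknown\n' ;;
    esac
}

# Live check of the running kernel, combining the three sources above.
kpti_report() {
    sysfs=/sys/devices/system/cpu/vulnerabilities/meltdown
    [ -r "$sysfs" ] || { echo "unknown: $sysfs missing (pre-4.15 kernel?)"; return 0; }
    state=$(meltdown_state "$(cat "$sysfs")")
    mode=$(pti_cmdline_mode "$(cat /proc/cmdline)")
    flags=$(grep -m1 '^flags' /proc/cpuinfo)
    cpu_has_flag "$flags" pti  && pti=yes  || pti=no
    cpu_has_flag "$flags" pcid && pcid=yes || pcid=no
    echo "meltdown=$state requested=$mode pti_flag=$pti pcid=$pcid"
}
```

A host that reports meltdown=vulnerable with requested=off has had the mitigation switched off on the command line; a host with pti_flag=yes but pcid=no pays the full TLB-flush cost described above.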
References
- [1] Jonathan Corbet: KAISER: hiding the kernel from user space. In: LWN.net, 15 November 2017.
- [2] Daniel Gruss, Moritz Lipp, Michael Lipp, Richard Fellner, Clémentine Maurice, Stefan Mangard: KASLR is Dead: Long Live KASLR. Engineering Secure Software and Systems 2017, 24 June 2017 (gruss.cc [PDF]).
- [3] Jonathan Corbet: Kernel page-table isolation merged. In: LWN.net, 20 December 2017.
- [4] Michael Larabel: KAISER Getting Ready To Better Protect The Linux Kernel. In: Phoronix, 27 November 2017.
- [5] Greg Kroah-Hartman: Linux 4.14.11 Changelog. In: kernel.org.
- [6] Vorlage:Cite tweet
- [7] Apple has already partially implemented fix in macOS for 'KPTI' Intel CPU security flaw. In: AppleInsider. Retrieved 3 January 2018 (American English).
- [8] Alan Dang: The NX Bit And ASLR - Behind Pwn2Own: Exclusive Interview With Charlie Miller. In: Tom's Hardware, 25 March 2009. Retrieved 29 December 2017 (English).
- [9] Abhishek Bhattacharjee, Daniel Lustig: Architectural and Operating System Support for Virtual Memory. Morgan & Claypool Publishers, 2017, ISBN 978-1-62705-933-6, p. 56 (English, google.com).
- [10] Yeongjin Jang, Sangho Lee, Taesoo Kim: Breaking Kernel Address Space Layout Randomization with Intel TSX. In: 2016 ACM SIGSAC Conference on Computer and Communications Security (CCS '16). ACM, New York, NY, USA 2016, pp. 380–392, doi:10.1145/2976749.2978321 (oregonstate.edu [PDF]).
- [11] Daniel Gruss, Clémentine Maurice, Anders Fogh, Moritz Lipp, Stefan Mangard: Prefetch Side-Channel Attacks: Bypassing SMAP and Kernel ASLR. In: 2016 ACM SIGSAC Conference on Computer and Communications Security (CCS '16). ACM, New York, NY, USA 2016, pp. 368–379, doi:10.1145/2976749.2978356 (gruss.cc [PDF]).
- [12] R. Hund, C. Willems, T. Holz: Practical Timing Side Channel Attacks against Kernel Space ASLR. In: 2013 IEEE Symposium on Security and Privacy, May 2013, pp. 191–205, doi:10.1109/sp.2013.23 (ieee-security.org [PDF]).
- [13] Tom Lendacky: Do not enable PTI on AMD processors, 26 December 2017.
- [14] Thomas Gleixner: x86/cpu, x86/pti: Do not enable PTI on AMD processors, 3 January 2018.
- [15] An Update on AMD Processor Security, 4 January 2018.