[SRU][PATCH 0/4] Backport mseal to ubuntu 24.04 LTS kernel 6.8.y
Juerg Haefliger
juerg.haefliger at canonical.com
Fri Feb 14 09:40:24 UTC 2025
On Fri, 24 Jan 2025 14:12:06 -0800
Jeff Xu <jeffxu at chromium.org> wrote:
> On Wed, Jan 22, 2025 at 9:09 AM Jeff Xu <jeffxu at chromium.org> wrote:
> >
> > Hi Juerg
> >
> > On Wed, Jan 22, 2025 at 7:20 AM Juerg Haefliger
> > <juerg.haefliger at canonical.com> wrote:
> > >
> > > Hi Jeff,
> > >
> > >
> > > > From: Jeff Xu <jeffxu at chromium.org>
> > > >
> > > > https://bugs.launchpad.net/ubuntu/+source/linux/+bug/2089711
> > > >
> > > > [ Impact ]
> > > >
> > > > My name is Jeff Xu, I work with Stephen Röttger on hardening the Chrome
> > > > browser. I'm reaching out to explore the possibility of backporting memory
> > > > sealing into the 22.04 LTS kernel.
> > > >
> > > > For context, it is worth noting that the Kernel introduces mseal support in
> > > > version 6.10 [1]. The Chrome V8 engine will utilize the memory sealing
> > > > function to protect its JIT compiler from memory corruption vulnerabilities.
> > > > The change is merged in Chrome, and we believe that Ubuntu users would benefit
> > > > from using this safer version of Chrome. In addition, Chrome uses Ubuntu LTS
> > > > extensively for testing, which makes Ubuntu one of the first systems to have
> > > > this enhanced security of Chrome.
> > > >
> > > > glibc’s dynamic linker is adding mseal to seal RO mappings such
> > > > as .text, .rodata, .relro [2]; the integration test is completed.
> > > >
> > > > The backport work includes 4 commits, and is based on 6.8.12 kernel.
> > > >
> > > > ChromeOS and Android GKI both have the mseal backported to
> > > > the 6.6 kernel [3] [4] [5] [6]
> > > >
> > > > Thank you for your time and consideration.
> > > > Best regards,
> > > > Jeff
> > > >
> > > > [1] https://docs.kernel.org/userspace-api/mseal.html
> > > > [2] https://sourceware.org/pipermail/libc-alpha/2024-September/160291.html
> > > > [3] https://chromium-review.googlesource.com/c/chromiumos/third_party/kernel/+/5595211/4
> > > > [4] https://chromium-review.googlesource.com/c/chromiumos/third_party/kernel/+/5595853/4
> > > > [5] https://chromium-review.googlesource.com/c/chromiumos/third_party/kernel/+/5742931
> > > > [6] https://chromium-review.googlesource.com/c/chromiumos/third_party/kernel/+/5802772
> > > >
> > > > [ Test Plan ]
> > > > The test is performed by running selftest (mseal_test) on 6.8 kernel with the backport.
> > > > I didn't include the selftest as part of the backport because there are many revisions of the tests;
> > > > I believe it is unnecessary to backport those.
> > > >
> > > > [ Where problems could occur ]
> > > > This is not a bug; backporting this will enable the Chrome browser's security enhancement.
> > > >
> > > > [ Other Info ]
> > > > None.
> > >
> > > Thanks for this. I'm not sure though. glibc in Noble is too old so only
> > > chrome would benefit, correct? Given that the 6.11 HWE kernel should have
> > > mseal support, I'm hesitant to entertain a backport to 6.8. We typically
> > > don't backport new features. I haven't looked at how intrusive this backport
> > > even is. We're having an internal discussion.
> > >
> > When will the next Ubuntu LTS version be released? Is that based on 6.11?
> >
> IIUC, Chrome will be happy with any LTS version that has a 6.6 kernel or
> higher (Stephen Röttger can clarify in case I'm wrong); if there is
> an Ubuntu LTS version that meets this soon, the backport is not
> needed.
Noble .2 point release next week will come with an HWE 6.11 kernel.
...Juerg
> > Thanks
> > -Jeff
> >
> >
> > > ...Juerg
> > >
> > >
> > > >
> > > >
> > > > Jeff Xu (3):
> > > > mseal: wire up mseal syscall
> > > > mseal: add mseal syscall
> > > > /proc/pid/smaps: add mseal info for vma
> > > >
> > > > Pedro Falcato (1):
> > > > mseal: fix is_madv_discard()
> > > >
> > > > Documentation/filesystems/proc.rst | 1 +
> > > > arch/alpha/kernel/syscalls/syscall.tbl | 1 +
> > > > arch/arm/tools/syscall.tbl | 1 +
> > > > arch/arm64/include/asm/unistd.h | 2 +-
> > > > arch/arm64/include/asm/unistd32.h | 2 +
> > > > arch/m68k/kernel/syscalls/syscall.tbl | 1 +
> > > > arch/microblaze/kernel/syscalls/syscall.tbl | 1 +
> > > > arch/mips/kernel/syscalls/syscall_n32.tbl | 1 +
> > > > arch/mips/kernel/syscalls/syscall_n64.tbl | 1 +
> > > > arch/mips/kernel/syscalls/syscall_o32.tbl | 1 +
> > > > arch/parisc/kernel/syscalls/syscall.tbl | 1 +
> > > > arch/powerpc/kernel/syscalls/syscall.tbl | 1 +
> > > > arch/s390/kernel/syscalls/syscall.tbl | 1 +
> > > > arch/sh/kernel/syscalls/syscall.tbl | 1 +
> > > > arch/sparc/kernel/syscalls/syscall.tbl | 1 +
> > > > arch/x86/entry/syscalls/syscall_32.tbl | 1 +
> > > > arch/x86/entry/syscalls/syscall_64.tbl | 1 +
> > > > arch/xtensa/kernel/syscalls/syscall.tbl | 1 +
> > > > fs/proc/task_mmu.c | 3 +
> > > > include/linux/mm.h | 5 +
> > > > include/linux/syscalls.h | 1 +
> > > > include/uapi/asm-generic/unistd.h | 5 +-
> > > > kernel/sys_ni.c | 1 +
> > > > mm/Makefile | 4 +
> > > > mm/internal.h | 32 ++
> > > > mm/madvise.c | 12 +
> > > > mm/mmap.c | 31 +-
> > > > mm/mprotect.c | 10 +
> > > > mm/mremap.c | 31 ++
> > > > mm/mseal.c | 315 ++++++++++++++++++++
> > > > 30 files changed, 467 insertions(+), 3 deletions(-)
> > > > create mode 100644 mm/mseal.c
> > > >
> > >
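As an added example (not code from the thread or from the backport series), the following C program exercises the semantics the four commits bring: it seals a read-only anonymous mapping and checks that mprotect(), a partial munmap() and a discarding madvise() are then refused with EPERM. Assumptions: no libc wrapper for mseal(2), and syscall number 462, the slot the series wires up in the x86_64 and asm-generic tables; on a kernel without the syscall the function reports "unavailable" instead of failing.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stddef.h>
#include <sys/mman.h>
#include <sys/syscall.h>
#include <unistd.h>

/* Assumed syscall number: 462 is the slot the series adds to the x86_64 and
 * asm-generic tables. Older libc headers do not define it. */
#ifndef __NR_mseal
#define __NR_mseal 462
#endif

/* No libc wrapper is assumed; mseal(2) takes (addr, len, flags), flags must be 0. */
static long do_mseal(void *addr, size_t len)
{
    return syscall(__NR_mseal, addr, len, 0UL);
}

/* Maps two read-only anonymous pages, seals them and checks that the kernel
 * now refuses to change the mapping. Returns 1 = sealing enforced,
 * 2 = mseal unavailable (ENOSYS, or EPERM from a seccomp filter that blocks
 * unknown syscalls), -1 = unexpected behaviour. */
int mseal_demo(void)
{
    long page = sysconf(_SC_PAGESIZE);
    size_t len = 2 * (size_t)page;
    void *p = mmap(NULL, len, PROT_READ, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED)
        return -1;

    if (do_mseal(p, len) != 0) {
        int err = errno;
        munmap(p, len);
        return (err == ENOSYS || err == EPERM) ? 2 : -1;
    }

    /* A sealed VMA keeps its permissions and layout until the process exits:
     * mprotect, (partial) munmap and mremap fail with EPERM, and so does a
     * discarding madvise on a read-only private mapping, which is the path
     * Pedro Falcato's is_madv_discard() fix covers. */
    int enforced = 1;
    if (mprotect(p, len, PROT_READ | PROT_WRITE) == 0 || errno != EPERM)
        enforced = 0;
    if (munmap(p, (size_t)page) == 0 || errno != EPERM)
        enforced = 0;
    if (madvise(p, (size_t)page, MADV_DONTNEED) == 0 || errno != EPERM)
        enforced = 0;
    /* Unmapping is impossible by design; the sealed range lives until exit. */
    return enforced ? 1 : -1;
}
```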