[SRU][PATCH 0/4] Backport mseal to ubuntu 24.04 LTS kernel 6.8.y

Jeff Xu jeffxu at chromium.org
Wed Jan 22 17:09:53 UTC 2025


Hi Juerg

On Wed, Jan 22, 2025 at 7:20 AM Juerg Haefliger
<juerg.haefliger at canonical.com> wrote:
>
> Hi Jeff,
>
>
> > From: Jeff Xu <jeffxu at chromium.org>
> >
> > https://bugs.launchpad.net/ubuntu/+source/linux/+bug/2089711
> >
> > [ Impact ]
> >
> > My name is Jeff Xu, I work with Stephen Röttger on hardening the chrome
> > browser. I'm reaching out to explore the possibility of backporting memory
> > sealing into the 22.04 LTS kernel.
> >
> > For context, it is worth noting that the Kernel introduces mseal support in
> > version 6.10 [1]. The Chrome V8 engine will utilize the memory sealing
> > function to protect its JIT compiler from memory corruption vulnerabilities.
> > The change is merged in Chrome, and we believe that Ubuntu users would benefit
> > from using this safer version of Chrome. In addition, Chrome uses Ubuntu LTS
> > extensively for testing, which makes Ubuntu one of the first systems to have
> > this enhanced security of Chrome.
> >
> > glibc's dynamic linker is adding mseal to seal RO mappings such
> > as .text, .rodata, .relro [2]; the integration test is completed.
> >
> > The backport work includes 4 commits, and is based on the 6.8.12 kernel.
> >
> > ChromeOS and Android GKI both have mseal backported to
> > the 6.6 kernel [3] [4] [5] [6].
> >
> > Thank you for your time and consideration.
> > Best regards,
> > Jeff
> >
> > [1] https://docs.kernel.org/userspace-api/mseal.html
> > [2] https://sourceware.org/pipermail/libc-alpha/2024-September/160291.html
> > [3] https://chromium-review.googlesource.com/c/chromiumos/third_party/kernel/+/5595211/4
> > [4] https://chromium-review.googlesource.com/c/chromiumos/third_party/kernel/+/5595853/4
> > [5] https://chromium-review.googlesource.com/c/chromiumos/third_party/kernel/+/5742931
> > [6] https://chromium-review.googlesource.com/c/chromiumos/third_party/kernel/+/5802772
> >
> > [ Test Plan ]
> > The test is performed by running the selftest (mseal_test) on the 6.8 kernel with the backport.
> > I didn't include the selftest as part of the backport because there are many revisions of the tests,
> > and I believe it is unnecessary to backport those.
> >
> > [ Where problems could occur ]
> > This is not a bug; backporting this will enable the Chrome browser's security enhancement.
> >
> > [ Other Info ]
> > None.
>
> Thanks for this. I'm not sure though. glibc in Noble is too old so only
> chrome would benefit, correct? Given that the 6.11 HWE kernel should have
> mseal support, I'm hesitant to entertain a backport to 6.8. We typically
> don't backport new features. I haven't looked at how intrusive this backport
> even is. We're having an internal discussion.
>
When will the next Ubuntu LTS version be released? Is that based on 6.11?

Thanks
-Jeff


> ...Juerg
>
>
> >
> >
> > Jeff Xu (3):
> >   mseal: wire up mseal syscall
> >   mseal: add mseal syscall
> >   /proc/pid/smaps: add mseal info for vma
> >
> > Pedro Falcato (1):
> >   mseal: fix is_madv_discard()
> >
> >  Documentation/filesystems/proc.rst          |   1 +
> >  arch/alpha/kernel/syscalls/syscall.tbl      |   1 +
> >  arch/arm/tools/syscall.tbl                  |   1 +
> >  arch/arm64/include/asm/unistd.h             |   2 +-
> >  arch/arm64/include/asm/unistd32.h           |   2 +
> >  arch/m68k/kernel/syscalls/syscall.tbl       |   1 +
> >  arch/microblaze/kernel/syscalls/syscall.tbl |   1 +
> >  arch/mips/kernel/syscalls/syscall_n32.tbl   |   1 +
> >  arch/mips/kernel/syscalls/syscall_n64.tbl   |   1 +
> >  arch/mips/kernel/syscalls/syscall_o32.tbl   |   1 +
> >  arch/parisc/kernel/syscalls/syscall.tbl     |   1 +
> >  arch/powerpc/kernel/syscalls/syscall.tbl    |   1 +
> >  arch/s390/kernel/syscalls/syscall.tbl       |   1 +
> >  arch/sh/kernel/syscalls/syscall.tbl         |   1 +
> >  arch/sparc/kernel/syscalls/syscall.tbl      |   1 +
> >  arch/x86/entry/syscalls/syscall_32.tbl      |   1 +
> >  arch/x86/entry/syscalls/syscall_64.tbl      |   1 +
> >  arch/xtensa/kernel/syscalls/syscall.tbl     |   1 +
> >  fs/proc/task_mmu.c                          |   3 +
> >  include/linux/mm.h                          |   5 +
> >  include/linux/syscalls.h                    |   1 +
> >  include/uapi/asm-generic/unistd.h           |   5 +-
> >  kernel/sys_ni.c                             |   1 +
> >  mm/Makefile                                 |   4 +
> >  mm/internal.h                               |  32 ++
> >  mm/madvise.c                                |  12 +
> >  mm/mmap.c                                   |  31 +-
> >  mm/mprotect.c                               |  10 +
> >  mm/mremap.c                                 |  31 ++
> >  mm/mseal.c                                  | 315 ++++++++++++++++++++
> >  30 files changed, 467 insertions(+), 3 deletions(-)
> >  create mode 100644 mm/mseal.c
> >
>
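The cover letter's test plan relies on the upstream mseal_test selftest. For anyone checking whether a 6.8 kernel actually carries the backport, the following probe is an added example, not code from the patch series, from Chrome or from glibc. It builds a RELRO-like read-only region, seals it, and then confirms that mprotect, munmap, mremap and a MAP_FIXED overlay are all refused with EPERM and that the contents survive, which is the guarantee the mseal documentation [1] gives for any sealed VMA. It also probes madvise(MADV_DONTNEED) on the sealed read-only page, the case the fourth patch (is_madv_discard) concerns, but reports that result separately. The only assumption is the fallback syscall number 462, which is the asm-generic and x86_64 number and is used only when the installed headers predate mseal; on a kernel or sandbox without the syscall the probe reports "unsupported" rather than failing.

```c
/* Probe mseal(2) on the running kernel. Added example, not from the patch series. */
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/syscall.h>
#include <unistd.h>

/* Fallback for toolchains whose headers predate mseal (assumption: 462 is the
 * asm-generic/x86_64 number; on arches with their own numbering, e.g. alpha,
 * the kernel headers must supply __NR_mseal themselves). */
#ifndef __NR_mseal
#define __NR_mseal 462
#endif

/* Bit flags describing what the kernel refused once the mapping was sealed. */
enum {
    SEAL_BLOCKED_MPROTECT = 1 << 0,
    SEAL_BLOCKED_MUNMAP   = 1 << 1,
    SEAL_BLOCKED_MREMAP   = 1 << 2,
    SEAL_BLOCKED_MAPFIXED = 1 << 3,
    SEAL_BLOCKED_MADVISE  = 1 << 4,  /* MADV_DONTNEED on sealed RO anon memory */
    SEAL_DATA_INTACT      = 1 << 5,
};

/* What the mseal documentation guarantees for every sealed VMA. */
#define SEAL_REQUIRED (SEAL_BLOCKED_MPROTECT | SEAL_BLOCKED_MUNMAP | \
                       SEAL_BLOCKED_MREMAP | SEAL_BLOCKED_MAPFIXED | SEAL_DATA_INTACT)

static long sys_mseal(void *addr, size_t len, unsigned long flags)
{
    return syscall(__NR_mseal, addr, len, flags);
}

/* Returns 1 if mseal(2) is wired up and permitted, 0 otherwise (ENOSYS: kernel
 * lacks the syscall; EPERM/EACCES: a seccomp filter denies it). The probe page
 * is deliberately leaked on success: a sealed mapping cannot be unmapped. */
static int mseal_supported(void)
{
    size_t pg = (size_t)sysconf(_SC_PAGESIZE);
    void *p = mmap(NULL, pg, PROT_READ, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED)
        return 0;
    if (sys_mseal(p, pg, 0) == 0)
        return 1;
    munmap(p, pg);
    return 0;
}

/* Seals a two-page RELRO-like region and returns the SEAL_* bits observed.
 * Returns 0 if the region could not be set up or sealed. */
static int seal_demo(void)
{
    size_t pg = (size_t)sysconf(_SC_PAGESIZE);
    int result = 0;

    /* Stage 1: fill the region, then drop write permission like RELRO does. */
    unsigned char *p = mmap(NULL, 2 * pg, PROT_READ | PROT_WRITE,
                            MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED)
        return 0;
    memset(p, 0xA5, 2 * pg);
    if (mprotect(p, 2 * pg, PROT_READ) != 0)
        return 0;

    /* Stage 2: seal. flags must be 0, addr page-aligned, range fully mapped. */
    if (sys_mseal(p, 2 * pg, 0) != 0)
        return 0;

    /* Stage 3: every way of regaining write access or removing the mapping
     * must now fail with EPERM, even on a sub-range of the sealed VMA. */
    if (mprotect(p, pg, PROT_READ | PROT_WRITE) == -1 && errno == EPERM)
        result |= SEAL_BLOCKED_MPROTECT;
    if (munmap(p + pg, pg) == -1 && errno == EPERM)
        result |= SEAL_BLOCKED_MUNMAP;
    if (mremap(p, 2 * pg, pg, 0) == MAP_FAILED && errno == EPERM)
        result |= SEAL_BLOCKED_MREMAP;
    if (mmap(p, pg, PROT_READ | PROT_WRITE,
             MAP_PRIVATE | MAP_ANONYMOUS | MAP_FIXED, -1, 0) == MAP_FAILED &&
        errno == EPERM)
        result |= SEAL_BLOCKED_MAPFIXED;
    /* Probe the discard case on the second page only, so a kernel that allows
     * it cannot disturb the integrity check on the first page. */
    if (madvise(p + pg, pg, MADV_DONTNEED) == -1 && errno == EPERM)
        result |= SEAL_BLOCKED_MADVISE;

    /* Stage 4: the first page must still hold the original bytes. */
    int intact = 1;
    for (size_t i = 0; i < pg; i++)
        if (p[i] != 0xA5) { intact = 0; break; }
    if (intact)
        result |= SEAL_DATA_INTACT;
    return result;
}

int main(void)
{
    if (!mseal_supported()) {
        puts("mseal: unsupported on this kernel (or denied by seccomp)");
        return 0;
    }
    int r = seal_demo();
    printf("mseal: required guarantees %s (bits 0x%02x, madvise DONTNEED %s)\n",
           (r & SEAL_REQUIRED) == SEAL_REQUIRED ? "hold" : "VIOLATED", r,
           (r & SEAL_BLOCKED_MADVISE) ? "blocked" : "allowed");
    return (r & SEAL_REQUIRED) == SEAL_REQUIRED ? 0 : 1;
}
```

On a 6.8 kernel without the backport the probe prints "unsupported", since the syscall returns ENOSYS; with the backport, or on 6.10 and later, all required bits should be set. Note that once sealed, the region can never be unmapped for the life of the process, which is exactly why the cover letter describes sealing as a tool for long-lived mappings such as .text, .rodata and RELRO.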


