arch/x86/pti.rst

1 .. SPDX-License-Identifier: GPL-2.0
14 To mitigate this class of attacks, we create an independent set of
27 This approach helps to ensure that side-channel attacks leveraging
30 time.  Once enabled at compile-time, it can be disabled at boot with
31 the 'nopti' or 'pti=' kernel parameters (see kernel-parameters.txt).
37 The first set is very similar to the single set which is present in
43 that any missed kernel->user CR3 switch will immediately crash
49 each CPU's copy of the area a compile-time-fixed virtual address.
58 layers of the page tables.  This leaves a single, shared set of
59 userspace page tables to manage.  One PTE to lock, one set of
65 Protection against side-channel attacks is important.  But,
70   a. Each process now needs an order-1 PGD instead of order-0.
84   b. Percpu TSS is mapped into the user page tables to allow SYSCALL64 path
104      are created by copying top-level (PGD) entries into each
109   f. In addition to the fork()-time copying, there must also
110      be an update to the userspace PGD any time a set_pgd() is done
117   h. INVPCID is a TLB-flushing instruction which allows flushing
118      of TLB entries for non-current PCIDs.  Some systems support
122      single kernel address flush will require a TLB-flushing CR3
129 2. Allow PTI to be enabled/disabled at runtime in addition to the
130    boot-time switching.
138 1. Set CONFIG_DEBUG_ENTRY=y
145    frequent performance monitoring non-maskable interrupts (see "NMI"
148    interrupted, including nested NMIs.  Using "-c" boosts the rate of
149    NMIs, and using two -c with separate counters encourages nested NMIs
153 	while true; do perf record -c 10000 -e instructions,cycles -a sleep 10; done
156 5. Run 32-bit binaries on systems supporting the SYSCALL instruction.
157    This has been a lightly-tested code path and needs extra scrutiny.
184    faults upon page faults.  Caused by touching non-pti-mapped
186    CR3 before calling into C functions which are not pti-mapped.