A new set of vulnerabilities was disclosed recently. As part of mitigating "Meltdown", the kernel gained a new feature called Kernel Page Table Isolation (KPTI). This was a big change to land late in the typical kernel development cycle, but it provides important protection at some performance cost. Updated kernels for supported versions of Fedora contain the KPTI patches. This article gives a high level overview of how KPTI works.
Modern desktop processors offer different privilege levels for running code (on x86, ring 0 and ring 3). The kernel runs at the most privileged level ("kernel space") since it needs to access all of the hardware. Almost all other software runs at a lower privilege level ("user space") and makes system calls into the kernel whenever it needs privileged data or hardware access.
Modern desktop processors also support virtual memory. The kernel sets up page tables that control the mapping between each virtual address and a physical address. The same page tables separate kernel and user memory: each page-table entry carries a permission bit that marks a page as supervisor-only, so a page mapped for the kernel is not accessible from userspace, while the kernel can typically access user space pages.
Walking the page tables to translate an address is expensive, so the hardware caches recent translations in a translation lookaside buffer (TLB). Sometimes stale translations have to be discarded ("flushing the TLB"), but that is costly, and kernel code is written to do it as rarely as possible. One long-standing trick is to keep the kernel mapped in every process's address space, even while user code is running. The page table permissions stop userspace from touching those kernel mappings, but a system call or interrupt can switch into the kernel without changing page tables or flushing the TLB, since the kernel's mappings are already there.
The Meltdown exploit and how KPTI mitigates it
The Meltdown attack demonstrated that having the kernel mapped in every process is risky. Modern processors execute instructions out of order and speculatively so that they run as fast as possible; exactly what gets executed ahead of time depends on the CPU implementation. When a userspace program reads a kernel address, the access fails the page-table permission check, the program takes a fault and typically crashes. On affected CPUs, however, the load is carried out and its result is forwarded to the instructions that follow before the permission check takes effect. Those instructions are thrown away once the fault is raised, so the program never sees the value directly. What they leave behind is a change in the CPU cache. The Meltdown researchers used the stolen byte as an index into a buffer the attacker controls, so that exactly one cache line of that buffer gets loaded, and then timed accesses to every line of the buffer afterwards: the one that answers quickly reveals the byte. Measuring timing rather than reading the data is what makes this a side-channel attack (this particular cache technique is known as Flush+Reload). The KPTI patches rework how the page tables are set up so that, while userspace runs, the kernel is no longer mapped at all apart from the small amount of code and data needed to enter and leave it. An address that is not mapped has no data to be loaded speculatively, so the leak is closed.
Turning this primitive into an attack that reliably recovers useful data from a given system still takes engineering effort, but proof-of-concept code was public within days of the disclosure, so the KPTI patches were merged to close the hole. The cost of no longer keeping the kernel mapped is that every entry into and exit from the kernel now switches page tables; without PCID support that also flushes the TLB each time, which is where most of the performance penalty comes from (on processors with PCID, which the 4.14 kernel can use, the penalty is smaller). Fedora enables KPTI by default, and the kernel turns it on only on processors it identifies as affected (AMD processors, for example, are not affected by Meltdown and run without it). Users who would rather have the performance back can pass "nopti" (or "pti=off") on the kernel command line, at the cost of exposing kernel memory to any local process. Whether KPTI is active on a running system can be checked in /sys/devices/system/cpu/vulnerabilities/meltdown, which reports "Mitigation: PTI", in the "pti" flag in /proc/cpuinfo, or in the boot messages, which include "Kernel/User page tables isolation: enabled".
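As an added example, not code from the original article or from Fedora, the following C program checks those three interfaces on the machine it runs on and tells you whether the boot command line has switched KPTI off. The parsing is kept in separate functions so it can be exercised on constructed sample text; the status strings it recognises ("Mitigation: PTI", "Not affected", "Vulnerable") are the ones the kernel's sysfs file uses, and the sample lines in the comments are made up for illustration.

```c
/* Added example; not code from the original article. Reports whether KPTI
 * is active using the interfaces the kernel exposes:
 *   /sys/devices/system/cpu/vulnerabilities/meltdown   ("Mitigation: PTI")
 *   /proc/cpuinfo                                      ("pti" in flags)
 *   /proc/cmdline                                      ("nopti"/"pti=off")
 * Build: cc kpti_status.c -o kpti_status */
#include <stdio.h>
#include <string.h>

enum pti_state { PTI_UNKNOWN = 0, PTI_ENABLED, PTI_VULNERABLE, PTI_NOT_AFFECTED };

/* Classify one line read from .../vulnerabilities/meltdown. */
enum pti_state classify_meltdown_status(const char *line)
{
    if (strncmp(line, "Mitigation: PTI", 15) == 0) return PTI_ENABLED;
    if (strncmp(line, "Not affected", 12) == 0)    return PTI_NOT_AFFECTED;
    if (strncmp(line, "Vulnerable", 10) == 0)      return PTI_VULNERABLE;
    return PTI_UNKNOWN;
}

/* 1 if tok occurs in s as a whole whitespace-delimited word, so that
 * "pti=on" does not count as the flag "pti". */
static int has_token(const char *s, const char *tok)
{
    size_t n = strlen(tok);
    for (const char *p = strstr(s, tok); p; p = strstr(p + 1, tok)) {
        int at_start = (p == s) || strchr(" \t\n", p[-1]) != NULL;
        int at_end = p[n] == '\0' || strchr(" \t\n", p[n]) != NULL;
        if (at_start && at_end) return 1;
    }
    return 0;
}

/* 1 if the kernel command line (e.g. a constructed sample such as
 * "BOOT_IMAGE=/vmlinuz root=/dev/sda1 ro quiet nopti") disables PTI. */
int cmdline_disables_pti(const char *cmdline)
{
    return has_token(cmdline, "nopti") || has_token(cmdline, "pti=off");
}

/* 1 if a /proc/cpuinfo "flags" line lists the pti feature. */
int cpuinfo_has_pti_flag(const char *flags_line)
{
    return has_token(flags_line, "pti");
}

static int read_first_line(const char *path, char *out, size_t n)
{
    FILE *f = fopen(path, "r");
    if (!f) return 0;
    int ok = fgets(out, (int)n, f) != NULL;
    fclose(f);
    return ok;
}

/* Copy the first "flags" line of /proc/cpuinfo into out. */
static int read_cpu_flags(char *out, size_t n)
{
    FILE *f = fopen("/proc/cpuinfo", "r");
    if (!f) return 0;
    int ok = 0;
    while (fgets(out, (int)n, f))
        if (strncmp(out, "flags", 5) == 0) { ok = 1; break; }
    fclose(f);
    return ok;
}

int main(void)
{
    static char line[8192];
    static const char *names[] = { "unknown", "mitigated by PTI",
                                   "vulnerable (PTI off)", "not affected" };

    if (read_first_line("/sys/devices/system/cpu/vulnerabilities/meltdown",
                        line, sizeof line))
        printf("meltdown status: %s -> %s\n", strtok(line, "\n"),
               names[classify_meltdown_status(line)]);
    else
        puts("this kernel does not expose vulnerabilities/meltdown");

    if (read_first_line("/proc/cmdline", line, sizeof line))
        printf("boot command line disables PTI: %s\n",
               cmdline_disables_pti(line) ? "yes" : "no");

    if (read_cpu_flags(line, sizeof line))
        printf("cpuinfo pti flag: %s\n",
               cpuinfo_has_pti_flag(line) ? "present" : "absent");
    return 0;
}
```

A "Vulnerable" status with "nopti" on the command line is the configuration the article describes as trading protection for performance; "Not affected" means the kernel decided this processor does not need KPTI, so the flag will be absent even though nothing was disabled.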