[SRU][PATCH 0/4] Backport mseal to ubuntu 24.04 LTS kernel 6.8.y
Jeff Xu
jeffxu at chromium.org
Fri Jan 24 22:12:06 UTC 2025
On Wed, Jan 22, 2025 at 9:09 AM Jeff Xu <jeffxu at chromium.org> wrote:
>
> Hi Juerg
>
> On Wed, Jan 22, 2025 at 7:20 AM Juerg Haefliger
> <juerg.haefliger at canonical.com> wrote:
> >
> > Hi Jeff,
> >
> >
> > > From: Jeff Xu <jeffxu at chromium.org>
> > >
> > > https://bugs.launchpad.net/ubuntu/+source/linux/+bug/2089711
> > >
> > > [ Impact ]
> > >
> > > My name is Jeff Xu, I work with Stephen Röttger on hardening the chrome
> > > browser. I'm reaching out to explore the possibility of backporting memory
> > > sealing into the 22.04 LTS kernel.
> > >
> > > For context, it is worth noting that the kernel introduced mseal support in
> > > version 6.10 [1]. The Chrome V8 engine will utilize the memory sealing
> > > function to protect its JIT compiler from memory corruption vulnerabilities.
> > > The change is merged in Chrome, and we believe that Ubuntu users would benefit
> > > from using this safer version of Chrome. In addition, Chrome uses Ubuntu LTS
> > > extensively for testing, which makes Ubuntu one of the first systems to have
> > > this enhanced security of Chrome.
> > >
> > > glibc's dynamic linker is adding mseal to seal RO mappings such
> > > as .text, .rodata, .relro [2]; the integration test is completed.
> > >
> > > The backport work includes 4 commits, and is based on 6.8.12 kernel.
> > >
> > > ChromeOS and Android GKI both have mseal backported to
> > > the 6.6 kernel [3] [4] [5] [6].
> > >
> > > Thank you for your time and consideration.
> > > Best regards,
> > > Jeff
> > >
> > > [1] https://docs.kernel.org/userspace-api/mseal.html
> > > [2] https://sourceware.org/pipermail/libc-alpha/2024-September/160291.html
> > > [3] https://chromium-review.googlesource.com/c/chromiumos/third_party/kernel/+/5595211/4
> > > [4] https://chromium-review.googlesource.com/c/chromiumos/third_party/kernel/+/5595853/4
> > > [5] https://chromium-review.googlesource.com/c/chromiumos/third_party/kernel/+/5742931
> > > [6] https://chromium-review.googlesource.com/c/chromiumos/third_party/kernel/+/5802772
> > >
> > > [ Test Plan ]
> > > The test is performed by running the selftest (mseal_test) on the 6.8 kernel with the backport.
> > > I didn't include the selftest as part of the backport because there are many revisions of the tests,
> > > and I believe it is unnecessary to backport those.
> > >
> > > [ Where problems could occur ]
> > > This is not a bug; backporting this will enable the Chrome browser's security enhancement.
> > >
> > > [ Other Info ]
> > > None.
> >
> > Thanks for this. I'm not sure though. glibc in Noble is too old so only
> > chrome would benefit, correct? Given that the 6.11 HWE kernel should have
> > mseal support, I'm hesitant to entertain a backport to 6.8. We typically
> > don't backport new features. I haven't looked at how intrusive this backport
> > even is. We're having an internal discussion.
> >
> When will the next Ubuntu LTS version be released? Is that based on 6.11?
>
IIUC, Chrome will be happy with any LTS version that has a 6.6 kernel or
higher (Stephen Röttger can clarify in case I'm wrong); if there is
an Ubuntu LTS version that meets this soon, the backport is not
needed.
> Thanks
> -Jeff
>
>
> > ...Juerg
> >
> >
> > >
> > >
> > > Jeff Xu (3):
> > > mseal: wire up mseal syscall
> > > mseal: add mseal syscall
> > > /proc/pid/smaps: add mseal info for vma
> > >
> > > Pedro Falcato (1):
> > > mseal: fix is_madv_discard()
> > >
> > > Documentation/filesystems/proc.rst | 1 +
> > > arch/alpha/kernel/syscalls/syscall.tbl | 1 +
> > > arch/arm/tools/syscall.tbl | 1 +
> > > arch/arm64/include/asm/unistd.h | 2 +-
> > > arch/arm64/include/asm/unistd32.h | 2 +
> > > arch/m68k/kernel/syscalls/syscall.tbl | 1 +
> > > arch/microblaze/kernel/syscalls/syscall.tbl | 1 +
> > > arch/mips/kernel/syscalls/syscall_n32.tbl | 1 +
> > > arch/mips/kernel/syscalls/syscall_n64.tbl | 1 +
> > > arch/mips/kernel/syscalls/syscall_o32.tbl | 1 +
> > > arch/parisc/kernel/syscalls/syscall.tbl | 1 +
> > > arch/powerpc/kernel/syscalls/syscall.tbl | 1 +
> > > arch/s390/kernel/syscalls/syscall.tbl | 1 +
> > > arch/sh/kernel/syscalls/syscall.tbl | 1 +
> > > arch/sparc/kernel/syscalls/syscall.tbl | 1 +
> > > arch/x86/entry/syscalls/syscall_32.tbl | 1 +
> > > arch/x86/entry/syscalls/syscall_64.tbl | 1 +
> > > arch/xtensa/kernel/syscalls/syscall.tbl | 1 +
> > > fs/proc/task_mmu.c | 3 +
> > > include/linux/mm.h | 5 +
> > > include/linux/syscalls.h | 1 +
> > > include/uapi/asm-generic/unistd.h | 5 +-
> > > kernel/sys_ni.c | 1 +
> > > mm/Makefile | 4 +
> > > mm/internal.h | 32 ++
> > > mm/madvise.c | 12 +
> > > mm/mmap.c | 31 +-
> > > mm/mprotect.c | 10 +
> > > mm/mremap.c | 31 ++
> > > mm/mseal.c | 315 ++++++++++++++++++++
> > > 30 files changed, 467 insertions(+), 3 deletions(-)
> > > create mode 100644 mm/mseal.c
> > >
> >
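The thread discusses mseal(2) as a hardening primitive for V8's JIT region and for glibc's read-only mappings, and the test plan relies on the kernel's own mseal_test selftest. The following is an added example, not code from the thread, the kernel tree, or Chrome: a small userspace probe that tells you whether the running kernel actually has mseal wired up and, if so, checks the guarantees the syscall is supposed to give (a sealed mapping can no longer be re-protected, replaced with mmap(MAP_FIXED), or unmapped). It assumes syscall number 462 when the installed headers are too old to define __NR_mseal, which is the number upstream assigned in the arch tables and asm-generic/unistd.h; the function and enum names are the example's own. On a stock 6.8 kernel without the backport the probe reports MSEAL_UNSUPPORTED (ENOSYS); after the backport it should report MSEAL_ENFORCED.

```c
// Added example (not part of the mailing-list thread or the kernel patch set):
// probe whether mseal(2) exists on the running kernel and whether it enforces
// what the documentation promises for a sealed VMA.
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <sys/mman.h>
#include <sys/syscall.h>
#include <unistd.h>

/* Assumption: 462 is the mseal syscall number from the upstream tables
 * (x86_64, arm64 and asm-generic all use it). Headers shipped with an
 * older kernel (e.g. 6.8 userspace) will not define __NR_mseal. */
#ifndef __NR_mseal
#define __NR_mseal 462
#endif

/* Go through syscall(2) rather than a libc wrapper so the probe builds
 * against any glibc, including ones that predate mseal. */
static int do_mseal(void *addr, size_t len, unsigned long flags)
{
    return (int)syscall(__NR_mseal, addr, len, flags);
}

enum mseal_probe {
    MSEAL_BROKEN      = -1, /* mseal() "succeeded" but did not block a modification */
    MSEAL_ENFORCED    = 0,  /* sealed; mprotect/mmap(MAP_FIXED)/munmap all got EPERM */
    MSEAL_UNSUPPORTED = 1,  /* ENOSYS: kernel has no mseal (e.g. stock 6.8) */
    MSEAL_FILTERED    = 2   /* EPERM from mseal() itself, e.g. a seccomp policy */
};

/* Map one read-only page, seal it, then attempt the three operations an
 * attacker with a memory-corruption primitive would use against a JIT
 * region or RELRO segment. Each must fail with EPERM once sealed. */
int probe_mseal(void)
{
    long pg = sysconf(_SC_PAGESIZE);
    void *p = mmap(NULL, (size_t)pg, PROT_READ,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED)
        return MSEAL_BROKEN;

    if (do_mseal(p, (size_t)pg, 0) != 0) {
        int e = errno;
        munmap(p, (size_t)pg);
        if (e == ENOSYS)
            return MSEAL_UNSUPPORTED;
        if (e == EPERM)
            return MSEAL_FILTERED;
        return MSEAL_BROKEN;
    }

    int rc = MSEAL_ENFORCED;

    /* 1. Flip the page writable: the classic W^X bypass. Must be refused. */
    if (mprotect(p, (size_t)pg, PROT_READ | PROT_WRITE) == 0 || errno != EPERM)
        rc = MSEAL_BROKEN;

    /* 2. Replace the mapping in place with a writable one. Must be refused. */
    void *q = mmap(p, (size_t)pg, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS | MAP_FIXED, -1, 0);
    if (q != MAP_FAILED || errno != EPERM)
        rc = MSEAL_BROKEN;

    /* 3. Unmap it so the hole can be refilled later. Must be refused; a
     *    sealed mapping lives until the process exits. */
    if (munmap(p, (size_t)pg) == 0 || errno != EPERM)
        rc = MSEAL_BROKEN;

    /* 4. Sealing an already sealed range is a no-op that still succeeds. */
    if (do_mseal(p, (size_t)pg, 0) != 0)
        rc = MSEAL_BROKEN;

    return rc;
}

int main(void)
{
    static const char *names[] = { "enforced", "unsupported (ENOSYS)",
                                   "filtered (EPERM from mseal)" };
    int rc = probe_mseal();
    if (rc < 0)
        puts("mseal: BROKEN, a sealed mapping was still modifiable");
    else
        printf("mseal: %s\n", names[rc]);
    return rc < 0 ? 1 : 0;
}
```

Running this on the 6.8 kernel before and after applying the series is a quicker smoke test than building the selftests tree: before, it reports ENOSYS; after, it should report "enforced". Any other outcome on a kernel that claims mseal support is worth a closer look at mm/mmap.c and mm/mprotect.c, since those are the paths the backport touches.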