| author | Lai Jiangshan <jiangshan.ljs@antfin.com> | 2020-03-26 09:23:23 +0000 |
|---|---|---|
| committer | Lai Jiangshan <laijs@linux.alibaba.com> | 2020-08-06 21:31:51 +0800 |
| commit | 9cae407b270b20ff78370d33602191d37ddf5530 (patch) | |
| tree | 10eab7c5ead6e54bc2a5bc50bd40e581ec1bcb94 /pkg/sentry/platform/ring0/x86.go | |
| parent | 6ce10c3c2ff516aabdef8b4d198690e7e7a87ca4 (diff) | |
amd64: implement KPTI for gvisor
Actually, gvisor has KPTI (Kernel PageTable Isolation) between
gr0 and gr3. But the upper half of the userCR3 contains the
whole sentry kernel which makes the kernel vulnerable to
gr3 APP through CPU bugs.
This patch implements full KPTI functionality for gvisor. It doesn't
map the whole kernel in the upper. It maps only the text section
of the binary and the entry area required by the ISA. The entry area
contains the global idt, the percpu gdt/tss etc. The entry area
packs all these together which is less than 350k for 512 vCPUs.
The text section is normally nonsensitive. It is possible to
map only the entry functions (interrupt handler etc.).
But it requires some hacks.
Signed-off-by: Lai Jiangshan <jiangshan.ljs@antfin.com>
Signed-off-by: Lai Jiangshan <laijs@linux.alibaba.com>
Diffstat (limited to 'pkg/sentry/platform/ring0/x86.go')
-rw-r--r-- | pkg/sentry/platform/ring0/x86.go | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/pkg/sentry/platform/ring0/x86.go b/pkg/sentry/platform/ring0/x86.go index 9da0ea685..e99da0b35 100644 --- a/pkg/sentry/platform/ring0/x86.go +++ b/pkg/sentry/platform/ring0/x86.go @@ -104,7 +104,7 @@ const ( VirtualizationException SecurityException = 0x1e SyscallInt80 = 0x80 - _NR_INTERRUPTS = SyscallInt80 + 1 + _NR_INTERRUPTS = 0x100 ) // System call vectors. |
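Review bot: the replacement `_NR_INTERRUPTS = 0x100` in the `const (` block of x86.go is a bare magic number with no comment, where the old definition `SyscallInt80 + 1` documented itself; since the commit message says the entry area now packs the global IDT, add a one-line comment stating that all 256 architectural vectors are reserved rather than stopping one past SyscallInt80. Note that this grows from 0x81 to 0x100 entries anywhere `_NR_INTERRUPTS` sizes an array or an entry-area layout, which is not visible in this one-line diffstat (1 insertion, 1 deletion) and should be checked against the "less than 350k for 512 vCPUs" entry-area budget the message cites.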