Address-space isolation may well be, as Brendan Jackman said at the beginning of his memory-management-track session at the 2025 Linux Storage, Filesystem, Memory-Management, and BPF Summit, "some security bullshit". But it also holds the potential to protect the kernel from a wide range of vulnerabilities, both known and unknown, while reducing the impact of existing mitigations. Implementing address-space isolation with reasonable performance, though, is going to require some significant changes. Jackman was there to get feedback from the memory-management community on how those changes should be implemented.
The core idea behind address-space isolation (last covered here in March), he began, is to run as much kernel code as possible in an address space where sensitive data is unmapped, and thus invisible to speculative-execution vulnerabilities. It is like the kernel page-table isolation that was introduced in response to the Meltdown hardware vulnerability, but with a higher degree of protection. Kernel page-table isolation created a new address space with most of the kernel removed; the new work instead adds a restricted address space with holes in it, where only the sensitive data has been removed.
The address-space isolation patches are deployed on a significant subset of Google's fleet, he said. Their current (public) form can be seen in this patch set posted in January. This version adds protection from bare-metal attackers, while previous versions had only protected the kernel from virtual m