Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1754067AbbGISde (ORCPT ); Thu, 9 Jul 2015 14:33:34 -0400 Received: from mail-la0-f42.google.com ([209.85.215.42]:36479 "EHLO mail-la0-f42.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1753979AbbGISd0 (ORCPT ); Thu, 9 Jul 2015 14:33:26 -0400 MIME-Version: 1.0 In-Reply-To: <20150709055917.GA30478@gmail.com> References: <23d4709cee2fe92c32d41b99c7a3c1823725925a.1436312944.git.luto@kernel.org> <559C8BFE.6050604@linux.intel.com> <20150709055225.GA29556@gmail.com> <20150709055917.GA30478@gmail.com> From: Andy Lutomirski Date: Thu, 9 Jul 2015 11:33:05 -0700 Message-ID: Subject: Re: [PATCH] x86/kconfig/32: Mark CONFIG_VM86 as BROKEN To: Ingo Molnar , Paolo Bonzini Cc: Brian Gerst , Linus Torvalds , Arjan van de Ven , Andy Lutomirski , "the arch/x86 maintainers" , Linux Kernel Mailing List , Oleg Nesterov , Kees Cook , Peter Zijlstra , Borislav Petkov Content-Type: text/plain; charset=UTF-8 Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Length: 3065 Lines: 64 On Wed, Jul 8, 2015 at 10:59 PM, Ingo Molnar wrote: > > * Ingo Molnar wrote: > >> > Without something like that, we'll be in the awkward position of having some >> > of the selectors (DS, ES, FS, and GS) in both the normal pt_regs slot and in >> > the extended hardware frame during execution of normal vm86-unaware kernel >> > code. If, on the other hand, we copied the selectors across in >> > enter_from_user_mode and prepare_return_from_usermode, then pt_regs would work >> > normally even for tasks that are running in v8086 mode. >> > >> > regs->flags & X86_EFLAGS_VM will be true regardless, so all of the asm that >> > decides to invoke those helpers should work fine. >> >> Btw., has anyone considered an entirely different approach: using KVM's >> instruction emulator to emulate vm86 16-bit code execution? Basically the vm86 >> system call would be kept compatible, but fully emulated, the CPU never enters >> true 16-bit mode, just iterates pt_regs as if it had. >> >> This approach has four main advantages: >> >> - we could remove the fragile vm86 code from the entry code >> >> - it might even be faster for certain workloads than faulting in and out all >> the time and using ancient, fragile hardware mode of the CPU. (For example it >> could detect the VGA screen write patterns and accelerate them.) >> >> - it could be made to work on 64-bit as well, FWIIW >> >> - it would provide another angle of testing for the KVM emulator > > So there's a fifth advantage as well that I think needs to be stressed: > > - it's an _obviously_ much more secure design, as we only iterate user-space > pt_regs and never truly touch any security relevant CPU state. The whole > nested pt_regs and different hw frame entry complications would go away > entirely. All CPU semantics would not be just assumed implicitly, but would > be very much present in the CPU emulator and would be reviewable. > Hmm. If we did this, I think I'd prefer a slightly more general approach. First teach KVM to support a mode in which it's purely an emulator (Paolo: how hard is this? It would also make testing the emulator much easier). Then re-implement vm86 on top of that. The big downside of that, or of writing a more ad-hoc emulator, is understanding what the semantics of all the weird vm86plus stuff is supposed to be in the first place. It's completely undocumented and it's not at all obvious what it's all supposed to do. This sounds like a fairly large project. I think I'd rather get all the distros to turn vm86 off and let it slowly die in a dark corner. After all, dosemu and vbetool both already contain emulators that seem to work, and dosbox (which is, by all reports, better than dosemu) never used vm86 in the first place. --Andy -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/