Date: Mon, 8 Jan 2018 18:05:31 +0100
From: Ingo Molnar
To: Willy Tarreau
Cc: linux-kernel@vger.kernel.org, x86@kernel.org, tglx@linutronix.de, gnomes@lxorguk.ukuu.org.uk, torvalds@linux-foundation.org, Peter Zijlstra, Borislav Petkov, Josh Poimboeuf, Andy Lutomirski, Dave Hansen
Subject: Re: [PATCH RFC 2/4] x86/arch_prctl: add ARCH_GET_NOPTI and ARCH_SET_NOPTI to enable/disable PTI
Message-ID: <20180108170531.um2sb5wm6u4dc3rb@gmail.com>

(Expanded the Cc: list.)

* Willy Tarreau wrote:

> This allows to report the current state of the PTI protection and to
> enable or disable it for the current task.
>
> Signed-off-by: Willy Tarreau
> --- > arch/x86/include/uapi/asm/prctl.h | 3 +++ > arch/x86/kernel/process_64.c | 24 ++++++++++++++++++++++++ > 2 files changed, 27 insertions(+) > > diff --git a/arch/x86/include/uapi/asm/prctl.h b/arch/x86/include/uapi/asm/prctl.h > index 5a6aac9..1f1b5bc 100644 > --- a/arch/x86/include/uapi/asm/prctl.h > +++ b/arch/x86/include/uapi/asm/prctl.h 
> @@ -10,6 +10,9 @@ > #define ARCH_GET_CPUID 0x1011 > #define ARCH_SET_CPUID 0x1012 > > +#define ARCH_GET_NOPTI 0x1021 > +#define ARCH_SET_NOPTI 0x1022 > + > #define ARCH_MAP_VDSO_X32 0x2001 > #define ARCH_MAP_VDSO_32 0x2002 > #define ARCH_MAP_VDSO_64 0x2003 > diff --git a/arch/x86/kernel/process_64.c b/arch/x86/kernel/process_64.c > index c754662..1686d3d 100644 > --- a/arch/x86/kernel/process_64.c > +++ b/arch/x86/kernel/process_64.c > @@ -654,6 +654,30 @@ long do_arch_prctl_64(struct task_struct *task, int option, unsigned long arg2) > ret = put_user(base, (unsigned long __user *)arg2); > break; > } > + case ARCH_GET_NOPTI: { > + unsigned long flag; > + > + printk(KERN_DEBUG "get1: task=%p ti=%p fl=%16lx\n", task, task_thread_info(task), task_thread_info(task)->flags); > + flag = !!(task_thread_info(task)->flags & _TIF_NOPTI); > + ret = put_user(flag, (unsigned long __user *)arg2); > + break; > + } > + > + case ARCH_SET_NOPTI: > + if (!capable(CAP_SYS_RAWIO)) > + return -EPERM; > + > + printk(KERN_DEBUG "set1: task=%p ti=%p fl=%16lx doit=%d arg2=%ld\n", task, task_thread_info(task), task_thread_info(task)->flags, doit, arg2); > + > + if (doit) { > + if (arg2) > + task_thread_info(task)->flags |= _TIF_NOPTI; > + else > + task_thread_info(task)->flags &= ~_TIF_NOPTI; > + > + printk(KERN_DEBUG "set2: task=%p ti=%p fl=%16lx\n", task, task_thread_info(task), task_thread_info(task)->flags); > + } > + break;

Btw., we could enforce the CAP_SYS_RAWIO permission check only if it's _clearing_ the PTI flag. I.e. this would allow apps and runtime environments to opt into PTI, without having to rely on external security frameworks getting it right.

Note that there is somewhat of a fuzzy detail regarding AMD CPUs which are marked as 'Meltdown safe': should an explicit request to turn on PTI be honored by the kernel? Should that be some sort of separate 'force PTI on' attribute?

Thanks,

Ingo
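
Review bot: ARCH_GET_NOPTI and ARCH_SET_NOPTI in arch/x86/include/uapi/asm/prctl.h are new userspace ABI but carry no comment describing their arguments. The process_64.c side shows GET writing an unsigned long through the arg2 pointer and SET treating arg2 as a boolean behind a CAP_SYS_RAWIO check, with a nonzero value setting _TIF_NOPTI. A short comment above the two defines stating that, including that nonzero means PTI is turned off for the task, would keep callers from guessing the polarity of a "NOPTI" flag.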
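
Review bot: In the ARCH_SET_NOPTI case of do_arch_prctl_64(), the flag is changed with plain `task_thread_info(task)->flags |= _TIF_NOPTI` and `&= ~_TIF_NOPTI`, a non-atomic read-modify-write on a word whose other bits can be set from other contexts, so a concurrent update can be lost; the atomic thread-flag helpers (set_tsk_thread_flag() / clear_tsk_thread_flag() with the bit number) would avoid that. The three printk(KERN_DEBUG ...) calls log the task and thread_info pointers on every call and should be dropped before this leaves RFC. `doit` is used in the same case but is not declared anywhere in the hunk, so it is unclear from the visible lines what gates the update.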