Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S932949AbeAJHZO (ORCPT <rfc822;ralf@linux-mips.org> + 1 other);
        Wed, 10 Jan 2018 02:25:14 -0500
Received: from mail-wr0-f195.google.com ([209.85.128.195]:42399 "EHLO
        mail-wr0-f195.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S932618AbeAJHZM (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Wed, 10 Jan 2018 02:25:12 -0500
X-Google-Smtp-Source: ACJfBouOYYHFgG/wy7jJguYKWuq9IxObmkmZV/QefFS9dFSWF2FSMfxuXkFJfMXy0Lv/2MfZoswOTQ==
Date: Wed, 10 Jan 2018 08:25:08 +0100
From: Ingo Molnar <mingo@kernel.org>
To: Borislav Petkov <bp@alien8.de>
Cc: Andy Lutomirski <luto@kernel.org>, Willy Tarreau <w@1wt.eu>,
        LKML <linux-kernel@vger.kernel.org>, X86 ML <x86@kernel.org>,
        Brian Gerst <brgerst@gmail.com>,
        Dave Hansen <dave.hansen@linux.intel.com>,
        Linus Torvalds <torvalds@linux-foundation.org>,
        Peter Zijlstra <peterz@infradead.org>,
        Thomas Gleixner <tglx@linutronix.de>,
        Josh Poimboeuf <jpoimboe@redhat.com>,
        "H. Peter Anvin" <hpa@zytor.com>, Kees Cook <keescook@chromium.org>
Subject: Re: [RFC PATCH v2 2/6] x86/arch_prctl: add ARCH_GET_NOPTI and
 ARCH_SET_NOPTI to enable/disable PTI
Message-ID: <20180110072508.rhrhnwktbl7g5oxm@gmail.com>
References: <1515502580-12261-1-git-send-email-w@1wt.eu>
 <1515502580-12261-3-git-send-email-w@1wt.eu>
 <20180109141713.ngqrf6weyiy2q3in@pd.tnic>
 <20180109143653.GA12976@1wt.eu>
 <20180109145157.5ltqbz4o5sqkcggb@pd.tnic>
 <20180109145422.GD12976@1wt.eu>
 <CALCETrU_Qt+0k4GO2qp=9D7h5czp0QkY=D9Y4AUfs9yzpNHswQ@mail.gmail.com>
 <20180109212940.ffvqb6wmehmxre4i@pd.tnic>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20180109212940.ffvqb6wmehmxre4i@pd.tnic>
User-Agent: NeoMutt/20170609 (1.8.3)
Sender: linux-kernel-owner@vger.kernel.org
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>


* Borislav Petkov <bp@alien8.de> wrote:

> On Tue, Jan 09, 2018 at 01:26:57PM -0800, Andy Lutomirski wrote:
> > 2.Turning off PTI is, in general, a terrible idea.  It totally breaks
> > any semblance of a security model on a Meltdown-affected CPU.  So I
> > think we should require CAP_SYS_RAWIO *and* that the system is booted
> > with pti=allow_optout or something like that.
> 
> Uhh, I like that.
> 
> Maybe also taint the kernel ...

Tainting the kernel is really a bad idea: a CAP_SYS_RAWIO user _already_ has the 
privilege to directly write to the hardware. The binary makes use of that 
privilege to allow execution of ring 3 code that has the theoretical ability to 
_read_ kernel memory.

Unless we plan on tainting all uses of /dev/mem as well this is totally over the 
top.

We could taint the kernel and warn prominently in the syslog when PTI is disabled 
globally on the boot line though, if running on affected CPUs.

Something like:

 "x86/intel: Page Table Isolation (PTI) is disabled globally. This allows unprivileged, untrusted code to exploit the Meltdown CPU bug to read kernel data."

Thanks,

	Ingo