MIME-Version: 1.0
In-Reply-To: <a8b043b5-84a9-af92-ffcc-4b9c68f6917d@linux.intel.com>
References: <20180110082207.GX29822@worktop.programming.kicks-ass.net>
 <20180110091102.GH14066@1wt.eu> <CALCETrXQFL2sJPJe_Z8XLEo11V_tLyZR0y4PTRxJzrhmpdsuJg@mail.gmail.com>
 <CA+55aFwfSKNAYEFWCwCe2vSxejA3X85FnX9t1EdnCRUwC1ou1Q@mail.gmail.com>
 <20180111064259.GC14920@1wt.eu> <0f08d89e-61e1-20e3-5c59-0b2f7b32bf0c@linux.intel.com>
 <20180111154412.GA15296@1wt.eu> <af80ba81-f8bc-156e-a286-0825aa47f134@linux.intel.com>
 <CALCETrUxk83Oys18-VW7HO2+mPx8RzJxpud7BkYVnD9G=-t3ZQ@mail.gmail.com>
 <20180111182147.masunghp5km6igjq@ast-mbp.dhcp.thefacebook.com>
 <20180111183207.dah7imbuvuhvrrk6@treble> <a8b043b5-84a9-af92-ffcc-4b9c68f6917d@linux.intel.com>
From: Linus Torvalds <torvalds@linux-foundation.org>
Date: Thu, 11 Jan 2018 10:51:54 -0800
Message-ID: <CA+55aFyOnk1rd+iC_gvXpjzsv5JtJ_YXkFMukrn2WnZUS9mVmw@mail.gmail.com>
Subject: Re: [RFC PATCH v2 6/6] x86/entry/pti: don't switch PGD on when
 pti_disable is set
To: Dave Hansen <dave.hansen@linux.intel.com>
Cc: Josh Poimboeuf <jpoimboe@redhat.com>,
        Alexei Starovoitov <alexei.starovoitov@gmail.com>,
        Andy Lutomirski <luto@kernel.org>, Willy Tarreau <w@1wt.eu>,
        Peter Zijlstra <peterz@infradead.org>,
        LKML <linux-kernel@vger.kernel.org>, X86 ML <x86@kernel.org>,
        Borislav Petkov <bp@alien8.de>,
        Brian Gerst <brgerst@gmail.com>,
        Ingo Molnar <mingo@kernel.org>,
        Thomas Gleixner <tglx@linutronix.de>,
        "H. Peter Anvin" <hpa@zytor.com>,
        Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
        Kees Cook <keescook@chromium.org>
Content-Type: text/plain; charset="UTF-8"
Sender: linux-kernel-owner@vger.kernel.org

On Thu, Jan 11, 2018 at 10:38 AM, Dave Hansen
<dave.hansen@linux.intel.com> wrote:
> On 01/11/2018 10:32 AM, Josh Poimboeuf wrote:
>>> hmm. Exposing cr3 to user space will make it trivial for user process
>>> to know whether kpti is active. Not sure how exploitable such
>>> information leak.
>> It's already trivial to detect PTI from user space.
>
> Do tell.

One way to do it is to just run the attack, and see if you get something.

So it's not really "is PTI enabled", but a "is meltdown there". Then
you just use that together with cpuinfo to decide if PTI is enabled.

So I think Josh is 100% right. Detecting PTI on/off is not hard.

But that does *not* mean that %cr3 isn't secret. %cr3 should
definitely never *ever* be accessible to user space.

             Linus