From: Julian Stecklina
To: Kees Cook
Cc: Greg KH, Andi Kleen, LKML, David Woodhouse, Liran Alon, Paolo Bonzini, Thomas Gleixner, Linus Torvalds, X86 ML, Kernel Hardening
Subject: Re: [RFC] x86/speculation: add L1 Terminal Fault / Foreshadow demo
References: <1548076208-6442-1-git-send-email-jsteckli@amazon.de> <20190121183618.GP6118@tassilo.jf.intel.com> <20190121191541.GB4026@kroah.com>
Date: Tue, 22 Jan 2019 16:34:18 +0200
X-Mailing-List: linux-kernel@vger.kernel.org

Kees Cook writes:

> On Tue, Jan 22, 2019 at 8:15 AM Greg KH wrote:
>>
>> On Mon, Jan 21, 2019 at 10:36:18AM -0800, Andi Kleen wrote:
>> > > + /* Check the start address: needs to be page-aligned.. */
>> > > +- if (start & ~PAGE_MASK)
>> > > ++ if (start & ~PAGE_MASK) {
>> > > ++
>> > > ++ /*
>> > > ++ * XXX Hack
>> > > ++ *
>> > > ++ * We re-use this error case to show case a cache load gadget:
>> > > ++ * There is a mispredicted branch, which leads to prefetching
>> > > ++ * the cache with attacker controlled data.
>> > > ++ */
>> > > ++ asm volatile (
>> >
>> > Obviously that can never be added to a standard kernel.
>>
>> No, that's why it is a patch, right?

Yes, this is obviously only for experimenting.

>> People want to test things, it's nice to have a way to easily do
>> this.
>
> What about adding something like it to drivers/misc/lkdtm/ instead?
>
> It's not a "production" module, but it regularly gets built for selftest builds.

For people who want to test L1TF hardening patches in the kernel (e.g.
XPFO) it's certainly nice to not have to manually patch the kernel to
add an easy-to-reach cache load gadget. It's also nice if you quickly
want to test whether a random Intel CPU has this vulnerability.

The cache load gadget as it is right now is mostly to show a reasonably
realistic scenario of speculatively executed code fetching memory into
the L1 cache. I didn't want to make this a completely crafted example
where I just literally execute a prefetch instruction.

But what I could do is add a bit of code in lkdtm that exposes a debugfs
file with this functionality.

Thoughts?

Julian
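
Review bot: the gadget added inside `if (start & ~PAGE_MASK) {` has no build-time guard in the quoted lines, so any kernel carrying this change runs the asm block for every caller that passes an unaligned start address. Wrapping it in a dedicated config option, or moving it out of this error path into a test-only module as the drivers/misc/lkdtm/ suggestion in the thread proposes, would keep it out of non-test builds. The "XXX Hack" comment would also help more if it said where the "attacker controlled data" comes from, since nothing in the visible lines ties it to an argument, and "show case" should read "showcase".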