Received: by 2002:ac0:a679:0:0:0:0:0 with SMTP id p54csp635227imp; Thu, 21 Feb 2019 08:12:13 -0800 (PST) X-Google-Smtp-Source: AHgI3Ia8LCYB0AnGoSg1ErfXeRFSbBthy8py0bmIy3cOuX2SNEbjK0uyggtFfExAqYXBYS0OKEwP X-Received: by 2002:a63:ce16:: with SMTP id y22mr35317884pgf.296.1550765533475; Thu, 21 Feb 2019 08:12:13 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1550765533; cv=none; d=google.com; s=arc-20160816; b=cFP10fYPJNADd1sFyhIXKOgPbBQLUsHsxqRfBKx/4A1q+wXcBBR28ay8uWVh3wBpKr mqxVxsm/9EZ5J/G2IEXbpUOZ1kFAJVqEGH1UXabfSQW0XomMMmLhUlOOMdEvbi6speE/ seRx7bJeu4ZPOVf9KqgOxElzDvXTdHLCeIBacai6sLdCT+SU79gqUWPJJVM/S6/Kh0OG 9TyzsPXJW2DDcEgLt5uJaZOGxfE37VmPK1lXMTU1vJNPUh3hOmQ7rcOKfIjkylSpWWm1 lEa/rn92RxUSs0/ekNSUP3j1XXIx+LJeesVpNmWSfvajFAdUiyZKAZnRnlDdH98BLTbZ gkIw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:dkim-signature; bh=ccZQK5lkR0ntVe8r4wno0Ba7GkyoiaG7NSnztmD7HNI=; b=WQrmOIv+u0ZHwhy4kWBWH9GJ1KAIAdDR7cyqvo00CQganfkHsrXTH9g8+iwmepxFy1 nyX2vfpW9obeuq+zNKe8ZGTYweVMgFen3YZscyVq9niy7SwdBDytW/U+EVYaqYlWpzFV nkdBpXfzJ9z39c8lml2zVNSmwdILVzbBb344F4D35HW71nb1Nm5vf/EpDuNtrz8hdnYh i3/kuAKfKpow9CjozdqJ5Xbmh/XQ9uvfyMXikzeAgrlbtPgpjJ1L7bbOCzk2wkiIlxhn F7rRhVTQ5GZ3c7k1Bbv+5F06vSZ/U/4uqSR/fEhIws/qtiW+3PDU0ZgDSWksR1Y+gNSK NHiw== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@chromium.org header.s=google header.b=cbUbkuIY; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=chromium.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id r1si20923126pfb.118.2019.02.21.08.11.57; Thu, 21 Feb 2019 08:12:13 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@chromium.org header.s=google header.b=cbUbkuIY; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=chromium.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1728310AbfBUQLY (ORCPT + 99 others); Thu, 21 Feb 2019 11:11:24 -0500 Received: from mail-ua1-f66.google.com ([209.85.222.66]:42780 "EHLO mail-ua1-f66.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1725880AbfBUQLY (ORCPT ); Thu, 21 Feb 2019 11:11:24 -0500 Received: by mail-ua1-f66.google.com with SMTP id d21so9725025uap.9 for ; Thu, 21 Feb 2019 08:11:22 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=ccZQK5lkR0ntVe8r4wno0Ba7GkyoiaG7NSnztmD7HNI=; b=cbUbkuIY3IR9D+xAAD7lr4gBDCZv3CzNmA7AFdOWzgm6e8opYVtS1n3pa3tA5cFbD8 mUvB+dl0TWE+j7g97KrA+EEATSxLrm7k6sGdrq7DsLDP7wK0veKNaIw6Y3/0yDFDrfng 0LjFc2Q+IoVOt/m9T1vtEtXZdsLI27qP0z72I= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=ccZQK5lkR0ntVe8r4wno0Ba7GkyoiaG7NSnztmD7HNI=; b=sZcw5JjsiCeiXpt8RBW6DJfcFyWaU1o0iwdlSfaA8gCC+26goWEPBoGTuG9JfFDm25 F1JLQQZ4JBtjV4YDPs7jbo2w4QfSKipHQh7ZdSVsEaJ+37SX9+aCTa9/d29y/UM9HwKW kNismKes/ZIUb0abFhiZOkGyf9Sa2GooipKF/6RMAye7i6WgDUWQjtKOtVGopWkio2/y JqWSNJLxqQnsqA5rUOasOyMvtvRtQEkOmunm8/tza4MuNIYVXhtRmYUvknZBtmGZqSxa za9GsWav/vspGbJZ3sf72ZFGSCa/q0Jl0AwPGQFxiWCeXDsZMTY5ZwmfolACAtCZZL42 9v/A== X-Gm-Message-State: AHQUAua4o1SefsAq261PFo+2ITPPPHVClnoqfli7d7VF7o0yrQZ4/+Eb 6SrhD2QTWW7E0/1caQm38Wv16I30xgs= X-Received: by 2002:ab0:2bc9:: with SMTP id s9mr20286219uar.91.1550765481843; Thu, 21 Feb 2019 08:11:21 -0800 (PST) Received: from mail-ua1-f52.google.com (mail-ua1-f52.google.com. [209.85.222.52]) by smtp.gmail.com with ESMTPSA id t133sm20471118vsc.8.2019.02.21.08.11.20 for (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Thu, 21 Feb 2019 08:11:21 -0800 (PST) Received: by mail-ua1-f52.google.com with SMTP id z11so9724177uaa.10 for ; Thu, 21 Feb 2019 08:11:20 -0800 (PST) X-Received: by 2002:a05:6102:d2:: with SMTP id u18mr13546244vsp.172.1550765480348; Thu, 21 Feb 2019 08:11:20 -0800 (PST) MIME-Version: 1.0 References: <20190220180934.GA46255@beast> <20190220184859.GA6429@openwall.com> <20190221130645.GA8281@openwall.com> In-Reply-To: <20190221130645.GA8281@openwall.com> From: Kees Cook Date: Thu, 21 Feb 2019 08:11:08 -0800 X-Gmail-Original-Message-ID: Message-ID: Subject: Re: [PATCH v2] x86/asm: Pin sensitive CR4 bits To: Solar Designer Cc: Thomas Gleixner , Jann Horn , Dominik Brodowski , LKML , Kernel Hardening , X86 ML Content-Type: text/plain; charset="UTF-8" Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Thu, Feb 21, 2019 at 5:06 AM Solar Designer wrote: > > On Wed, Feb 20, 2019 at 01:20:58PM -0800, Kees Cook wrote: > > On Wed, Feb 20, 2019 at 10:49 AM Solar Designer wrote: > > > > > > On Wed, Feb 20, 2019 at 10:09:34AM -0800, Kees Cook wrote: > > > > + if (WARN_ONCE((val & cr4_pin) != cr4_pin, "cr4 bypass attempt?!\n")) > > > > + goto again; > > > > > > I think "goto again" is too mild a response given that it occurs after a > > > successful write of a non-pinned value to CR4. I think it'd allow some > > > exploits to eventually win the race: make their desired use of whatever > > > functionality SMEP, etc. would have prevented - which may be just a few > > > instructions they need to run - before the CR4 value is reverted after > > > "goto again". I think it's one of those cases where a kernel panic > > > would be more appropriate. > > > > It will not land upstream with a BUG() or panic(). Linus has > > explicitly stated that none of this work can do that until it has > > "baked" in the kernel for a couple years. > > OK. > > > In his defense, anyone sufficiently paranoid can already raise the > > priority of a WARN() into a panic via sysctl kernel.panic_on_warn (and > > kernel.panic_on_oops). > > I think there are too many uses of WARN() for anyone sane to enable > that in production, whereas it'd have made sense to enable it for the > few security-related uses. Yeah, that's been my thinking too. I've been thinking about this for a while trying to decide if we need something between WARN and BUG, but I can't make up my mind. ;) > > > Also, WARN_ONCE possibly introduces a delay sufficient to realistically > > > win this race on the first try. If we choose to warn, we should do it > > > after having reverted the CR4 value, not before. > > > > Isn't cr4 CPU-local though? > > Good point. I don't know. If CR4 is per hardware thread, then the race > would require an interrupt and would be much harder to win. > > > Couldn't we turn off interrupts to stop the race? > > This won't help. An attack would skip the code that disables interrupts > and land right on the MOV instruction. Oh duh, yeah. ;) I think v2 is good enough given the constraints we've got. Thanks for looking at it! -- Kees Cook