Subject: Re: [PATCH 4/4] x86,module: Detect CRn and DRn manipulation
From: Nadav Amit
Date: Tue, 7 Apr 2020 14:22:11 -0700
To: Peter Zijlstra
Cc: Thomas Gleixner, LKML, hch@infradead.org, Sean Christopherson, mingo, bp, hpa@zytor.com, x86, "Kenneth R. Crudup", Jessica Yu, Rasmus Villemoes, Paolo Bonzini, Fenghua Yu, Xiaoyao Li, Thomas Hellstrom, Tony Luck, Steven Rostedt, Greg Kroah-Hartman, jannh@google.com, keescook@chromium.org, David.Laight@aculab.com, Doug Covelli, mhiramat@kernel.org
Message-Id: <96C2F23A-D6F4-4A04-82B6-284788C5D2CC@gmail.com>
In-Reply-To: <20200407205042.GT2452@worktop.programming.kicks-ass.net>
X-Mailing-List: linux-kernel@vger.kernel.org

> On Apr 7, 2020, at 1:50 PM, Peter Zijlstra wrote:
>
> On Tue, Apr 07, 2020 at 01:27:45PM -0700, Nadav Amit wrote:
>>> On Apr 7, 2020, at 12:38 PM, Peter Zijlstra wrote:
>>>
>>> On Tue, Apr 07, 2020 at 11:55:21AM -0700, Nadav Amit wrote:
>>>>> On Apr 7, 2020, at 4:02 AM, Peter Zijlstra wrote:
>>>>>
>>>>> Since we now have infrastructure to analyze module text, disallow
>>>>> modules that write to CRn and DRn registers.
>>>>
>>>> Assuming the kernel is built without CONFIG_PARAVIRT, what is the right way
>>>> for out-of-tree modules to write to CRs? Let’s say CR2?
>>>
>>> Most of them there is no real justification for ever writing to. CR2 I
>>> suppose we can have an exception for given a sane rationale for why
>>> you'd need to rewrite the fault address.
>>
>> For the same reason that KVM writes to CR2 - to restore CR2 before entering
>> a guest, since CR2 not architecturally loaded from the VMCS. I suspect there
>> are additional use-cases which are not covered by the kernel interfaces.
>
> So I'm not much of a virt guy (clearly), and *groan*, that's horrible.
> I'll go make an exception for CR2.

Clearly you are not a virt guy if you think that this is the horrible part in
x86 virtualization ;-)

Anyhow, I do not think it is the only use-case which is not covered by your
patches (even considering CRs/DRs alone). For example, there is no kernel
function to turn on CR4.VMXE, which is required to run hypervisors on x86.

I think a thorough analysis of existing software is needed to figure out
which use-cases are valid, and to exclude them during module scanning or to
provide alternative kernel interfaces to enable them. This may require a
transition phase in which module scanning would only issue warnings and
would not prevent the module from being loaded.
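
Added example, not part of the original message and not the kernel patch's code: a sketch of the scan policy this thread discusses (flag MOV-to-CRn/DRn, exempt CR2, and a warn-only transition mode). The names `crdr_write`, `scan_module` and the mode/verdict enums are hypothetical, and the input is assumed to be 64-bit code already split at instruction boundaries by a real decoder.

```c
#include <stddef.h>
#include <stdint.h>
/* Hypothetical names; this is not the code from the kernel patch. */
enum scan_mode { SCAN_WARN_ONLY, SCAN_ENFORCE };
enum verdict   { MOD_OK, MOD_WARN, MOD_REJECT };
struct insn { const uint8_t *bytes; size_t len; }; /* one whole instruction */
/* Returns 0 if not a CR/DR write, else 'C' or 'D' with *regno set.
 * Assumes 64-bit code, split at instruction boundaries by a real decoder. */
static int crdr_write(const struct insn *in, unsigned *regno)
{
    size_t i = 0;
    unsigned rex_r = 0;
    if (in->len && (in->bytes[0] & 0xf0) == 0x40)   /* REX: R bit extends reg */
        rex_r = (in->bytes[i++] >> 2) & 1;
    if (i + 2 >= in->len || in->bytes[i] != 0x0f)
        return 0;
    /* 0F 22 /r = MOV CRn,r; 0F 23 /r = MOV DRn,r (0F 20 / 0F 21 are reads) */
    if (in->bytes[i + 1] != 0x22 && in->bytes[i + 1] != 0x23)
        return 0;
    *regno = ((in->bytes[i + 2] >> 3) & 7) | (rex_r << 3);
    return in->bytes[i + 1] == 0x22 ? 'C' : 'D';
}

/* cr_allow: bitmask of CR numbers modules may write (bit 2 = CR2). */
static enum verdict scan_module(const struct insn *text, size_t n,
                                unsigned cr_allow, enum scan_mode mode)
{
    enum verdict v = MOD_OK;
    for (size_t k = 0; k < n; k++) {
        unsigned r = 0;
        int kind = crdr_write(&text[k], &r);
        if (!kind || (kind == 'C' && ((cr_allow >> r) & 1)))
            continue;                     /* not a write, or exempted CR */
        if (mode == SCAN_ENFORCE)
            return MOD_REJECT;
        v = MOD_WARN;                     /* transition phase: load but warn */
    }
    return v;
}

/* Constructed sample instructions, not taken from any real module. */
static const uint8_t rd_cr2[] = { 0x0f, 0x20, 0xd0 };   /* mov %cr2,%rax */
static const uint8_t wr_cr2[] = { 0x0f, 0x22, 0xd0 };   /* mov %rax,%cr2 */
static const uint8_t wr_cr4[] = { 0x0f, 0x22, 0xe0 };   /* mov %rax,%cr4 */
static const uint8_t wr_dr7[] = { 0x0f, 0x23, 0xf8 };   /* mov %rax,%dr7 */
static const struct insn cr2_only[] = { { rd_cr2, 3 }, { wr_cr2, 3 } };
static const struct insn cr2_cr4[]  = { { wr_cr2, 3 }, { wr_cr4, 3 } };
static const struct insn dr_write[] = { { wr_dr7, 3 } };
int main(void) { return scan_module(cr2_only, 2, 1u << 2, SCAN_ENFORCE); }
```

Because the value being written lives in a general-purpose register, an opcode-level check like this can tell that CR4 is written but not which bit (such as VMXE) is being set.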