Received: by 2002:a25:6193:0:0:0:0:0 with SMTP id v141csp285957ybb; Tue, 7 Apr 2020 23:02:01 -0700 (PDT) X-Google-Smtp-Source: APiQypI0/M2A0j6Lda9DvbLO+fwAdiiKl3jq2SgPJC9kASq6DEQ0F5d0ZT07MAERIEoICeiod+6P X-Received: by 2002:aca:c506:: with SMTP id v6mr1337167oif.26.1586325721749; Tue, 07 Apr 2020 23:02:01 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1586325721; cv=none; d=google.com; s=arc-20160816; b=EOqpXD/Cips5+kc76E1AcazEblI+QWoADFCxJe18waxt9YOSrsg3nR3LRAnXmC1mBe pObzKjJilFThJkLX/XtfBDswml12qmGAgCL07TYjlbAvWjBkum7UZHcjt9B6qHEy6dQe IRkkHBCtLxffoan9gNaHUj8svYVjuBwQLHIWEOAceZxcwMjQnx+Z82MPgzS2shBmvX6l r+ZperWdB0Cz2Xdv0V8ffqsrc1QuiTV2cs8o1YsdIR+7Znb+MtMT6ETwN6lVdPai7ua0 xI+McJuR2WCT17Llt0vptejxeTghQpWCiaqlH2HdoogpNug64aYzaHFOsPP8jdf4VZk3 KSZg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding :content-language:in-reply-to:mime-version:user-agent:date :message-id:from:references:cc:to:subject; bh=8BKpUEWasjfI71lqhZ433n5QO8PTzrLLgGGnYZ0fQDg=; b=nTFKN357mNII1ARNdZHlrSWVpARMWw7bstE3zvqiqRSJXKd1ZActPtiF2FJtNvT/fY /z1Xx5GiPGu8gNu35bYLT8mIoCjqnMx4YkkJzmBVlJFLxFiPqwlpOdg6IBROV78LX7p/ AIaJAuJx6t4836whPveeaA1K/FWOLUqB5gMckMbX4Nm4oeWReJ0VbxChMu6EYTTU5xQJ JX3E/o97wbLhpUpFFU8vfTasvefxnGC94vf5UtxS/yUg/V+LuxJ5c+uOZaez5TG11Xj6 fC8B8VKdVWofoKnIDVxApYsDEyNySD6tljCKRTg6cUzyX3URLJT9P3fOJMfPGcd+r7Tp 5yqw== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=siemens.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id b17si2174262ook.91.2020.04.07.23.01.47; Tue, 07 Apr 2020 23:02:01 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=siemens.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726634AbgDHGA0 (ORCPT + 99 others); Wed, 8 Apr 2020 02:00:26 -0400 Received: from gecko.sbs.de ([194.138.37.40]:42883 "EHLO gecko.sbs.de" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1725440AbgDHGA0 (ORCPT ); Wed, 8 Apr 2020 02:00:26 -0400 Received: from mail2.sbs.de (mail2.sbs.de [192.129.41.66]) by gecko.sbs.de (8.15.2/8.15.2) with ESMTPS id 0385x3BM017885 (version=TLSv1.2 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Wed, 8 Apr 2020 07:59:03 +0200 Received: from [167.87.145.84] ([167.87.145.84]) by mail2.sbs.de (8.15.2/8.15.2) with ESMTP id 0385wr4o028544; Wed, 8 Apr 2020 07:58:54 +0200 Subject: Re: [PATCH 4/4] x86,module: Detect CRn and DRn manipulation To: Steven Rostedt , Peter Zijlstra Cc: tglx@linutronix.de, linux-kernel@vger.kernel.org, hch@infradead.org, sean.j.christopherson@intel.com, mingo@redhat.com, bp@alien8.de, hpa@zytor.com, x86@kernel.org, kenny@panix.com, jeyu@kernel.org, rasmus.villemoes@prevas.dk, pbonzini@redhat.com, fenghua.yu@intel.com, xiaoyao.li@intel.com, nadav.amit@gmail.com, thellstrom@vmware.com, tony.luck@intel.com, gregkh@linuxfoundation.org, jannh@google.com, keescook@chromium.org, David.Laight@aculab.com, dcovelli@vmware.com, mhiramat@kernel.org, Wolfgang Mauerer References: <20200407110236.930134290@infradead.org> <20200407111007.429362016@infradead.org> <20200407174824.5e97a597@gandalf.local.home> From: Jan Kiszka Message-ID: <137fe245-69f3-080e-5f2b-207cd218f199@siemens.com> Date: Wed, 8 Apr 2020 07:58:53 +0200 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Thunderbird/68.6.0 MIME-Version: 1.0 In-Reply-To: <20200407174824.5e97a597@gandalf.local.home> Content-Type: text/plain; charset=utf-8; format=flowed Content-Language: en-US Content-Transfer-Encoding: 7bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On 07.04.20 23:48, Steven Rostedt wrote: > On Tue, 07 Apr 2020 13:02:40 +0200 > Peter Zijlstra wrote: > >> Since we now have infrastructure to analyze module text, disallow >> modules that write to CRn and DRn registers. >> >> Signed-off-by: Peter Zijlstra (Intel) >> --- >> arch/x86/kernel/module.c | 21 +++++++++++++++++++++ >> 1 file changed, 21 insertions(+) >> >> --- a/arch/x86/kernel/module.c >> +++ b/arch/x86/kernel/module.c >> @@ -266,6 +266,22 @@ static bool insn_is_vmx(struct insn *ins >> return false; >> } >> >> +static bool insn_is_mov_CRn(struct insn *insn) >> +{ >> + if (insn->opcode.bytes[0] == 0x0f && insn->opcode.bytes[1] == 0x22) >> + return true; >> + >> + return false; >> +} >> + >> +static bool insn_is_mov_DRn(struct insn *insn) >> +{ >> + if (insn->opcode.bytes[0] == 0x0f && insn->opcode.bytes[1] == 0x23) >> + return true; >> + >> + return false; >> +} >> + >> static int decode_module(struct module *mod, void *text, void *text_end, bool sld_safe) >> { >> bool allow_vmx = sld_safe || !split_lock_enabled(); >> @@ -285,6 +301,11 @@ static int decode_module(struct module * >> return -ENOEXEC; >> } >> >> + if (insn_is_mov_CRn(&insn) || insn_is_mov_DRn(&insn)) { >> + pr_err("Module writes to CRn or DRn, please use the proper accessors: %s\n", mod->name); >> + return -ENOEXEC; >> + } > > Hmm, wont this break jailhouse? Yes, possibly. We load the hypervisor binary via request_firmware into executable memory and then jump into it. So most of the "suspicious" code is there - except two cr4_init_shadow() calls to propagate the non-transparent update of VMXE into that shadow. We could hide that CR4 flag, but that could mislead root Linux to try to use VMX while in jail. Jan -- Siemens AG, Corporate Technology, CT RDA IOT SES-DE Corporate Competence Center Embedded Linux