Subject: Re: [PATCH 4/4] x86,module: Detect CRn and DRn manipulation
From: Jan Kiszka
To: Paolo Bonzini, Steven Rostedt, Peter Zijlstra
Cc: tglx@linutronix.de, linux-kernel@vger.kernel.org, hch@infradead.org, sean.j.christopherson@intel.com, mingo@redhat.com, bp@alien8.de, hpa@zytor.com, x86@kernel.org, kenny@panix.com, jeyu@kernel.org, rasmus.villemoes@prevas.dk, fenghua.yu@intel.com, xiaoyao.li@intel.com, nadav.amit@gmail.com, thellstrom@vmware.com, tony.luck@intel.com, gregkh@linuxfoundation.org, jannh@google.com, keescook@chromium.org, David.Laight@aculab.com, dcovelli@vmware.com, mhiramat@kernel.org, Wolfgang Mauerer
Date: Wed, 8 Apr 2020 10:58:53 +0200
Message-ID: <2aed2b96-c726-1357-44bb-649ec0a809ad@siemens.com>
In-Reply-To: <0ed2739b-6961-c476-be2d-020e855796dc@redhat.com>
References: <20200407110236.930134290@infradead.org> <20200407111007.429362016@infradead.org> <20200407174824.5e97a597@gandalf.local.home> <137fe245-69f3-080e-5f2b-207cd218f199@siemens.com> <0ed2739b-6961-c476-be2d-020e855796dc@redhat.com>
X-Mailing-List: linux-kernel@vger.kernel.org

On 08.04.20 10:03, Paolo Bonzini wrote:
> On 08/04/20 07:58, Jan Kiszka wrote:
>>>>
>>>> +        if (insn_is_mov_CRn(&insn) || insn_is_mov_DRn(&insn)) {
>>>> +            pr_err("Module writes to CRn or DRn, please use the
>>>> proper accessors: %s\n", mod->name);
>>>> +            return -ENOEXEC;
>>>> +        }
>>>
>>> Hmm, won't this break jailhouse?
>>
>> Yes, possibly. We load the hypervisor binary via request_firmware into
>> executable memory and then jump into it. So most of the "suspicious"
>> code is there - except two cr4_init_shadow() calls to propagate the
>> non-transparent update of VMXE into that shadow. We could hide that CR4
>> flag, but that could mislead root Linux to try to use VMX while in jail.
>
> Why not contribute the Jailhouse loader into Linux?
>

Definitely planned. But right now it would add the burden of managing the
interface between loader and hypervisor carefully. Currently it is internal
to Jailhouse and maintained in lock-step, without any backward
compatibility.

Jan

--
Siemens AG, Corporate Technology, CT RDA IOT SES-DE
Corporate Competence Center Embedded Linux
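Review bot: the quoted check fails the whole module load with -ENOEXEC on the first matching instruction and provides no way for a module with a legitimate need to touch these registers to be exempted, which is exactly the Jailhouse breakage raised in the thread; if such modules are to keep loading, the check needs either a documented opt-out or a narrower policy, and that trade-off should be stated in the changelog. Separately, the pr_err text says the module "writes to CRn or DRn", but the predicate names insn_is_mov_CRn() / insn_is_mov_DRn() say nothing about direction; either name the helpers for the direction they match or word the message to match them, so that someone reading the log can tell whether the cr4_init_shadow() calls mentioned later in the thread would be refused as well.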
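The check quoted in the thread recognises MOV to or from control and debug registers by opcode. As an added illustration, not code from the patch, from the kernel's insn decoder or from Jailhouse, here is a standalone C classifier for that opcode family (0F 20/21/22/23 with an optional REX prefix) that also reports direction and register number, so a read of CR4, which is what cr4_init_shadow() performs, can be told apart from a write; the byte sequences in main() are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* What kind of control/debug-register MOV an instruction is, if any. */
enum ctl_mov { CTL_NONE = 0, CTL_READ_CR, CTL_WRITE_CR, CTL_READ_DR, CTL_WRITE_DR };

struct ctl_mov_info {
    enum ctl_mov kind;
    int regno;   /* CRn/DRn number (REX.R extends it to CR8), -1 if none */
    size_t len;  /* bytes consumed, 0 if not a CRn/DRn MOV */
};

/*
 * Classify the single x86-64 instruction at code[0] (avail bytes). Only the
 * two-byte opcodes 0F 20 (MOV r64,CRn), 0F 21 (MOV r64,DRn), 0F 22 (MOV CRn,
 * r64) and 0F 23 (MOV DRn,r64) are recognised, optionally with a REX prefix;
 * anything else is CTL_NONE. A module-load check would first split .text into
 * instructions with a full decoder and run this on each one (not done here).
 */
struct ctl_mov_info classify_ctl_mov(const uint8_t *code, size_t avail)
{
    struct ctl_mov_info info = { CTL_NONE, -1, 0 };
    size_t i = 0;
    int rex_r = 0;
    if (i < avail && (code[i] & 0xF0) == 0x40) {   /* REX prefix 0x40..0x4F */
        rex_r = (code[i] & 0x04) ? 8 : 0;          /* REX.R: bit 3 of ModRM.reg */
        i++;
    }
    if (i + 2 >= avail || code[i] != 0x0F)         /* need 0F, opcode, ModRM */
        return info;
    switch (code[i + 1]) {
    case 0x20: info.kind = CTL_READ_CR;  break;    /* MOV r64, CRn */
    case 0x22: info.kind = CTL_WRITE_CR; break;    /* MOV CRn, r64 */
    case 0x21: info.kind = CTL_READ_DR;  break;    /* MOV r64, DRn */
    case 0x23: info.kind = CTL_WRITE_DR; break;    /* MOV DRn, r64 */
    default:   return info;
    }
    info.regno = ((code[i + 2] >> 3) & 7) + rex_r; /* ModRM.reg selects CRn/DRn */
    info.len = i + 3;
    return info;
}

int main(void)
{
    /* Constructed encodings (not taken from any module): mov %cr4,%rax ; mov %rax,%cr4 */
    static const uint8_t rd[] = { 0x0F, 0x20, 0xE0 }, wr[] = { 0x0F, 0x22, 0xE0 };
    struct ctl_mov_info a = classify_ctl_mov(rd, sizeof rd), b = classify_ctl_mov(wr, sizeof wr);
    printf("read CR%d (kind %d), write CR%d (kind %d)\n", a.regno, a.kind, b.regno, b.kind);
    return 0;
}
```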