Date: Tue, 26 May 2020 08:48:35 -0700
From: Andi Kleen
To: Greg KH
Cc: Andi Kleen, x86@kernel.org, keescook@chromium.org, linux-kernel@vger.kernel.org, sashal@kernel.org, stable@vger.kernel.org
Subject: Re: [PATCH v1] x86: Pin cr4 FSGSBASE
Message-ID: <20200526154835.GW499505@tassilo.jf.intel.com>
References: <20200526052848.605423-1-andi@firstfloor.org> <20200526065618.GC2580410@kroah.com>
In-Reply-To: <20200526065618.GC2580410@kroah.com>
X-Mailing-List: linux-kernel@vger.kernel.org

On Tue, May 26, 2020 at 08:56:18AM +0200, Greg KH wrote:
> On Mon, May 25, 2020 at 10:28:48PM -0700, Andi Kleen wrote:
> > From: Andi Kleen
> >
> > Since there seem to be kernel modules floating around that set
> > FSGSBASE incorrectly, prevent this in the CR4 pinning. Currently
> > CR4 pinning just checks that bits are set, this also checks
> > that the FSGSBASE bit is not set, and if it is clears it again.
>
> So we are trying to "protect" ourselves from broken out-of-tree kernel
> modules now?

Well it's a specific case where we know they're opening a root hole
unintentionally. This is just a pragmatic attempt to protect the users
in the short term.

> Why stop with this type of check, why not just forbid them
> entirely if we don't trust them? :)

Would be pointless -- lots of people rely on them, so such a rule
wouldn't survive very long in production kernels.

> > diff --git a/arch/x86/kernel/cpu/common.c b/arch/x86/kernel/cpu/common.c > > index bed0cb83fe24..1f5b7871ae9a 100644 > > --- a/arch/x86/kernel/cpu/common.c > > +++ b/arch/x86/kernel/cpu/common.c
> > @@ -385,6 +385,11 @@ void native_write_cr4(unsigned long val) > > /* Warn after we've set the missing bits. */ > > WARN_ONCE(bits_missing, "CR4 bits went missing: %lx!?\n", > > bits_missing); > > + if (val & X86_CR4_FSGSBASE) { > > + WARN_ONCE(1, "CR4 unexpectedly set FSGSBASE!?\n");
>
> Like this will actually be noticed by anyone who calls this? What is a
> user supposed to do about this?

In the long term they would need to apply the proper patches
for FSGSBASE.

>
> What about those systems that panic-on-warn?

I assume they're ok with "panic on root hole"

>
> > + val &= ~X86_CR4_FSGSBASE;
>
> So you just prevented them from setting this, thereby fixing up their
> broken code that will never be fixed because you did this? Why do this?

If they rely on the functionality they will apply the proper patches then.
Or at least they will be aware that they have a root hole, which they
are currently not.

-Andi
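
Review bot: The added test on X86_CR4_FSGSBASE in native_write_cr4() is unconditional and has no comment, so the code does not record why this one bit is refused or what has to change when the kernel itself wants the bit set. Put a comment above the "if (val & X86_CR4_FSGSBASE) {" line stating the reason, and extend the WARN_ONCE text beyond "CR4 unexpectedly set FSGSBASE!?" so it says the bit was cleared and why, since that message is all an administrator will see. Clearing the bit in the local val only takes effect if CR4 is written again afterwards. The quoted lines stop at "val &= ~X86_CR4_FSGSBASE;", so confirm that the rewrite follows it.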