Received: by 2002:a6b:500f:0:0:0:0:0 with SMTP id e15csp5151741iob; Mon, 9 May 2022 09:38:50 -0700 (PDT) X-Google-Smtp-Source: ABdhPJyrM3s2KsQPmor4c+g+jlsh75SKC3eAQ7kLrIcswCQ/y7KEfzpGxx+f2MsnZklp/P+ByCay X-Received: by 2002:a05:622a:58d:b0:2f3:cceb:d9ab with SMTP id c13-20020a05622a058d00b002f3ccebd9abmr12525641qtb.36.1652114330657; Mon, 09 May 2022 09:38:50 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1652114330; cv=none; d=google.com; s=arc-20160816; b=NvHoj8f4mxK6Itck1o+1S/fx4fjpIO+Jzfge4LfnBBajx+DpX9wLuLmRUeiaGbTR5G vfeDR8jcTv8Lp7GZwyIIm/LGAIYtdWJA+/lQnywQGtIx3YyQRBy8uDdcDg4SX0sQ3CvA 45Nl/zvZmT8W6o6Vi79RpsSa2I7tfHOtt7Jml1rJt8Cfn0qd4J/rQFxz4BV9zwomijwN bwGeLhRR7n5Rh2dmazdEbZcvCATsPDwOoxLvJ5lSrk410IOacsbxzAuy8XWiFwYf9L4u bkaB7NkdwXOLmpvAUYLNLYGtID70igLXZAOGkTjOuv1FjigM3xSelMETQYNwoFTaeNi9 af/w== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:in-reply-to:content-disposition:mime-version :references:message-id:subject:cc:to:from:date:dkim-signature; bh=YVZDhhuwFnG0wO9zG2gz1m1ChZD7/QsEFk2nXCEHMmY=; b=VXLQEVG/J/zWZooDU4m0pN4wj5mWL898/mf6m30ZN8dowzxzLMfzdpMtvVii0LtE6F qZOSz6KQRBgN0xNRaA3ThDW2G7VSzkTUKe8DMoKHhtckAz45IyYulR2FSlLtj4w617/+ 1XHdSS4GrlWBL/BQedFca/4LKYAn3oIoo2/2gPivlE8/bPEs1tdAXK1NiKg0Z3D/ryF+ lEMD7IDTXWwxMFIRVvrxjO2myTRqPL91/Bm6LyFHNtjNW20O/Wwx6oUQQMY5JWdja6bh 6CRC1IaHsoSYYpvgVB2EaN8bM8BwsIeRoK+dW8fji36dtlE6MfVV3nEQ5/qhNx8+vJA1 gjWw== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@alien8.de header.s=dkim header.b=rGl4Ip+P; spf=softfail (google.com: domain of transitioning linux-kernel-owner@vger.kernel.org does not designate 23.128.96.19 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=alien8.de Return-Path: Received: from lindbergh.monkeyblade.net (lindbergh.monkeyblade.net. [23.128.96.19]) by mx.google.com with ESMTPS id q11-20020a056214194b00b00456374088c0si10122799qvk.404.2022.05.09.09.38.50 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 09 May 2022 09:38:50 -0700 (PDT) Received-SPF: softfail (google.com: domain of transitioning linux-kernel-owner@vger.kernel.org does not designate 23.128.96.19 as permitted sender) client-ip=23.128.96.19; Authentication-Results: mx.google.com; dkim=pass header.i=@alien8.de header.s=dkim header.b=rGl4Ip+P; spf=softfail (google.com: domain of transitioning linux-kernel-owner@vger.kernel.org does not designate 23.128.96.19 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=alien8.de Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by lindbergh.monkeyblade.net (Postfix) with ESMTP id 93FDCEAB81; Mon, 9 May 2022 09:31:47 -0700 (PDT) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S238936AbiEIQfg (ORCPT + 99 others); Mon, 9 May 2022 12:35:36 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:58968 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S238152AbiEIQff (ORCPT ); Mon, 9 May 2022 12:35:35 -0400 Received: from mail.skyhub.de (mail.skyhub.de [5.9.137.197]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 693C62E098; Mon, 9 May 2022 09:31:41 -0700 (PDT) Received: from zn.tnic (p5de8eeb4.dip0.t-ipconnect.de [93.232.238.180]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.skyhub.de (SuperMail on ZX Spectrum 128k) with ESMTPSA id ADA9F1EC01D4; Mon, 9 May 2022 18:31:35 +0200 (CEST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=alien8.de; s=dkim; t=1652113895; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:in-reply-to:in-reply-to: references:references; bh=YVZDhhuwFnG0wO9zG2gz1m1ChZD7/QsEFk2nXCEHMmY=; b=rGl4Ip+PNvLTALQHSdUG89pzYor5BP8t3NYCl5ruhddTTsfk9a0w3Vx+hjAt8rPD77xcel u35x0hFwVkG2cz5/8d/HDeuA70a/n7vqEwwnvRNo6drlfmU0ISJPcTrvrXG1EJw6hv8WgM xY5BKcbCNji7BIHkNvD1AwirRUrRVUU= Date: Mon, 9 May 2022 18:31:38 +0200 From: Borislav Petkov To: Tony Luck Cc: hdegoede@redhat.com, markgross@kernel.org, tglx@linutronix.de, mingo@redhat.com, dave.hansen@linux.intel.com, x86@kernel.org, hpa@zytor.com, corbet@lwn.net, gregkh@linuxfoundation.org, andriy.shevchenko@linux.intel.com, jithu.joseph@intel.com, ashok.raj@intel.com, rostedt@goodmis.org, dan.j.williams@intel.com, linux-kernel@vger.kernel.org, linux-doc@vger.kernel.org, platform-driver-x86@vger.kernel.org, patches@lists.linux.dev, ravi.v.shankar@intel.com Subject: Re: [PATCH v7 06/12] platform/x86/intel/ifs: Check IFS Image sanity Message-ID: References: <20220506014035.1173578-1-tony.luck@intel.com> <20220506225410.1652287-1-tony.luck@intel.com> <20220506225410.1652287-7-tony.luck@intel.com> MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Disposition: inline In-Reply-To: <20220506225410.1652287-7-tony.luck@intel.com> X-Spam-Status: No, score=-2.0 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,HEADER_FROM_DIFFERENT_DOMAINS, MAILING_LIST_MULTI,RDNS_NONE,SPF_HELO_NONE,T_SCC_BODY_TEXT_LINE autolearn=no autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Fri, May 06, 2022 at 03:54:04PM -0700, Tony Luck wrote: > From: Jithu Joseph > > IFS image is designed specifically for a given family, model and > stepping of the processor. Like Intel microcode header, the IFS image > has the Processor Signature, Checksum and Processor Flags that must be > matched with the information returned by the CPUID. Is the checksum the only protection against people loading arbitrary IFS images or are those things signed or encrypted, just like the microcode? I'd hope they pass the same checks as microcode, when they get loaded, considering the similarity of how they're handled... -- Regards/Gruss, Boris. https://people.kernel.org/tglx/notes-about-netiquette