From: Kees Cook
To: Mickaël Salaün
Cc: Wei Liu, Borislav Petkov, Dave Hansen, H. Peter Anvin, Ingo Molnar, Paolo Bonzini, Sean Christopherson, Thomas Gleixner, Vitaly Kuznetsov, Wanpeng Li, Alexander Graf, Forrest Yuan Yu, James Morris, John Andersen, Madhavan T. Venkataraman, Marian Rotariu, Mihai Donțu, Nicușor Cîțu, Rick Edgecombe, Thara Gopinath, Will Deacon, Zahra Tarkhani, Ștefan Șicleru, dev@lists.cloudhypervisor.org, kvm@vger.kernel.org, linux-hardening@vger.kernel.org, linux-hyperv@vger.kernel.org, linux-kernel@vger.kernel.org, linux-security-module@vger.kernel.org, qemu-devel@nongnu.org, virtualization@lists.linux-foundation.org, x86@kernel.org, xen-devel@lists.xenproject.org
Subject: Re: [PATCH v1 5/9] KVM: x86: Add new hypercall to lock control registers
Date: Tue, 30 May 2023 16:16:09 -0700
Message-ID: <202305301614.BF8D80D3D5@keescook>
References: <20230505152046.6575-1-mic@digikod.net> <20230505152046.6575-6-mic@digikod.net> <901ff104-215c-8e81-fbae-5ecd8fa94449@digikod.net>
In-Reply-To: <901ff104-215c-8e81-fbae-5ecd8fa94449@digikod.net>

On Mon, May 29, 2023 at 06:48:03PM +0200, Mickaël Salaün wrote:
> 
> On 08/05/2023 23:11, Wei Liu wrote:
> > On Fri, May 05, 2023 at 05:20:42PM +0200, Mickaël Salaün wrote:
> > > This enables guests to lock their CR0 and CR4 registers with a subset of
> > > X86_CR0_WP, X86_CR4_SMEP, X86_CR4_SMAP, X86_CR4_UMIP, X86_CR4_FSGSBASE
> > > and X86_CR4_CET flags.
> > > 
> > > The new KVM_HC_LOCK_CR_UPDATE hypercall takes two arguments. The first
> > > is to identify the control register, and the second is a bit mask to
> > > pin (i.e. mark as read-only).
> > > 
> > > These register flags should already be pinned by Linux guests, but once
> > > compromised, this self-protection mechanism could be disabled, which is
> > > not the case with this dedicated hypercall.
> > > 
> > > Cc: Borislav Petkov
> > > Cc: Dave Hansen
> > > Cc: H. Peter Anvin
> > > Cc: Ingo Molnar
> > > Cc: Kees Cook
> > > Cc: Madhavan T. Venkataraman
> > > Cc: Paolo Bonzini
> > > Cc: Sean Christopherson
> > > Cc: Thomas Gleixner
> > > Cc: Vitaly Kuznetsov
> > > Cc: Wanpeng Li
> > > Signed-off-by: Mickaël Salaün
> > > Link: https://lore.kernel.org/r/20230505152046.6575-6-mic@digikod.net
> > [...]
> > > hw_cr4 = (cr4_read_shadow() & X86_CR4_MCE) | (cr4 & ~X86_CR4_MCE);
> > > if (is_unrestricted_guest(vcpu))
> > > diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c
> > > index ffab64d08de3..a529455359ac 100644
> > > --- a/arch/x86/kvm/x86.c
> > > +++ b/arch/x86/kvm/x86.c
> > > @@ -7927,11 +7927,77 @@ static unsigned long emulator_get_cr(struct x86_emulate_ctxt *ctxt, int cr)
> > > return value;
> > > }
> > > +#ifdef CONFIG_HEKI
> > > +
> > > +extern unsigned long cr4_pinned_mask;
> > > +
> > 
> > Can this be moved to a header file?
> 
> Yep, but I'm not sure which one. Any preference Kees?

Uh, er, I was never expecting that mask to be non-static. ;)

To that end, how about putting it in arch/x86/kvm/x86.h ?

-- 
Kees Cook
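Review bot: `extern unsigned long cr4_pinned_mask;` is declared directly inside arch/x86/kvm/x86.c, so nothing ties this declaration to the symbol's definition and the compiler cannot catch a type mismatch between the two (checkpatch also warns about externs in .c files); declare it once in a header that both the defining file and x86.c include, as the thread suggests with arch/x86/kvm/x86.h, keeping the `#ifdef CONFIG_HEKI` guard with it. Since the mask was static before this series, widening its linkage deserves a sentence in the commit message explaining why KVM needs to read it.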
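A constructed model of the semantics the commit message describes (a register selector plus a bit mask that becomes read-only), added here as example code; it is not the HEKI patch's or KVM's own implementation, and the function names, the `cr_state` layout and the error codes are assumptions. The bit positions are the architectural x86 CR0/CR4 ones, and the mask is restricted to the subset the commit message lists.

```c
#include <errno.h>
#include <stddef.h>

/* Architectural bit positions in CR0 and CR4. */
#define X86_CR0_WP        (1UL << 16)
#define X86_CR4_UMIP      (1UL << 11)
#define X86_CR4_FSGSBASE  (1UL << 16)
#define X86_CR4_SMEP      (1UL << 20)
#define X86_CR4_SMAP      (1UL << 21)
#define X86_CR4_CET       (1UL << 23)

/* Only these bits may be pinned, per the patch description. */
#define CR0_PINNABLE  X86_CR0_WP
#define CR4_PINNABLE  (X86_CR4_SMEP | X86_CR4_SMAP | X86_CR4_UMIP | \
                       X86_CR4_FSGSBASE | X86_CR4_CET)

/* Hypothetical per-vCPU state: live register values plus the locked bits. */
struct cr_state {
	unsigned long cr0, cr4;
	unsigned long cr0_pinned, cr4_pinned;
};

/* Map a register number to its value slot, pin mask and allowed subset. */
static unsigned long *cr_slot(struct cr_state *s, int cr,
			      unsigned long **pinned, unsigned long *pinnable)
{
	if (cr == 0) { *pinned = &s->cr0_pinned; *pinnable = CR0_PINNABLE; return &s->cr0; }
	if (cr == 4) { *pinned = &s->cr4_pinned; *pinnable = CR4_PINNABLE; return &s->cr4; }
	return NULL;
}

/* Hypercall handler model: pins accumulate and are never removed. */
int heki_lock_cr(struct cr_state *s, int cr, unsigned long mask)
{
	unsigned long *pinned, pinnable;

	if (!cr_slot(s, cr, &pinned, &pinnable))
		return -EINVAL;		/* unknown register */
	if (mask & ~pinnable)
		return -EINVAL;		/* bits outside the allowed subset */
	*pinned |= mask;
	return 0;
}

/* Host-side check on a guest CR write: changing a pinned bit is refused. */
int heki_write_cr(struct cr_state *s, int cr, unsigned long val)
{
	unsigned long *pinned, pinnable;
	unsigned long *reg = cr_slot(s, cr, &pinned, &pinnable);

	if (!reg)
		return -EINVAL;
	if ((*reg ^ val) & *pinned)
		return -EPERM;		/* pinned bit would flip */
	*reg = val;
	return 0;
}
```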