Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Tue, 23 Jun 2020 20:03:35 +0000
From: "Andersen, John" <john.s.andersen@...el.com>
To: Andy Lutomirski <luto@...nel.org>
Cc: Jonathan Corbet <corbet@....net>, Paolo Bonzini <pbonzini@...hat.com>,
	Thomas Gleixner <tglx@...utronix.de>,
	Ingo Molnar <mingo@...hat.com>, Borislav Petkov <bp@...en8.de>,
	X86 ML <x86@...nel.org>, "H. Peter Anvin" <hpa@...or.com>,
	Shuah Khan <shuah@...nel.org>,
	"Christopherson, Sean J" <sean.j.christopherson@...el.com>,
	Liran Alon <liran.alon@...cle.com>,
	Andrew Jones <drjones@...hat.com>,
	Rick Edgecombe <rick.p.edgecombe@...el.com>,
	Kristen Carlson Accardi <kristen@...ux.intel.com>,
	Vitaly Kuznetsov <vkuznets@...hat.com>,
	Wanpeng Li <wanpengli@...cent.com>,
	Jim Mattson <jmattson@...gle.com>, Joerg Roedel <joro@...tes.org>,
	mchehab+huawei@...nel.org, Greg KH <gregkh@...uxfoundation.org>,
	"Paul E. McKenney" <paulmck@...nel.org>,
	pawan.kumar.gupta@...ux.intel.com, Juergen Gross <jgross@...e.com>,
	Mike Kravetz <mike.kravetz@...cle.com>,
	Oliver Neukum <oneukum@...e.com>,
	Peter Zijlstra <peterz@...radead.org>,
	Fenghua Yu <fenghua.yu@...el.com>, reinette.chatre@...el.com,
	vineela.tummalapalli@...el.com,
	Dave Hansen <dave.hansen@...ux.intel.com>,
	Arjan van de Ven <arjan@...ux.intel.com>, caoj.fnst@...fujitsu.com,
	Baoquan He <bhe@...hat.com>, Arvind Sankar <nivedita@...m.mit.edu>,
	Kees Cook <keescook@...omium.org>,
	Dan Williams <dan.j.williams@...el.com>, eric.auger@...hat.com,
	aaronlewis@...gle.com, Peter Xu <peterx@...hat.com>,
	makarandsonare@...gle.com,
	"open list:DOCUMENTATION" <linux-doc@...r.kernel.org>,
	LKML <linux-kernel@...r.kernel.org>, kvm list <kvm@...r.kernel.org>,
	"open list:KERNEL SELFTEST FRAMEWORK" <linux-kselftest@...r.kernel.org>,
	Kernel Hardening <kernel-hardening@...ts.openwall.com>
Subject: Re: [PATCH 4/4] X86: Use KVM CR pin MSRs

On Fri, Jun 19, 2020 at 10:13:25PM -0700, Andy Lutomirski wrote:
> On Wed, Jun 17, 2020 at 12:05 PM John Andersen
> <john.s.andersen@...el.com> wrote:
> > Guests using the kexec system call currently do not support
> > paravirtualized control register pinning. This is due to early boot
> > code writing known good values to control registers, these values do
> > not contain the protected bits. This is due to CPU feature
> > identification being done at a later time, when the kernel properly
> > checks if it can enable protections. As such, the pv_cr_pin command line
> > option has been added which instructs the kernel to disable kexec in
> > favor of enabling paravirtualized control register pinning. crashkernel
> > is also disabled when the pv_cr_pin parameter is specified due to its
> > reliance on kexec.
> 
> Is there a plan for fixing this for real?  I'm wondering if there is a
> sane weakening of this feature that still allows things like kexec.
> 

I'm pretty sure kexec can be fixed. I had it working at one point, I'm
currently in the process of revalidating this. The issue was though that
kexec only worked within the guest, not on the physical host, which I suspect
is related to the need for supervisor pages to be mapped, which seems to be
required before enabling SMAP (based on what I'd seen with the selftests and
unittests). I was also just blindly turning on the bits without checking for
support when I'd tried this, so that could have been the issue too.

I think most of the changes for just blindly enabling the bits were in
relocate_kernel, secondary_startup_64, and startup_32.

> What happens if a guest tries to reset?  For that matter, what happens
> when a guest vCPU sends SIPI to another guest vCPU?  The target CPU
> starts up in real mode, right?
>

In this case we hit kvm_vcpu_reset, where we clear pinning. Yes I believe it
starts up in real mode.

> There's no SMEP or SMAP in real mode, and real mode has basically no security
> mitigations at all.
> 

We'd thought about the switch to real mode being a case where we'd want to drop
pinning. However, we weren't sure how much weaker, if at all, it makes this
protection.

Unless someone knows, I'll probably need to do some digging into what an
exploit might look like that tries switching to real mode and switching back as
a way around this protection.

If we can use the switch to real mode as a drop pinning trigger then I think
that might just solve the kexec problem.

> PCID is an odd case.  I see no good reason to pin it, and pinning PCID
> on prevents use of 32-bit mode.

Maybe it makes sense to default to the values we have, but allow host userspace
to overwrite the allowed values, in case some other guest OS wants to do
something that Linux doesn't with PCID or other bits.

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.