lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Date:   Sat, 6 Jan 2018 18:37:29 +0100
From:   Andrea Arcangeli <aarcange@...hat.com>
To:     Xishi Qiu <qiuxishi@...wei.com>
Cc:     Jiri Kosina <jikos@...nel.org>, dave.hansen@...ux.intel.com,
        LKML <linux-kernel@...r.kernel.org>,
        Linux MM <linux-mm@...ck.org>,
        Yisheng Xie <xieyisheng1@...wei.com>,
        "Wangkefeng (Maro)" <wangkefeng.wang@...wei.com>,
        Hanjun Guo <guohanjun@...wei.com>,
        Zhao Hongjiang <zhaohongjiang@...wei.com>
Subject: Re: [RFC] boot failed when enable KAISER/KPTI

Hello Xishi,

On Sat, Jan 06, 2018 at 02:45:30PM +0800, Xishi Qiu wrote:
> How about this fix patch? I tested and it works.
> 
> diff --git a/arch/x86/kernel/tboot.c b/arch/x86/kernel/tboot.c
> index 088681d..f6c32f5 100644
> --- a/arch/x86/kernel/tboot.c
> +++ b/arch/x86/kernel/tboot.c
> @@ -131,6 +131,8 @@ static int map_tboot_page(unsigned long vaddr, unsigned long pfn,
>  	pud = pud_alloc(&tboot_mm, pgd, vaddr);
>  	if (!pud)
>  		return -1;
> +	if (__supported_pte_mask & _PAGE_NX)
> +		pgd->pgd &= ~_PAGE_NX;
>  	pmd = pmd_alloc(&tboot_mm, pud, vaddr);
>  	if (!pmd)
>  		return -1;

Oh great that you already verified this.

The only difference from the above to what I applied is that I didn't
check "__supported_pte_mask & _PAGE_NX", but that's superflous
here. It won't hurt to add it, your patch is fine as well.

The location where to do the NX clearing is the correct one and same
optimal place as in efi_64.c too (right after pud_alloc success).

Only the setting of NX requires verification that it's in the
__supported_pte_mask first, the clearing is always fine (worst case it
will do nothing).

On a side note, I already verified if NX is disabled (-cpu nx=off) the
pgd isn't NX poisoned in the first place, but clearing NX won't hurt
even in such case.

Thanks,
Andrea

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ