Message-ID: <20080908140423.GG11993@elte.hu>
Date:	Mon, 8 Sep 2008 16:04:23 +0200
From:	Ingo Molnar <mingo@...e.hu>
To:	Yan Li <elliot.li.tech@...il.com>
Cc:	linux-kernel@...r.kernel.org, joerg.roedel@....com,
	rjmaomao@...il.com, Yinghai Lu <yhlu.kernel@...il.com>,
	"H. Peter Anvin" <hpa@...or.com>,
	Thomas Gleixner <tglx@...utronix.de>
Subject: Re: [PATCH 1/2] VMware detection support for x86 and x86-64


* Yan Li <elliot.li.tech@...il.com> wrote:

> +/* Backdoor def from open-vm-tools/lib/include/backdoor_def.h */
> +#define BDOOR_MAGIC          0x564D5868
> +/* Low-bandwidth backdoor port. --hpreg */
> +#define BDOOR_PORT           0x5658
> +#define BDOOR_CMD_GETVERSION 10
> +#define VERSION_MAGIC        0x6
> +
> +/*
> + *  getVersion  -  Read VM version & product code through backdoor
> + */
> +void getVersion(u32 *version)
> +{
> +	u32 eax, ebx, ecx, edx;
> +
> +	asm volatile("inl (%%dx)" :
> +		     "=a"(eax), "=c"(ecx), "=d"(edx), "=b"(ebx) :
> +		     "0"(BDOOR_MAGIC), "1"(BDOOR_CMD_GETVERSION),
> +		     "2"(BDOOR_PORT) : "memory");
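Review bot: the `inl (%%dx)` at the end of the hunk is an unconditional read of I/O port 0x5658 (BDOOR_PORT) with no preceding check that the kernel is actually running under VMware, so on native hardware it touches whatever device, if any, decodes that port in the generic I/O range; the probe should be gated behind an indicator that is harmless on bare metal (a CPUID bit, a PCI ID or a DMI string), or dropped in favour of one of those. Minor: `void getVersion(u32 *version)` is non-static and camelCase, which is not kernel style; a `static` function with a snake_case, `vmware_`-prefixed name would fit better.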

hm, i know it's not your fault as you just took this vmware code, but 
this is really not an acceptable method of detection. The above is 
totally unsafe to do on native hardware - we don't know whether there's 
anything on that port.

vmware could have used one of the following methods to communicate to 
the guest kernel:

 - a CPUID and an MSR range - like a good virtual CPU should. That way 
   even bootloaders could detect the presence of vmware.
 - or a PCI ID and a PCI driver like KVM does
 - or a system call hypercall gateway like Xen and KVM do
 - or it could even have used a DMI signature of some sort

but no, vmware had to use 30-year-old unsafe ISA port magic...

To add insult to injury that port is named 'backdoor' - very smart and 
confidence-raising naming. Plus it does not even use some well-known PC 
port that is harmless to read - it has to be from the middle of the 
generic IO port resource range where a real PCI card could sit: 0x5658. 
Brilliant.

is there really no vmware PCI ID to query? Could you post the lspci -v 
output of your vmware guest? We could add an early-quirk for one of the 
core vmware PCI devices (in case there are any - i bet there are).

	Ingo