lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <20110517085327.GG22093@elte.hu>
Date:	Tue, 17 May 2011 10:53:27 +0200
From:	Ingo Molnar <mingo@...e.hu>
To:	Huang Ying <ying.huang@...el.com>
Cc:	Don Zickus <dzickus@...hat.com>,
	huang ying <huang.ying.caritas@...il.com>,
	"linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>,
	Andi Kleen <andi@...stfloor.org>,
	Robert Richter <robert.richter@....com>,
	Andi Kleen <ak@...ux.intel.com>, Borislav Petkov <bp@...en8.de>
Subject: Re: [RFC] x86, NMI, Treat unknown NMI as hardware error


* Huang Ying <ying.huang@...el.com> wrote:

> On 05/16/2011 07:29 PM, Ingo Molnar wrote:
> > 
> > * Don Zickus <dzickus@...hat.com> wrote:
> > 
> >> On Fri, May 13, 2011 at 05:20:33PM +0200, Ingo Molnar wrote:
> >>>
> >>> * huang ying <huang.ying.caritas@...il.com> wrote:
> >>>
> >>>>> What should be done instead is to add an event for unknown NMIs, which can 
> >>>>> then be processed by the RAS daemon to implement policy.
> >>>>>
> >>>>> By using 'active' event filters it could even be set on a system to panic 
> >>>>> the box by default.
> >>>>
> >>>> If there is real fatal hardware error, maybe we have no luxury to go from NMI 
> >>>> handler to user space RAS daemon to determine what to do. System may explode, 
> >>>> bad data may go to disk before that.
> >>>
> >>> That is why i suggested:
> >>>
> >>>   > > By using 'active' event filters it could even be set on a system to panic 
> >>>   > > the box by default.
> >>>
> >>> event filters are evaluated in the kernel, so the panic could be instantaneous, 
> >>> without the event having to reach user-space.
> >>
> >> Interesting.  Question though, what do you mean by 'event filtering'.  Is 
> >> that different then setting 'unknown_nmi_panic' panic on the commandline or 
> >> procfs?
> >>
> >> Or are you suggesting something like registering another callback on the 
> >> die_chain that looks for DIE_NMIUNKNOWN as the event, swallows them and 
> >> implements the policy?  That way only on HEST related platforms would 
> >> register them while others would keep the default of 'Dazed and confused' 
> >> messages?
> > 
> > The idea is that "event filters", which are an existing upstream feature and 
> > which can be used in rather flexible ways:
> > 
> >   http://lkml.org/lkml/2011/4/27/660
> > 
> > Could be used to trigger non-standard policy action as well - such as to panic 
> > the box.
> > 
> > This would replace various very limited /debugfs and /sys event filtering hacks 
> > (and hardcoded policies) such as arch/x86/kernel/cpu/mcheck/mce-severity.c, and 
> > it would allow nonstandard behavior like 'panic the box on unknown NMIs' as 
> > well.
> > 
> > This could be set by the RAS daemon, and it could be propagated to the kernel 
> > boot line as well, where event filter syntax would look like this:
> > 
> >   events=nmi::unknown"if (reason == 0) panic();"
> > 
> > (Where the 'reason' field of the NMI event is the current legacy 'reason' value 
> > there.)
> > 
> > The filter code would have to be modified to be able to recognize the panic() 
> > bit, but that's desirable anyway and it is a one-time effort.
> > 
> > This:
> > 
> >   events=nmi::unknown:"if (reason == 0) ignore();"
> > 
> > would be a possible outcome as well, on certain boxes - to skip certain events.
> 
> We can determine whether NMI is unknown in kernel now.  If you want to push 
> all unknown NMI logic into user space (although I don't think that is the 
> best solution), is it not sufficient that just check system in user space 
> (via PCI ID or DMI ID, etc) and set existing "unknown_nmi_panic" accordingly?

yeah - no need to push the 'reason' if it's not needed.

We want the kernel defaults to be sane - i.e. this is not to 'push' anything to 
user-space in a forced way, this is to make *optional*, different policy action 
possible to configure.

For example the weird hack in arch/x86/kernel/cpu/mcheck/mce-severity.c would 
be handled via a set of default filters. The debugfs mce-severity hack API 
would go away, it could all be configured in the same way (and more) by using 
persistent events and such active filters.

That's roughly the direction the MCE code should take IMO.

Thanks,

	Ingo
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ