| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 7 Feb 2013 09:53:45 -0800 From: Andy Lutomirski <luto@...capital.net> To: Joerg Roedel <joro@...tes.org> Cc: Gleb Natapov <gleb@...hat.com>, LKML <linux-kernel@...r.kernel.org>, x86@...nel.org, "H. Peter Anvin" <hpa@...or.com>, Alex Williamson <alex.williamson@...hat.com>, Don Zickus <dzickus@...hat.com>, Prarit Bhargava <prarit@...hat.com>, David Woodhouse <dwmw2@...radead.org> Subject: Re: [PATCH] intel_iommu: Disable vfio and kvm interrupt assignment when unsafe On Thu, Feb 7, 2013 at 9:27 AM, Joerg Roedel <joro@...tes.org> wrote: > On Thu, Feb 07, 2013 at 08:29:42AM -0800, Andy Lutomirski wrote: >> On Thu, Feb 7, 2013 at 3:33 AM, Joerg Roedel <joro@...tes.org> wrote: >> > On Wed, Feb 06, 2013 at 07:08:24PM -0800, Andy Lutomirski wrote: >> >> - if (x2apic_present) >> >> - WARN(1, KERN_WARNING >> >> - "Failed to enable irq remapping. You are vulnerable to irq-injection attacks.\n"); >> >> - >> >> + irq_remapping_is_secure = 0; >> >> return -1; >> >> } >> > >> > Why do you remove this warning? It seems unrelated to the rest of the >> > patch. >> >> The idea is that setting irq_remapping_is_secure = 0 makes you (much >> less) vulnerable to irq-injection attacks: you're vulnerable to >> malicious hardware but not to attack via vfio or kvm, because those >> paths are disabled. >> >> I'd have no problem leaving the warning in and letting whoever manages >> to trigger it and get annoyed fix it. FWIW, it's actually likely to >> be interesting if the warning hits. > > Hmm, looking into the intel_irq_remapping.c version in the tip tree > makes me wonder even more. Is this the version I'm based on (intel_irq_remapping: Clean up x2apic optout security warning mess), or something else? > > First, I wonder why the warning only hits when an x2apic is present. The > function is not x2apic-specific and the vulnerability also exists in > xapic mode. So that dependency can be removed. > > Second, I think that it should be a pr_warn instead of a full WARN. When > IRQ remapping could not be enabled it's most likely because of the BIOS > or the hardware. So a message in the kernel log will do and the > backtrace provides no additional value. > Which warning are you referring to? Unless I'm failing at reading code this morning, the result of this patch has no such warning. > Same is true for the warning in the function iommu_set_irq_remapping(): > > if (sts & DMA_GSTS_CFIS) > WARN(1, KERN_WARNING > "Compatibility-format IRQs enabled despite intr remapping;\n" > "you are vulnerable to IRQ injection.\n"); > > From what I can see this condition depends only on the hardware too. So > a simple pr_warn() provides the same amount of information. > What's the general rule here? If this warning hits, then my understanding of the Intel VT-d spec is wrong, and I don't think that firmware can cause it. A buggy hypervisor could, I suppose. --Andy -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists