lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-Id: <6A4C8FFC-0A4E-4374-B276-DE5A751BDB72@gmail.com>
Date:   Wed, 23 Nov 2016 08:42:40 -0800
From:   Tony Luck <tony.luck@...il.com>
To:     Borislav Petkov <bp@...e.de>
Cc:     Henrique de Moraes Holschuh <hmh@....eng.br>,
        "Luck, Tony" <tony.luck@...el.com>,
        Andi Kleen <andi@...stfloor.org>,
        Ashok Raj <ashok.raj@...el.com>, linux-kernel@...r.kernel.org
Subject: Re: [PATCH v2] x86/mce: Include the PPIN in machine check records when it is available

If the BIOS writes 10b, then PPIN is disabled and will remain so until the processor is reset. Bit 1 is a one way trip, it can be set by s/w, but not cleared again.

All this is because of the huge stink last time Intel tried to add a serial number to CPUs a decade and a half ago. The lockout bit is so that this can be turned off in a way that you can be sure that it can't be turned on again.

-Tony

Sent from my iPhone

> On Nov 23, 2016, at 06:05, Borislav Petkov <bp@...e.de> wrote:
> 
>> On Wed, Nov 23, 2016 at 02:37:23PM +0100, Borislav Petkov wrote:
>> You can't reenable it:
>> 
>> "LockOut (R/WO)
>> Set 1 to prevent further writes to MSR_PPIN_CTL. Writing 1 to
>> MSR_PPINCTL[bit 0] is permitted only if MSR_PPIN_CTL[bit 1] is
>> clear, Default is 0."
> 
> Well, almost.
> 
> "Enable_PPIN (R/W)
> If 1, enables MSR_PPIN to be accessible using RDMSR. Once set,
> attempt to write 1 to MSR_PPIN_CTL[bit 0] will cause #GP.
> If 0, an attempt to read MSR_PPIN will cause #GP. Default is 0."
> 
> Frankly, I don't get what the deal behind that locking out is. And it
> says that BIOS should provide an opt-in so that agent can read the PPIN
> and then that agent should *disable* it again by writing 01b to the CTL
> MSR.
> 
> But then the first paragraph above says that the write
> MSR_PPIN_CTL[0]=1b will #GP because MSR_PPIN_CTL[1] will be 1 for the
> agent to read out MSR_PPIN first.
> 
> I guess we need to write a 00b first to disable PPIN and then write 01b
> to lock it out.
> 
> So AFAIU, the steps will be:
> 
> * BIOS writes 10b
> * agent reads MSR_PPIN
> * agent writes 00b to disable MSR_PPIN
> * agent writes 01b because bit 1 is clear now and it won't #GP.
> 
> Meh...
> 
> -- 
> Regards/Gruss,
>    Boris.
> 
> SUSE Linux GmbH, GF: Felix Imendörffer, Jane Smithard, Graham Norton, HRB 21284 (AG Nürnberg)
> -- 

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ