[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-Id: <20161224013745.108716-1-ricardo.neri-calderon@linux.intel.com>
Date: Fri, 23 Dec 2016 17:37:38 -0800
From: Ricardo Neri <ricardo.neri-calderon@...ux.intel.com>
To: Ingo Molnar <mingo@...hat.com>,
Thomas Gleixner <tglx@...utronix.de>,
Borislav Petkov <bp@...e.de>,
Andy Lutomirski <luto@...nel.org>,
Peter Zijlstra <peterz@...radead.org>
Cc: linux-kernel@...r.kernel.org, x86@...nel.org,
<linux-msdos@...r.kernel.org>, <wine-devel@...ehq.org>,
Ricardo Neri <ricardo.neri-calderon@...ux.intel.com>,
Andrew Morton <akpm@...ux-foundation.org>,
Brian Gerst <brgerst@...il.com>,
Chen Yucong <slaoub@...il.com>,
Chris Metcalf <cmetcalf@...lanox.com>,
Dave Hansen <dave.hansen@...ux.intel.com>,
Fenghua Yu <fenghua.yu@...el.com>,
Huang Rui <ray.huang@....com>, Jiri Slaby <jslaby@...e.cz>,
Jonathan Corbet <corbet@....net>,
"Michael S . Tsirkin" <mst@...hat.com>,
Paul Gortmaker <paul.gortmaker@...driver.com>,
"Ravi V . Shankar" <ravi.v.shankar@...el.com>,
Vlastimil Babka <vbabka@...e.cz>,
Shuah Khan <shuah@...nel.org>,
Paolo Bonzini <pbonzini@...hat.com>,
Liang Z Li <liang.z.li@...el.com>
Subject: [v2 0/7] x86: enable User-Mode Instruction Prevention
This is v2 of my first submission done a while ago[1]. I apologize for the
delay.
User-Mode Instruction Prevention (UMIP) is a security feature present in
new Intel Processors. If enabled, it prevents the execution of certain
instructions if the Current Privilege Level (CPL) is greater than 0. If
these instructions were executed while in CPL > 0, user space applications
could have access to system-wide settings such as the global and local
descriptor tables, the segment selectors to the current task state and the
local descriptor table.
These are the instructions covered by UMIP:
* SGDT - Store Global Descriptor Table
* SIDT - Store Interrupt Descriptor Table
* SLDT - Store Local Descriptor Table
* SMSW - Store Machine Status Word
* STR - Store Task Register
If any of these instructions is executed with CPL > 0, a general protection
exception is issued when UMIP is enabled.
There is a caveat, however. Certain applications rely on some of these
instructions to function. An example of this are applications that use
WineHQ[2]. For instance, these applications rely on sidt returning a non-
accesible memory location[3]. During the discussions, it was proposed that
the fault could be relied to the user-space and perform the emulation in
user-mode. However, this would break existing applications until, for
instance, they update to a new WineHQ version. However, this approach
would require UMIP to be disabled by default. The concensus in this forum
is to always enable it.
This patchset initially treated tasks running in virtual-8086 mode as a
special case. However, I received clarification that DOSEMU[4] does not
support applications that use these instructions. It relies on WineHQ for
this[4]. Furthermore, the applications for which the concern was raised
run in protected mode [3].
This version keeps UMIP enabled at all times and by default. If a general
protection fault caused by the instructions protected by UMIP is
detected, such fault will be fixed-up by returning dummy values as follows:
* SGDT and SIDT return a base address to a dummy location in kernel memory
and a limit of 0.
* STR, SLDT returns 0 as the segment selector. This seems OK since we are
providing a dummy value as the base address of the global descriptor
table.
* SMSW returns 0.
Lastly, I found very useful the code for Intel MPX (Memory Protection
Extensions) used to parse opcodes and the memory locations contained in the
general purpose registers when used as operands. I put some of this code in
a separate file that both MPX and UMIP can access and avoid code
duplication. While here, I fixed two small bugs that I found in the MPX
implementation.
The code that I used to test the emulated instructions can be found in [6].
[1]. https://lwn.net/Articles/705877/
[2]. https://www.winehq.org/
[3]. https://www.winehq.org/pipermail/wine-devel/2016-November/115320.html
[4]. http://www.dosemu.org/
[5]. http://marc.info/?l=linux-kernel&m=147876798717927&w=2
[6]. https://github.com/01org/luv-yocto/tree/rneri/umip/meta-luv/recipes-core/umip/files
Thanks and BR,
Ricardo
Cc: Andy Lutomirski <luto@...nel.org>
Cc: Andrew Morton <akpm@...ux-foundation.org>
Cc: Borislav Petkov <bp@...e.de>
Cc: Brian Gerst <brgerst@...il.com>
Cc: Chen Yucong <slaoub@...il.com>
Cc: Chris Metcalf <cmetcalf@...lanox.com>
Cc: Dave Hansen <dave.hansen@...ux.intel.com>
Cc: Fenghua Yu <fenghua.yu@...el.com>
Cc: Huang Rui <ray.huang@....com>
Cc: Jiri Slaby <jslaby@...e.cz>
Cc: Jonathan Corbet <corbet@....net>
Cc: Michael S. Tsirkin <mst@...hat.com>
Cc: Paul Gortmaker <paul.gortmaker@...driver.com>
Cc: Peter Zijlstra <peterz@...radead.org>
Cc: Ravi V. Shankar <ravi.v.shankar@...el.com>
Cc: Vlastimil Babka <vbabka@...e.cz>
Cc: Shuah Khan <shuah@...nel.org>
Cc: Paolo Bonzini <pbonzini@...hat.com>
Cc: Liang Z Li <liang.z.li@...el.com>
Cc: x86@...nel.org
Cc: linux-msdos@...r.kernel.org
Changes since V1:
* Virtual-8086 mode tasks are not treated in a special manner. All code
for this purpose was removed.
* Instead of attempting to disable UMIP during a context switch or when
entering virtual-8086 mode, UMIP remains enabled all the time. General
protection faults that occur are fixed-up by returning dummy values as
detailed above.
* Removed umip= kernel parameter in favor of using clearcpuid=514 to
disable UMIP.
* Removed selftests designed to detect the absence of SIGSEGV signals when
running in virtual-8086 mode.
* Reused code from MPX to decode instructions operands. For this purpose
code was put in a common location.
* Fixed two bugs in MPX code that decodes operands.
Ricardo Neri (7):
x86/mpx: Do not use SIB index if index points to R/ESP
x86/mpx: Fail when implicit zero-displacement is used along with R/EBP
x86/mpx, x86/insn: Relocate insn util functions to a new insn-utils
x86/cpufeature: Add User-Mode Instruction Prevention definitions
x86: Add emulation code for UMIP instructions
x86/traps: Fixup general protection faults caused by UMIP
x86: Enable User-Mode Instruction Prevention
arch/x86/Kconfig | 10 ++
arch/x86/include/asm/cpufeatures.h | 1 +
arch/x86/include/asm/disabled-features.h | 8 +-
arch/x86/include/asm/insn.h | 6 +
arch/x86/include/asm/umip.h | 16 +++
arch/x86/include/uapi/asm/processor-flags.h | 2 +
arch/x86/kernel/Makefile | 1 +
arch/x86/kernel/cpu/common.c | 16 ++-
arch/x86/kernel/traps.c | 4 +
arch/x86/kernel/umip.c | 170 ++++++++++++++++++++++++++++
arch/x86/lib/Makefile | 2 +-
arch/x86/lib/insn-utils.c | 148 ++++++++++++++++++++++++
arch/x86/mm/mpx.c | 119 +------------------
13 files changed, 382 insertions(+), 121 deletions(-)
create mode 100644 arch/x86/include/asm/umip.h
create mode 100644 arch/x86/kernel/umip.c
create mode 100644 arch/x86/lib/insn-utils.c
--
2.9.3
Powered by blists - more mailing lists