| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 8 Nov 2017 21:51:13 -0800
From: Ricardo Neri <ricardo.neri-calderon@...ux.intel.com>
To: Ingo Molnar <mingo@...nel.org>
Cc: Ingo Molnar <mingo@...hat.com>,
Thomas Gleixner <tglx@...utronix.de>,
"H. Peter Anvin" <hpa@...or.com>,
Andy Lutomirski <luto@...nel.org>,
Borislav Petkov <bp@...e.de>,
Peter Zijlstra <peterz@...radead.org>,
Andrew Morton <akpm@...ux-foundation.org>,
Brian Gerst <brgerst@...il.com>,
Chris Metcalf <cmetcalf@...lanox.com>,
Dave Hansen <dave.hansen@...ux.intel.com>,
Paolo Bonzini <pbonzini@...hat.com>,
Masami Hiramatsu <mhiramat@...nel.org>,
Huang Rui <ray.huang@....com>, Jiri Slaby <jslaby@...e.cz>,
Jonathan Corbet <corbet@....net>,
"Michael S. Tsirkin" <mst@...hat.com>,
Paul Gortmaker <paul.gortmaker@...driver.com>,
Vlastimil Babka <vbabka@...e.cz>,
Chen Yucong <slaoub@...il.com>,
"Ravi V. Shankar" <ravi.v.shankar@...el.com>,
Shuah Khan <shuah@...nel.org>, linux-kernel@...r.kernel.org,
x86@...nel.org, ricardo.neri@...el.com,
Tony Luck <tony.luck@...el.com>,
Fenghua Yu <fenghua.yu@...el.com>
Subject: Re: [PATCH v11 09/12] x86: Enable User-Mode Instruction Prevention
at runtime
On Wed, Nov 08, 2017 at 10:52:59AM +0100, Ingo Molnar wrote:
>
> * Ricardo Neri <ricardo.neri-calderon@...ux.intel.com> wrote:
>
> > User-Mode Instruction Prevention (UMIP) is enabled by setting/clearing a
> > bit in %cr4.
> >
> > It makes sense to enable UMIP at some point while booting, before user
> > spaces come up. Like SMAP and SMEP, is not critical to have it enabled
> > very early during boot. This is because UMIP is relevant only when there is
> > a user space to be protected from. Given these similarities, UMIP can be
> > enabled along with SMAP and SMEP.
> >
> > At the moment, UMIP is disabled by default at build time. It can be enabled
> > at build time by selecting CONFIG_X86_INTEL_UMIP. If enabled at build time,
> > it can be disabled at run time by adding clearcpuid=514 to the kernel
> > parameters.
>
> > +config X86_INTEL_UMIP
> > + def_bool n
> > + depends on CPU_SUP_INTEL
> > + prompt "Intel User Mode Instruction Prevention" if EXPERT
> > + ---help---
> > + The User Mode Instruction Prevention (UMIP) is a security
> > + feature in newer Intel processors. If enabled, a general
> > + protection fault is issued if the instructions SGDT, SLDT,
> > + SIDT, SMSW and STR are executed in user mode.
>
> Ok, I really like this latest series.
Thanks!
>
> One small request: could you please make the feature default-y, which is what we
> do for new hardware features that don't have a significant runtime cost. There's
> no ABI breakage expected, right?
No, no ABI breakage should happen. The only visible change is that processes running
in user long mode will see a SIGSEGV signal if they try to use any of the instructions
that UMIP protects. Also, any process using SLDT or or STR will see the SIGSEGV signal.
I will submit an extra patch to do this default-y.
>
> Another request: could you please extend the Kconfig description to _explain_ to
> the user why this feature is useful - in a short sentence or so. I.e. point out
> that these instructions expose information about hardware state that is not really
> necessary for the vast majority of applications.
Sure, I will submit an extra with this explanation.
>
> Plus:
>
> > + cr4_set_bits(X86_CR4_UMIP);
>
> Please also inform admins that it's enabled, via something like:
>
> pr_info("x86/cpu: Activated the Intel User Mode Instruction Prevention (UMIP) CPU feature\n");
Will do.
>
> ... or so.
>
> Please do these changes in a separate add-on patch #13 on top of this series, as
> I've already started testing these bits.
Sure.
Thanks and BR,
Ricardo
Powered by blists - more mailing lists