lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date:   Wed, 8 Nov 2017 21:51:13 -0800
From:   Ricardo Neri <>
To:     Ingo Molnar <>
Cc:     Ingo Molnar <>,
        Thomas Gleixner <>,
        "H. Peter Anvin" <>,
        Andy Lutomirski <>,
        Borislav Petkov <>,
        Peter Zijlstra <>,
        Andrew Morton <>,
        Brian Gerst <>,
        Chris Metcalf <>,
        Dave Hansen <>,
        Paolo Bonzini <>,
        Masami Hiramatsu <>,
        Huang Rui <>, Jiri Slaby <>,
        Jonathan Corbet <>,
        "Michael S. Tsirkin" <>,
        Paul Gortmaker <>,
        Vlastimil Babka <>,
        Chen Yucong <>,
        "Ravi V. Shankar" <>,
        Shuah Khan <>,,,,
        Tony Luck <>,
        Fenghua Yu <>
Subject: Re: [PATCH v11 09/12] x86: Enable User-Mode Instruction Prevention
 at runtime

On Wed, Nov 08, 2017 at 10:52:59AM +0100, Ingo Molnar wrote:
> * Ricardo Neri <> wrote:
> > User-Mode Instruction Prevention (UMIP) is enabled by setting/clearing a
> > bit in %cr4.
> > 
> > It makes sense to enable UMIP at some point while booting, before user
> > spaces come up. Like SMAP and SMEP, is not critical to have it enabled
> > very early during boot. This is because UMIP is relevant only when there is
> > a user space to be protected from. Given these similarities, UMIP can be
> > enabled along with SMAP and SMEP.
> > 
> > At the moment, UMIP is disabled by default at build time. It can be enabled
> > at build time by selecting CONFIG_X86_INTEL_UMIP. If enabled at build time,
> > it can be disabled at run time by adding clearcpuid=514 to the kernel
> > parameters.
> > +config X86_INTEL_UMIP
> > +	def_bool n
> > +	depends on CPU_SUP_INTEL
> > +	prompt "Intel User Mode Instruction Prevention" if EXPERT
> > +	---help---
> > +	  The User Mode Instruction Prevention (UMIP) is a security
> > +	  feature in newer Intel processors. If enabled, a general
> > +	  protection fault is issued if the instructions SGDT, SLDT,
> > +	  SIDT, SMSW and STR are executed in user mode.
> Ok, I really like this latest series.


> One small request: could you please make the feature default-y, which is what we 
> do for new hardware features that don't have a significant runtime cost. There's 
> no ABI breakage expected, right?

No, no ABI breakage should happen. The only visible change is that processes running
in user long mode will see a SIGSEGV signal if they try to use any of the instructions
that UMIP protects. Also, any process using SLDT or or STR will see the SIGSEGV signal.

I will submit an extra patch to do this default-y.
> Another request: could you please extend the Kconfig description to _explain_ to 
> the user why this feature is useful - in a short sentence or so. I.e. point out 
> that these instructions expose information about hardware state that is not really 
> necessary for the vast majority of applications.

Sure, I will submit an extra with this explanation.
> Plus:
> > +       cr4_set_bits(X86_CR4_UMIP);
> Please also inform admins that it's enabled, via something like:
> 	pr_info("x86/cpu: Activated the Intel User Mode Instruction Prevention (UMIP) CPU feature\n");

Will do.
> ... or so.
> Please do these changes in a separate add-on patch #13 on top of this series, as 
> I've already started testing these bits.


Thanks and BR,

Powered by blists - more mailing lists