lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <f0fc93ca-ba1d-2570-5d79-0c02ee388f9d@citrix.com>
Date:   Fri, 16 Feb 2018 00:45:35 +0000
From:   Andrew Cooper <andrew.cooper3@...rix.com>
To:     Nadav Amit <nadav.amit@...il.com>,
        Dave Hansen <dave.hansen@...ux.intel.com>
Cc:     Ingo Molnar <mingo@...hat.com>,
        Thomas Gleixner <tglx@...utronix.de>,
        Andy Lutomirski <luto@...nel.org>,
        Peter Zijlstra <peterz@...radead.org>,
        Willy Tarreau <w@....eu>, x86@...nel.org,
        linux-kernel@...r.kernel.org
Subject: Re: [PATCH RFC v2 0/6] x86: Disabling PTI in compatibility mode

On 16/02/2018 00:25, Nadav Amit wrote:
> Dave Hansen <dave.hansen@...ux.intel.com> wrote:
>
>> On 02/15/2018 08:35 AM, Nadav Amit wrote:
>>> I removed the PTI disabling while SMEP is unsupported, although I
>>> must admit I did not fully understand why it is required.
>> Do you mean you don't fully understand how PTI gives SMEP-like behavior
>> on non-SMEP hardware?
> No. I understand how it provide SMEP-like behavior, and I understand the value
> of SMEP by itself.
>
> However, I do not understand why SMEP-like protection is required to protect
> processes that run in compatibility-mode from Meltdown/Spectre attacks. As
> far as I understand, the process should not be able to manipulate the kernel
> to execute code in the low 4GB.

Being 32bit is itself sufficient protection against Meltdown (as long as
there nothing interesting of the kernels mapped below the 4G boundary).

However, a 32bit compatibility process try to attack with Spectre/SP2 to
redirect speculation back into userspace, at which point (if successful)
the pipeline will be speculating in 64bit mode, and Meltdown is back on
the table.  SMEP will block this attack vector, irrespective of other
SP2 defences the kernel may employ, but a fully SP2-defended kernel
doesn't require SMEP to be safe in this case.

~Andrew

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ