lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <a5d47668-3948-43f5-7327-2247e901ef35@redhat.com>
Date:   Thu, 21 Feb 2019 14:01:15 -0500
From:   Prarit Bhargava <prarit@...hat.com>
To:     Andi Kleen <ak@...ux.intel.com>,
        Peter Zijlstra <peterz@...radead.org>
Cc:     linux-kernel@...r.kernel.org, Thomas Gleixner <tglx@...utronix.de>,
        Ingo Molnar <mingo@...hat.com>, Borislav Petkov <bp@...en8.de>,
        "H. Peter Anvin" <hpa@...or.com>, x86@...nel.org,
        linux-doc@...r.kernel.org
Subject: Re: [PATCH] x86/fpu: Parse comma separated list passed in clearcpuid



On 2/21/19 1:58 PM, Andi Kleen wrote:
> On Thu, Feb 21, 2019 at 02:37:45PM +0100, Peter Zijlstra wrote:
>> On Thu, Feb 21, 2019 at 08:12:25AM -0500, Prarit Bhargava wrote:
>>> Users cannot disable multiple CPU features with the kernel parameter
>>> clearcpuid=.  For example, "clearcpuid=154 clearcpuid=227" only disables
>>> CPUID bit 154.
>>>
>>> Previous to commit 0c2a3913d6f5 ("x86/fpu: Parse clearcpuid= as early XSAVE
>>> argument") it was possible to pass multiple clearcpuid options as kernel
>>> parameters using individual entries.  With the new code it isn't easy to
>>> replicate exactly that behaviour but a comma separated list can be easily
>>> implemented, eg) "clearcpuid=154,227"
>>>
>>> Make the clearcpuid parse a comma-separated list of values instead of only
>>> a single value.
>>
>> So I think the feature is broken as is; because it doesn't clear the
>> CPUID bits for userspace.
> 
> Usually it's enough to make the kernel stop using something. I used it many 
> times for this.
> 
> People who want to affect user space usually run VMs anyways.

Disabling AVX and/or AVX512, SMT and SMX are all use cases.  Andi is correct --
this is to stop the kernel from using the feature.  The Documentation is clear
on that:

Also note that user programs calling CPUID directly
or using the feature without checking anything
will still see it. This just prevents it from
being used by the kernel or shown in /proc/cpuinfo.

P.

> 
> -Andi
> 

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ