| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <a24a2c7d-cfab-a049-37e8-7260a9063a7c@citrix.com>
Date: Thu, 15 Aug 2019 21:59:03 +0100
From: Andrew Cooper <andrew.cooper3@...rix.com>
To: "Lendacky, Thomas" <Thomas.Lendacky@....com>,
"linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>,
"linux-doc@...r.kernel.org" <linux-doc@...r.kernel.org>,
"linux-pm@...r.kernel.org" <linux-pm@...r.kernel.org>,
"x86@...nel.org" <x86@...nel.org>
CC: Thomas Gleixner <tglx@...utronix.de>,
Ingo Molnar <mingo@...hat.com>, Borislav Petkov <bp@...en8.de>,
"Rafael J . Wysocki" <rjw@...ysocki.net>,
Pavel Machek <pavel@....cz>, Chen Yu <yu.c.chen@...el.com>,
Jonathan Corbet <corbet@....net>
Subject: Re: [PATCH] x86/CPU/AMD: Clear RDRAND CPUID bit on AMD family 15h/16h
On 14/08/2019 22:17, Lendacky, Thomas wrote:
> +static void init_hide_rdrand(struct cpuinfo_x86 *c)
> +{
> + /*
> + * The nordrand option can clear X86_FEATURE_RDRAND, so check for
> + * RDRAND support using the CPUID function directly.
> + */
> + if (!(cpuid_ecx(1) & BIT(30)) || rdrand_force)
> + return;
> +
> + msr_clear_bit(MSR_AMD64_CPUID_FN_00000001, 62);
> + clear_cpu_cap(c, X86_FEATURE_RDRAND);
> + pr_info_once("hiding RDRAND via CPUID\n");
If you're virtualised, the write to MSR_AMD64_CPUID_FN_1 almost
certainly won't take effect, which means userspace will still be able to
see the bit.
Best to leave everything untouched if you can't actually clear the bit.
All you can do is trust that your hypervisor knows what it is doing.
~Andrew
Powered by blists - more mailing lists