lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20200115021545.GD11244@42.do-not-panic.com>
Date:   Wed, 15 Jan 2020 02:15:45 +0000
From:   Luis Chamberlain <mcgrof@...nel.org>
To:     Jari Ruusu <jari.ruusu@...il.com>
Cc:     Borislav Petkov <bp@...en8.de>, Fenghua Yu <fenghua.yu@...el.com>,
        Linus Torvalds <torvalds@...ux-foundation.org>,
        johannes.berg@...el.com, linux-kernel@...r.kernel.org,
        stable@...r.kernel.org, Hans de Goede <hdegoede@...hat.com>,
        Andy Lutomirski <luto@...nel.org>
Subject: Re: Fix built-in early-load Intel microcode alignment

On Mon, Jan 13, 2020 at 09:58:25PM +0200, Jari Ruusu wrote:
> On 1/13/20, Luis Chamberlain <mcgrof@...nel.org> wrote:
> > So what happens with you use the built-in firmware loader for
> > the Intel microcode at this time? I am surprised this issue
> > wasn't reported earlier, so thanks for picking it up, but to
> > be complete such a change requires a bit more information.
> >
> > What exactly happens now?
> 
> Before that 16-byte alignment patch was applied, my only one
> microcode built-in BLOB was "accidentally" 16-byte aligned.

How did it accidentially get 16-byte aligned?

Also, how do you *know* something is broken right now? I mean
you issued a patch for stable. I thought you hit a panic or
some issue while loading. If we are not sure this fixes a real
issue as of yet, I can't see the merit for propagating a fix
to stable.

> After that patch was applied, new kernel System.map file was
> exactly same. So, for me that patch did not change anything.
> 
> Same 16-byte alignment before and after patch:
> 
> $  grep " _fw_.*_bin" System.map
> ffffffff81f55e90 r _fw_intel_ucode_06_8e_09_bin
> 
> >> Fix this by forcing all built-in firmware BLOBs to 16-byte
> >> alignment.
> >
> > That's a huge stretch, see below.
> 
> I understand and to some degree agree.
> 
> > So I'd like to determine first if we really need this.
> 
> We do need it. Violating Intel specs is not good. It may be that
> some processor models require aligned and some accept less
> aligned.

Fair point. A fix to follow the spec is however different than to say
without it things don't work, and we need to propagate a fix to stable
kernels.

> > If set as a global new config option, we can use the same logic and
> > allow an architecture override if the user / architecture kconfig
> > configures it such:
> >
> > config ARCH_DEFAULT_FIRMWARE_ALIGNMENT
> > 	string "Default architecture firmware aligmnent"
> > 	"4" if 64BIT
> > 	"3" if !64BIT
> >
> > config FIRMWARE_BUILTIN_ALIGN
> > 	string "Built in firmware aligment requirement"
> > 	default ARCH_DEFAULT_FIRMWARE_ALIGNMENT if !ARCH_CUSTOM_FIRMWARE_ALIGNMENT
> > 	default ARCH_CUSTOM_FIRMWARE_ALIGNMENT_VAL if
> > ARCH_CUSTOM_FIRMWARE_ALIGNMENT
> > 	  Some good description goes here
> >
> > Or something like that.
> 
> It doesn't have to user visible config option, only default align
> changed when selected set of options are enabled.

Right, I didn't intend for it to be visible really. It was just an
example of kconfig magic how perhaps how to define this if we needed
something configurable per arch.

> My patch was intentionally minimal, without #ifdef spaghetti.

Thanks for it. We just need to dust it off a bit now.

  Luis

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ