lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20200526172403.GA14256@invisiblethingslab.com>
Date:   Tue, 26 May 2020 19:24:03 +0200
From:   Wojtek Porczyk <woju@...isiblethingslab.com>
To:     Greg KH <gregkh@...uxfoundation.org>,
        Andi Kleen <ak@...ux.intel.com>
Cc:     Andi Kleen <andi@...stfloor.org>, x86@...nel.org,
        keescook@...omium.org, linux-kernel@...r.kernel.org,
        sashal@...nel.org, stable@...r.kernel.org
Subject: Re: [PATCH v1] x86: Pin cr4 FSGSBASE

On Tue, May 26, 2020 at 06:32:35PM +0200, Greg KH wrote:
> On Tue, May 26, 2020 at 08:48:35AM -0700, Andi Kleen wrote:
> > On Tue, May 26, 2020 at 08:56:18AM +0200, Greg KH wrote:
> > > On Mon, May 25, 2020 at 10:28:48PM -0700, Andi Kleen wrote:
> > > > From: Andi Kleen <ak@...ux.intel.com>
> > > > 
> > > > Since there seem to be kernel modules floating around that set
> > > > FSGSBASE incorrectly, prevent this in the CR4 pinning. Currently
> > > > CR4 pinning just checks that bits are set, this also checks
> > > > that the FSGSBASE bit is not set, and if it is clears it again.
> > > 
> > > So we are trying to "protect" ourselves from broken out-of-tree kernel
> > > modules now?  
> > 
> > Well it's a specific case where we know they're opening a root hole
> > unintentionally. This is just an pragmatic attempt to protect the users in the 
> > short term.
> 
> Can't you just go and fix those out-of-tree kernel modules instead?
> What's keeping you all from just doing that instead of trying to force
> the kernel to play traffic cop?

We'd very much welcome any help really, but we're under impression that this
couldn't be done correctly in a module, so this hack occured.

This was written in 2015 as part of original (research) codebase for those
reasons:
- A module is easier to deploy by scientists, who are no kernel developers and
  no sysadmins either, so applying patchset and recompiling kernel is a big
  ask.
- It has no implications on security in SGX/Graphene threat model and in
  expected deployment scenario.
- This had no meaning to the actual research being done, so it wasn't cared
  about.

Let me expand the second point, because I understand both the module and the
explanation looks wrong.

Graphene is intended to be run in a cloud, where the CPU time is sold in
a form of virtual machine, so the VM kernel, which would load this module, is
not trusted by hardware owner, so s/he don't care. But the owner of the
enclave also doesn't care, because SGX' threat model assumes adversary who is
capable of arbitrary code execution in both kernel and userspace outside
enclave. So the kernel immediately outside the enclave is a no-man's land,
untrusted by both sides and forsaken, reduced to a compatibility layer
between x86 and ELF.

I acknowledge this is unusual threat model and certainly to mainline
developers, who rarely encounter userspace that is more trusted than kernel.

What we've failed at is to properly explain this, because if someone loads
this module outside of this expected scenario, will certainly be exposed to
a gaping root hole. Therefore we acknowledge this patch and as part of
Graphene we'll probably maintain a patchset, until the support is upstream.
Right now this will take us some time to change from our current kernel
interfaces.


-- 
pozdrawiam / best regards
Wojtek Porczyk
Graphene / Invisible Things Lab
 
 I do not fear computers,
 I fear lack of them.
    -- Isaac Asimov

Download attachment "signature.asc" of type "application/pgp-signature" (834 bytes)

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ