lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date:   Fri, 12 Jun 2020 10:43:07 -0700
From:   Sean Christopherson <>
To:     Borislav Petkov <>
Cc:     x86-ml <>,
        Linus Torvalds <>,
        lkml <>
Subject: Re: [RFC PATCH] x86/msr: Filter MSR writes

On Fri, Jun 12, 2020 at 07:03:03PM +0200, Borislav Petkov wrote:
> On Fri, Jun 12, 2020 at 09:57:09AM -0700, Sean Christopherson wrote:
> > DS_AREA takes a virtual (linear) address, i.e. the address can be legal from
> > the CPUs perspective but still lead to a #PF due to the address not being
> > mapped in the page tables.
> It's not that - peterz and tglx - and I assume you meant that too - you
> all want to taint on the very *attempt* to WRMSR, regardless of whether
> the MSR exists or not.
> I don't necessarily agree with that because I don't think we should
> taint when the MSR doesn't exist but if you all want it, sure, whatever.
> I don't care that deeply.

The problem is a fault on WRMSR doesn't mean the MSR doesn't exist, it only
means WRMSR faulted.  WRMSR can for all intents and purpose trigger completely
arbitrary microcode flows, e.g. WRMSR 0x79 can fundamentally change the
behavior of the CPU.

And it's not like the WRMSR->taint is atomic, e.g. changing a platform scoped
MSR that affects voltage settings or something of that nature could easily
tank the system on a successful WRMSR before the kernel can be marked tainted.

> > So users don't have to unload and reload the module just to enable or
> > disable writes.  I don't think it changes the protections in any way, a
> > priveleged user still needs to explicitly toggle the control.
> There's /sys/module/msr/parameters/. A privileged user can do whatever.
> A non-privileged should not disable that.

0400 only allows a privelged user to read the parameter, e.g. for parameters
that are snapshotted at module load time and/or changing the param while the
module is running would cause breakage.

0600 allows a priveleged user to read and write the parameter, which AFAICT
is safe here.

0644 allows a priveleged user to read and write the parameter, and allows an
unpriveleged user to read the param.  

> -- 
> Regards/Gruss,
>     Boris.

Powered by blists - more mailing lists