| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 14 Jul 2020 17:51:30 -0700
From: Sean Christopherson <sean.j.christopherson@...el.com>
To: Dave Hansen <dave.hansen@...el.com>
Cc: Pawan Gupta <pawan.kumar.gupta@...ux.intel.com>,
Borislav Petkov <bp@...en8.de>,
Thomas Gleixner <tglx@...utronix.de>,
Ingo Molnar <mingo@...hat.com>, x86@...nel.org,
"H. Peter Anvin" <hpa@...or.com>,
Paolo Bonzini <pbonzini@...hat.com>,
Vitaly Kuznetsov <vkuznets@...hat.com>,
Wanpeng Li <wanpengli@...cent.com>,
Jim Mattson <jmattson@...gle.com>,
Joerg Roedel <joro@...tes.org>,
Tony Luck <tony.luck@...el.com>,
"Gomez Iglesias, Antonio" <antonio.gomez.iglesias@...el.com>,
Andy Lutomirski <luto@...nel.org>,
Peter Zijlstra <peterz@...radead.org>,
Fenghua Yu <fenghua.yu@...el.com>,
Dave Hansen <dave.hansen@...ux.intel.com>,
Vincenzo Frascino <vincenzo.frascino@....com>,
Josh Poimboeuf <jpoimboe@...hat.com>,
Anthony Steinhauser <asteinhauser@...gle.com>,
Mike Rapoport <rppt@...ux.ibm.com>,
Mark Gross <mgross@...ux.intel.com>,
Waiman Long <longman@...hat.com>, linux-doc@...r.kernel.org,
linux-kernel@...r.kernel.org, kvm@...r.kernel.org,
Jonathan Corbet <corbet@....net>
Subject: Re: [PATCH] x86/bugs/multihit: Fix mitigation reporting when KVM is
not in use
On Tue, Jul 14, 2020 at 02:20:59PM -0700, Dave Hansen wrote:
> On 7/14/20 2:04 PM, Pawan Gupta wrote:
> >> I see three inputs and four possible states (sorry for the ugly table,
> >> it was this or a spreadsheet :):
> >>
> >> X86_FEATURE_VMX CONFIG_KVM_* hpage split Result Reason
> >> N x x Not Affected No VMX
> >> Y N x Not affected No KVM
This line item is pointless, the relevant itlb_multihit_show_state()
implementation depends on CONFIG_KVM_INTEL. The !KVM_INTEL version simply
prints ""Processor vulnerable".
> >> Y Y Y Mitigated hpage split
> >> Y Y N Vulnerable
> > Thank you.
> >
> > Just a note... for the last 2 cases kernel wont know about "hpage split"
> > mitigation until KVM is loaded. So for these cases reporting at boot
> > will be "Vulnerable" and would change to "Mitigated" once KVM is loaded
> > and deploys the mitigation. This is the current behavior.
>
> That's OK with me, because it's actually pretty closely tied to reality.
> You are literally "vulnerable" until you've committed to a mitigation
> and that doesn't happen until KVM is loaded.
Not that it really matters since itlb_multihit_show_state() reflects current
state, but loading KVM doesn't commit to a mitigation. KVM's nx_huge_pages
module param is writable by root, e.g. the mitigation can be turned off
while KVM is loaded and even while guests are running.
To do the above table, KVM will also need to update itlb_multihit_kvm_mitigation
when it is unloaded, which seems rather silly. That's partly why I suggested
keying off CR4.VMXE as it doesn't require poking directly into KVM. E.g. the
entire fix becomes:
diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c
index ed54b3b21c39..4452df7f332d 100644
--- a/arch/x86/kernel/cpu/bugs.c
+++ b/arch/x86/kernel/cpu/bugs.c
@@ -1447,7 +1447,12 @@ static ssize_t l1tf_show_state(char *buf)
static ssize_t itlb_multihit_show_state(char *buf)
{
- if (itlb_multihit_kvm_mitigation)
+ if (!boot_cpu_has(X86_FEATURE_MSR_IA32_FEAT_CTL) ||
+ !boot_cpu_has(X86_FEATURE_VMX))
+ return sprintf(buf, "KVM: Mitigation: VMX unsupported\n");
+ else if (!(cr4_read_shadow() & X86_CR4_VMXE))
+ return sprintf(buf, "KVM: Mitigation: VMX disabled\n");
+ else if (itlb_multihit_kvm_mitigation)
return sprintf(buf, "KVM: Mitigation: Split huge pages\n");
else
return sprintf(buf, "KVM: Vulnerable\n");
Powered by blists - more mailing lists