lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date:   Sat, 29 Aug 2020 17:55:25 +0200
From:   Borislav Petkov <bp@...en8.de>
To:     Joerg Roedel <joro@...tes.org>
Cc:     x86@...nel.org, Joerg Roedel <jroedel@...e.de>, hpa@...or.com,
        Andy Lutomirski <luto@...nel.org>,
        Dave Hansen <dave.hansen@...ux.intel.com>,
        Peter Zijlstra <peterz@...radead.org>,
        Jiri Slaby <jslaby@...e.cz>,
        Dan Williams <dan.j.williams@...el.com>,
        Tom Lendacky <thomas.lendacky@....com>,
        Juergen Gross <jgross@...e.com>,
        Kees Cook <keescook@...omium.org>,
        David Rientjes <rientjes@...gle.com>,
        Cfir Cohen <cfir@...gle.com>,
        Erdem Aktas <erdemaktas@...gle.com>,
        Masami Hiramatsu <mhiramat@...nel.org>,
        Mike Stunes <mstunes@...are.com>,
        Sean Christopherson <sean.j.christopherson@...el.com>,
        Martin Radev <martin.b.radev@...il.com>,
        linux-kernel@...r.kernel.org, kvm@...r.kernel.org,
        virtualization@...ts.linux-foundation.org
Subject: Re: [PATCH v6 38/76] x86/head/64: Set CR4.FSGSBASE early

On Mon, Aug 24, 2020 at 10:54:33AM +0200, Joerg Roedel wrote:
> From: Joerg Roedel <jroedel@...e.de>
> 
> Early exception handling will use rd/wrgsbase in paranoid_entry/exit.
> Enable the feature to avoid #UD exceptions on boot APs.
> 
> Signed-off-by: Joerg Roedel <jroedel@...e.de>
> Link: https://lore.kernel.org/r/20200724160336.5435-38-joro@8bytes.org
> ---
>  arch/x86/kernel/head_64.S | 7 +++++++
>  1 file changed, 7 insertions(+)
> 
> diff --git a/arch/x86/kernel/head_64.S b/arch/x86/kernel/head_64.S
> index 08412f308de3..4622940134a5 100644
> --- a/arch/x86/kernel/head_64.S
> +++ b/arch/x86/kernel/head_64.S
> @@ -153,6 +153,13 @@ SYM_CODE_START(secondary_startup_64)
>  	orl	$X86_CR4_LA57, %ecx
>  1:
>  #endif
> +
> +	ALTERNATIVE "jmp .Lstartup_write_cr4", "", X86_FEATURE_FSGSBASE
> +
> +	/* Early exception handling uses FSGSBASE on APs */
> +	orl	$X86_CR4_FSGSBASE, %ecx

How is this supposed to work?

Alternatives haven't run that early yet and that piece of code looks
like this:

ffffffff81000067:       eb 06                   jmp    ffffffff8100006f <secondary_startup_64+0x1f>
ffffffff81000069:       81 c9 00 00 01 00       or     $0x10000,%ecx
ffffffff8100006f:       0f 22 e1                mov    %rcx,%cr4

so we'll never set X86_CR4_FSGSBASE during early boot.

Stopping a guest with gdb just before that shows the same thing:

Dump of assembler code from 0x1000069 to 0x100007b:
=> 0x0000000001000069:  eb 06   jmp    0x1000071
   0x000000000100006b:  81 c9 00 00 01 00       or     $0x10000,%ecx
   0x0000000001000071:  0f 22 e1        mov    %rcx,%cr4
   0x0000000001000074:  48 03 05 95 ff 20 01    add    0x120ff95(%rip),%rax        # 0x2210010

the unconditional JMP is there and it hasn't been patched out yet.

If you really need to test CPUID flags, you need to do something similar
to what verify_cpu does that early. And looking at that thing:

 *      verify_cpu, returns the status of longmode and SSE in register %eax.
 *              0: Success    1: Failure

you could return the FSGSBASE CPUID bit there too and act accordingly.

Hmm.

-- 
Regards/Gruss,
    Boris.

https://people.kernel.org/tglx/notes-about-netiquette

Powered by blists - more mailing lists