lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <7c23621b-66fc-eb35-c329-bb947798016a@citrix.com>
Date:   Mon, 18 Jul 2022 17:19:14 +0000
From:   Andrew Cooper <Andrew.Cooper3@...rix.com>
To:     Peter Zijlstra <peterz@...radead.org>, Borislav Petkov <bp@...e.de>
CC:     Thadeu Lima de Souza Cascardo <cascardo@...onical.com>,
        "linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>,
        "linux-efi@...r.kernel.org" <linux-efi@...r.kernel.org>,
        "x86@...nel.org" <x86@...nel.org>,
        "ardb@...nel.org" <ardb@...nel.org>,
        "tglx@...utronix.de" <tglx@...utronix.de>,
        "gregkh@...uxfoundation.org" <gregkh@...uxfoundation.org>,
        "torvalds@...ux-foundation.org" <torvalds@...ux-foundation.org>,
        Guenter Roeck <linux@...ck-us.net>,
        Josh Poimboeuf <jpoimboe@...nel.org>,
        "stable@...r.kernel.org" <stable@...r.kernel.org>
Subject: Re: [PATCH] efi/x86: use naked RET on mixed mode call wrapper

On 18/07/2022 17:38, Peter Zijlstra wrote:
> On Mon, Jul 18, 2022 at 06:28:27PM +0200, Borislav Petkov wrote:
>> On Mon, Jul 18, 2022 at 01:41:37PM +0200, Peter Zijlstra wrote:
>>> diff --git a/arch/x86/include/asm/nospec-branch.h b/arch/x86/include/asm/nospec-branch.h
>>> index 10a3bfc1eb23..f934dcdb7c0d 100644
>>> --- a/arch/x86/include/asm/nospec-branch.h
>>> +++ b/arch/x86/include/asm/nospec-branch.h
>>> @@ -297,6 +297,8 @@ do {									\
>>>  	alternative_msr_write(MSR_IA32_SPEC_CTRL,			\
>>>  			      spec_ctrl_current() | SPEC_CTRL_IBRS,	\
>>>  			      X86_FEATURE_USE_IBRS_FW);			\
>>> +	altnerative_msr_write(MSR_IA32_PRED_CMD, PRED_CMD_IBPB,		\
>>> +			      X86_FEATURE_USE_IBPB_FW);			\
>>>  } while (0)
>> So I'm being told we need to untrain on return from EFI to protect the
>> kernel from it. Ontop of yours.
> I don't think there's any credible way we can protect against EFI taking
> over the system if it wants to. It runs at CPL0 and has access to the
> direct map. If EFI wants it can take over the system without trying.

I don't think an untrain is needed either.  EFI RS can do anything it
wants, architecturally speaking, so the only threat is it acting as a
confused deputy.

The IBPB on the way in mitigates any BTC attacks against EFI-RS.

The "safe" BTB entry can be evicted due to competition or an alias, both
in kernel code or EFI code, but neither of these contexts will be
deliberately creating a malicious entry.

~Andrew

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ