| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 17 Apr 2024 08:34:28 -0700
From: Xin Li <xin@...or.com>
To: "H. Peter Anvin" <hpa@...or.com>, Borislav Petkov <bp@...en8.de>
Cc: linux-kernel@...r.kernel.org, luto@...nel.org, tglx@...utronix.de,
mingo@...hat.com, dave.hansen@...ux.intel.com, x86@...nel.org
Subject: Re: [PATCH v3 1/1] x86/fred: Fix INT80 emulation for FRED
On 4/17/2024 7:59 AM, H. Peter Anvin wrote:
> On 4/17/24 02:38, Borislav Petkov wrote:
>> On Tue, Apr 16, 2024 at 11:30:01PM -0700, Xin Li (Intel) wrote:
>>> 3) The FRED kernel entry handler does *NOT* dispatch INT instructions,
>>> which is of event type EVENT_TYPE_SWINT, so compared with
>>> do_int80_emulation(), there is no need to do any user mode check.
>>
>> What does that mean?
>>
>> An event handler doesn't dispatch INT insns?
>>
>> /me is confused.
>
> FRED has separate entry flows depending on if the event came from user
> space or kernel space:
>
> asm_fred_entrypoint_user -> fred_entry_from_user
>
> asm_fred_entrypoint_kernel -> fred_entry_from_kernel
>
> fred_entry_from_kernel does not invoke fred_intx() if the event type is
> EVENT_TYPE_SWINT, instead it falls through to fred_bad_type(). Perhaps
> fred_intx() should be renamed fred_intx_user() for additional clarity.
This is a good idea, and again naming is so important.
>
> (It might also we worth noting in that function that the reason int
> $0x03 and int $0x04 are dispatched as INT3 and INTO is to be fully user
> space compatible with legacy IDT, which behaves similarly.)
Yeah, this is subtle, and we'd better make it explicit with comments.
FRED distinguishes int $0x03/$0x04 from INT3/INTO with event type
EVENT_TYPE_SWINT and EVENT_TYPE_SWEXC, and the Linux kernel itself can
still use INT3/INTO, however int $0x03/$0x04 is NOT allowed from kernel
context.
>
> Thus, the int $0x80 code is simply not reachable from kernel space; if
> kernel code were to invoke int $0x80 or any other INT instruction it
> will error out before getting to this code.
>
>>> +#ifdef CONFIG_X86_FRED
>>> +/*
>>> + * A FRED-specific INT80 handler fred_int80_emulation() is required:
>>> + *
>>> + * 1) As INT instructions and hardware interrupts are separate event
>>> + * types, FRED does not preclude the use of vector 0x80 for external
>>> + * interrupts. As a result the FRED setup code does *NOT* reserve
>>> + * vector 0x80 and calling int80_is_external() is not merely
>>> + * suboptimal but actively incorrect: it could cause a system call
>>> + * to be incorrectly ignored.
>>> + *
>>> + * 2) fred_int80_emulation(), only called for handling vector 0x80 of
>>> + * event type EVENT_TYPE_SWINT, will NEVER be called to handle any
>>> + * external interrupt (event type EVENT_TYPE_EXTINT).
>>> + *
>>> + * 3) The FRED kernel entry handler does *NOT* dispatch INT
>>> instructions,
>>> + * which is of event type EVENT_TYPE_SWINT, so compared with
>>> + * do_int80_emulation(), there is no need to do any user mode check.
>>> + *
>>> + * 4) int80_emulation() does a CLEAR_BRANCH_HISTORY, which is likely
>>> + * overkill for new x86 CPU implementations that support FRED.
>>> + *
>>> + * 5) int $0x80 is the FAST path for 32-bit system calls under FRED.
>>> + *
>>> + * A dedicated FRED INT80 handler duplicates quite a bit of the code in
>>> + * do_int80_emulation(), but it avoids sprinkling more tests and seems
>>> + * more readable. Just remember that we can always unify common stuff
>>> + * later if it turns out that it won't diverge anymore, i.e., after the
>>> + * FRED code settles.
>>> + */
>>
>> And this is talking about duplication above and that text is duplicated
>> from the commit message. :)
>>
>> I'll zap it when applying.
>>
>
> I suggested putting it into a comment for future reference. Obviously no
> need to duplicate it in the commit message :)
>
yes!
Powered by blists - more mailing lists