| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 17 May 2024 17:27:39 +0200 From: Jürgen Groß <jgross@...e.com> To: Dave Hansen <dave.hansen@...el.com>, "Kirill A. Shutemov" <kirill.shutemov@...ux.intel.com> Cc: linux-kernel@...r.kernel.org, x86@...nel.org, linux-coco@...ts.linux.dev, Dave Hansen <dave.hansen@...ux.intel.com>, Thomas Gleixner <tglx@...utronix.de>, Ingo Molnar <mingo@...hat.com>, Borislav Petkov <bp@...en8.de>, "H. Peter Anvin" <hpa@...or.com> Subject: Re: [PATCH] x86/kvm/tdx: Save %rbp in TDX_MODULE_CALL On 17.05.24 17:16, Dave Hansen wrote: > On 5/17/24 07:44, Juergen Gross wrote: >> Just another data point: Before using this machine I was testing on >> another one with older firmware. That one really didn't support NOM_RBP_MOD >> and I needed to build the kernel with CONFIG_FRAME_POINTER enabled to get >> past the check you are mentioning above. > > For all intents and purposes, the modules that intentionally clobber RBP > don't support Linux. If buggy modules are accidentally clobbering RBP, > we can debate how much the kernel should bend over to accommodate them, > but my preference would be to ignore them. > > I'd much rather put a deny list in the kernel than try to tolerate RBP > clobbering universally. Would you be fine with adding a new X86_FEATURE (or BUG?) allowing to switch RBP save/restore via ALTERNATIVE, controlled by a command line option? Or maybe by adding a new CONFIG_TDX_MODULE_CAN_CLOBBER_RBP (probably using a shorter name) option? TBH I'm slightly puzzled that the firmware I'm using could make it outside Intel. I'm fearing this might happen again. Juergen
Powered by blists - more mailing lists