| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 17 May 2024 17:48:11 +0200 From: Juergen Gross <jgross@...e.com> To: Dave Hansen <dave.hansen@...el.com>, "Kirill A. Shutemov" <kirill.shutemov@...ux.intel.com> Cc: linux-kernel@...r.kernel.org, x86@...nel.org, linux-coco@...ts.linux.dev, Dave Hansen <dave.hansen@...ux.intel.com>, Thomas Gleixner <tglx@...utronix.de>, Ingo Molnar <mingo@...hat.com>, Borislav Petkov <bp@...en8.de>, "H. Peter Anvin" <hpa@...or.com> Subject: Re: [PATCH] x86/kvm/tdx: Save %rbp in TDX_MODULE_CALL On 17.05.24 17:43, Dave Hansen wrote: > On 5/17/24 08:27, Jürgen Groß wrote: >> On 17.05.24 17:16, Dave Hansen wrote: >>> On 5/17/24 07:44, Juergen Gross wrote: >>>> Just another data point: Before using this machine I was testing on >>>> another one with older firmware. That one really didn't support >>>> NOM_RBP_MOD >>>> and I needed to build the kernel with CONFIG_FRAME_POINTER enabled to >>>> get >>>> past the check you are mentioning above. >>> >>> For all intents and purposes, the modules that intentionally clobber RBP >>> don't support Linux. If buggy modules are accidentally clobbering RBP, >>> we can debate how much the kernel should bend over to accommodate them, >>> but my preference would be to ignore them. >>> >>> I'd much rather put a deny list in the kernel than try to tolerate RBP >>> clobbering universally. >> >> Would you be fine with adding a new X86_FEATURE (or BUG?) allowing >> to switch RBP save/restore via ALTERNATIVE, controlled by a command >> line option? >> >> Or maybe by adding a new CONFIG_TDX_MODULE_CAN_CLOBBER_RBP (probably >> using a shorter name) option? > > As a last resort maybe. > >> TBH I'm slightly puzzled that the firmware I'm using could make it >> outside Intel. I'm fearing this might happen again. > > You're puzzled that the firmware is either old buggy or both? Huh. > > Intel ships all kinds of crazy pre-production stuff as development > platforms. Let's make sure we know what you've got before we go tearing > up mainline for it. > > Because if the options are: > > 1. Maintain code in mainline until the day I die^Wretire > > or > > 2. Get Jürgen a BIOS update so he stops sending patches > > .. it's kinda an easy choice. ;) > :-) Is the BIOS version printed at boot enough to see what I have? [ 0.000000] DMI: Intel Corporation D50DNP/D50DNP, BIOS SE5C7411.86B.9535.D04.2312270518 12/27/2023 Juergen Download attachment "OpenPGP_0xB0DE9DD628BF132F.asc" of type "application/pgp-keys" (3684 bytes) Download attachment "OpenPGP_signature.asc" of type "application/pgp-signature" (496 bytes)
Powered by blists - more mailing lists