lists.openwall.net - Open Source and information security mailing list archives
Message-ID: <1a0fd968-15a0-401f-a683-e8989c2df669@intel.com>
Date: Thu, 26 Sep 2024 10:37:05 -0700
From: Dave Hansen <dave.hansen@...el.com>
To: Xi Ruoyao <xry111@...111.site>, Dave Hansen
 <dave.hansen@...ux.intel.com>, Michael Kelley <mhklinux@...look.com>,
 Pawan Gupta <pawan.kumar.gupta@...ux.intel.com>
Cc: Andy Lutomirski <luto@...nel.org>, Peter Zijlstra <peterz@...radead.org>,
 Thomas Gleixner <tglx@...utronix.de>, Ingo Molnar <mingo@...hat.com>,
 Borislav Petkov <bp@...en8.de>, "H. Peter Anvin" <hpa@...or.com>,
 x86@...nel.org, linux-kernel@...r.kernel.org,
 Sean Christopherson <seanjc@...gle.com>,
 Andrew Cooper <andrew.cooper3@...rix.com>
Subject: Re: [PATCH v10 2/2] x86/mm: Don't disable PCID if the kernel is
 running on a hypervisor

On 5/21/24 19:06, Xi Ruoyao wrote:
> -	invlpg_miss_match = x86_match_cpu(invlpg_miss_ids);
> +	/* Only bare-metal is affected.  PCIDs in guests are OK.  */
> +	if (!boot_cpu_has(X86_FEATURE_HYPERVISOR))
> +		invlpg_miss_match = x86_match_cpu(invlpg_miss_ids);
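
Review bot: with the unconditional assignment removed, invlpg_miss_match keeps whatever value it already had whenever X86_FEATURE_HYPERVISOR is set; its declaration is outside this hunk, so confirm it is initialised to false (a static would be) or add an explicit `else invlpg_miss_match = false;` so the guest path does not depend on that. The new comment also states only the conclusion ("Only bare-metal is affected") and not the reason; noting that guests either cannot execute INVLPG directly or run under VMX would make the CPUID-based exemption easier to re-verify when the erratum table changes.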

So, surely, the common case is hypervisors that set
X86_FEATURE_HYPERVISOR are running the guest under VMX.  But it doesn't
cover everything, either.

The guest could be running under regular old QEMU without KVM.  Or it
could be one of the hypervisors that has a sense of humor and runs guest
ring0 in hardware ring3.  But those setups aren't vulnerable in the
first place because they don't actually execute INVLPG directly on the
hardware.

That said, if this check goes wrong (like seeing a
X86_FEATURE_HYPERVISOR==0 under VMX) the worst that can happen is that
PCIDs get disabled without a good reason.

So I think the patch is correct, but I don't like the idea that
X86_FEATURE_HYPERVISOR has any kind of strict connection to VMX.

I'd rather just say:

	Hypervisors lie about CPUID making model and microcode version
	checks worthless. Just assume all guests are immune either
	because they can't use INVLPG directly or are running under VMX
	and are unaffected.
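
As an added illustration (not kernel code and not part of this message), the following user-space C model shows the decision the patch implements and why a wrong X86_FEATURE_HYPERVISOR reading only fails in the safe direction. The erratum table, model numbers and microcode revisions are constructed placeholders, and `x86_match_cpu_model()` and `pcid_enabled_for()` are hypothetical stand-ins for the kernel's `x86_match_cpu()` and its PCID setup path.

```c
/*
 * Added example: user-space model of "skip the INVLPG-miss erratum match
 * when running under a hypervisor".  Nothing here is the kernel's code.
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-ins for the kernel's CPUID feature bits. */
#define X86_FEATURE_HYPERVISOR (1u << 0)
#define X86_FEATURE_PCID       (1u << 1)

struct cpu_desc {
    uint8_t  family;
    uint8_t  model;
    uint32_t microcode;   /* loaded microcode revision */
    uint32_t features;    /* bitmask of the feature bits above */
};

/* Constructed erratum table: affected (family, model) pairs and the first
 * microcode revision that fixes the INVLPG miss.  Placeholder values only;
 * the real invlpg_miss_ids table is not reproduced here. */
struct erratum_entry {
    uint8_t  family;
    uint8_t  model;
    uint32_t fixed_microcode;
};

static const struct erratum_entry invlpg_miss_ids[] = {
    { 6, 0xAA, 0x10 },   /* placeholder model, fixed from ucode 0x10 */
    { 6, 0xBB, 0x20 },   /* placeholder model, fixed from ucode 0x20 */
};

/* Model of x86_match_cpu(): true when the CPU is in the table and its
 * microcode is older than the fixed revision.  Under a hypervisor the
 * reported model and microcode are whatever the hypervisor chose to
 * present, which is why the caller must not trust this result there. */
static bool x86_match_cpu_model(const struct cpu_desc *c)
{
    size_t n = sizeof(invlpg_miss_ids) / sizeof(invlpg_miss_ids[0]);

    for (size_t i = 0; i < n; i++) {
        const struct erratum_entry *e = &invlpg_miss_ids[i];

        if (c->family == e->family && c->model == e->model &&
            c->microcode < e->fixed_microcode)
            return true;
    }
    return false;
}

/* The patched decision.  Returns true when PCID stays enabled. */
static bool pcid_enabled(const struct cpu_desc *c)
{
    bool invlpg_miss_match = false;   /* explicit default for the guest path */

    if (!(c->features & X86_FEATURE_PCID))
        return false;

    /* Only bare-metal is affected.  Guests either cannot execute INVLPG
     * directly or run under VMX, where the erratum does not apply. */
    if (!(c->features & X86_FEATURE_HYPERVISOR))
        invlpg_miss_match = x86_match_cpu_model(c);

    return !invlpg_miss_match;
}

/* Convenience wrapper so scenarios can be expressed as plain arguments. */
static bool pcid_enabled_for(uint8_t family, uint8_t model,
                             uint32_t microcode, bool hypervisor)
{
    struct cpu_desc c = {
        family, model, microcode,
        X86_FEATURE_PCID | (hypervisor ? X86_FEATURE_HYPERVISOR : 0),
    };
    return pcid_enabled(&c);
}

int main(void)
{
    printf("bare metal, affected model, old ucode : PCID %s\n",
           pcid_enabled_for(6, 0xAA, 0x05, false) ? "on" : "off");
    printf("bare metal, affected model, fixed     : PCID %s\n",
           pcid_enabled_for(6, 0xAA, 0x10, false) ? "on" : "off");
    printf("guest, same model, old ucode          : PCID %s\n",
           pcid_enabled_for(6, 0xAA, 0x05, true) ? "on" : "off");
    /* Failure mode from the thread: a VMX guest whose HYPERVISOR bit reads
     * as 0 is treated as bare metal.  The only consequence is that PCID is
     * switched off needlessly; an affected bare-metal CPU is never left on. */
    printf("VMX guest with HYPERVISOR bit missing : PCID %s\n",
           pcid_enabled_for(6, 0xAA, 0x05, false) ? "on" : "off");
    return 0;
}
```

The wrapper makes the asymmetry easy to see: the hypervisor bit can only ever remove a match, so a false reading of 0 costs performance, never correctness, which is the property the reply relies on.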
