lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <5s25fkpxv6p3ai2iagtgyqhpt3c4cv54q6lgeeebizsseediyy@wl4epcc7i35a>
Date: Wed, 2 Jul 2025 12:47:24 +0300
From: "Kirill A. Shutemov" <kirill.shutemov@...ux.intel.com>
To: Sohil Mehta <sohil.mehta@...el.com>
Cc: Andy Lutomirski <luto@...nel.org>, 
	Thomas Gleixner <tglx@...utronix.de>, Ingo Molnar <mingo@...hat.com>, Borislav Petkov <bp@...en8.de>, 
	Dave Hansen <dave.hansen@...ux.intel.com>, x86@...nel.org, "H. Peter Anvin" <hpa@...or.com>, 
	Peter Zijlstra <peterz@...radead.org>, Ard Biesheuvel <ardb@...nel.org>, 
	"Paul E. McKenney" <paulmck@...nel.org>, Josh Poimboeuf <jpoimboe@...nel.org>, 
	Xiongwei Song <xiongwei.song@...driver.com>, Xin Li <xin3.li@...el.com>, 
	"Mike Rapoport (IBM)" <rppt@...nel.org>, Brijesh Singh <brijesh.singh@....com>, 
	Michael Roth <michael.roth@....com>, Tony Luck <tony.luck@...el.com>, 
	Alexey Kardashevskiy <aik@....com>, Alexander Shishkin <alexander.shishkin@...ux.intel.com>, 
	Jonathan Corbet <corbet@....net>, Ingo Molnar <mingo@...nel.org>, 
	Pawan Gupta <pawan.kumar.gupta@...ux.intel.com>, Daniel Sneddon <daniel.sneddon@...ux.intel.com>, 
	Kai Huang <kai.huang@...el.com>, Sandipan Das <sandipan.das@....com>, 
	Breno Leitao <leitao@...ian.org>, Rick Edgecombe <rick.p.edgecombe@...el.com>, 
	Alexei Starovoitov <ast@...nel.org>, Hou Tao <houtao1@...wei.com>, Juergen Gross <jgross@...e.com>, 
	Vegard Nossum <vegard.nossum@...cle.com>, Kees Cook <kees@...nel.org>, Eric Biggers <ebiggers@...gle.com>, 
	Jason Gunthorpe <jgg@...pe.ca>, "Masami Hiramatsu (Google)" <mhiramat@...nel.org>, 
	Andrew Morton <akpm@...ux-foundation.org>, Luis Chamberlain <mcgrof@...nel.org>, 
	Yuntao Wang <ytcoode@...il.com>, Rasmus Villemoes <linux@...musvillemoes.dk>, 
	Christophe Leroy <christophe.leroy@...roup.eu>, Tejun Heo <tj@...nel.org>, Changbin Du <changbin.du@...wei.com>, 
	Huang Shijie <shijie@...amperecomputing.com>, Geert Uytterhoeven <geert+renesas@...der.be>, 
	Namhyung Kim <namhyung@...nel.org>, Arnaldo Carvalho de Melo <acme@...hat.com>, 
	linux-doc@...r.kernel.org, linux-kernel@...r.kernel.org, linux-efi@...r.kernel.org, 
	linux-mm@...ck.org
Subject: Re: [PATCHv8 04/17] x86/cpu: Defer CR pinning setup until after EFI
 initialization

On Tue, Jul 01, 2025 at 12:03:01PM -0700, Sohil Mehta wrote:
> On 7/1/2025 2:58 AM, Kirill A. Shutemov wrote:
> > From: Alexander Shishkin <alexander.shishkin@...ux.intel.com>
> > 
> > In order to map the EFI runtime services, set_virtual_address_map()
> > needs to be called, which resides in the lower half of the address
> > space. This means that LASS needs to be temporarily disabled around
> > this call. This can only be done before the CR pinning is set up.
> > 
> > Move CR pinning setup behind the EFI initialization.
> > 
> > Wrapping efi_enter_virtual_mode() into lass_disable/enable_enforcement()
> 
> I believe this should be lass_stac()/clac() since we reverted to the
> original naming.

Doh. Will fix.

> > is not enough because AC flag gates data accesses, but not instruction
> > fetch. Clearing the CR4 bit is required.
> > 
> > Signed-off-by: Alexander Shishkin <alexander.shishkin@...ux.intel.com>
> > Suggested-by: Kirill A. Shutemov <kirill.shutemov@...ux.intel.com>
> > Signed-off-by: Kirill A. Shutemov <kirill.shutemov@...ux.intel.com>
> > ---
> >  arch/x86/kernel/cpu/common.c | 5 ++++-
> >  1 file changed, 4 insertions(+), 1 deletion(-)
> > 
> > diff --git a/arch/x86/kernel/cpu/common.c b/arch/x86/kernel/cpu/common.c
> > index 4f430be285de..9918121e0adc 100644
> > --- a/arch/x86/kernel/cpu/common.c
> > +++ b/arch/x86/kernel/cpu/common.c
> > @@ -2081,7 +2081,6 @@ static __init void identify_boot_cpu(void)
> >  	enable_sep_cpu();
> >  #endif
> >  	cpu_detect_tlb(&boot_cpu_data);
> > -	setup_cr_pinning();
> >  
> >  	tsx_init();
> >  	tdx_init();
> > @@ -2532,10 +2531,14 @@ void __init arch_cpu_finalize_init(void)
> >  
> >  	/*
> >  	 * This needs to follow the FPU initializtion, since EFI depends on it.
> > +	 *
> > +	 * EFI twiddles CR4.LASS. Do it before CR pinning.
> >  	 */
> >  	if (efi_enabled(EFI_RUNTIME_SERVICES))
> >  		efi_enter_virtual_mode();
> >  
> > +	setup_cr_pinning();
> > +
> 
> Instead of EFI toggling CR4.LASS, why not defer the first LASS
> activation itself?
> 
> i.e.
> 
> 	if (efi_enabled(EFI_RUNTIME_SERVICES))
> 		efi_enter_virtual_mode();
> 
> 	setup_lass();
> 
> 	setup_cr_pinning();
> 
> 
> This way, we can avoid the following patch (#5) altogether.

That's definitely an option.

The benefit of current approach is that the enforcement is enabled
earlier and cover more boot code, providing marginal protection
improvement.

I also like that related security features (SMEP/SMAP/UMIP/LASS) are
enabled in the same place.

In the end it is a judgement call.

Maintainers, any preference?

-- 
  Kiryl Shutsemau / Kirill A. Shutemov

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ