Message-ID: <20251013-l1tf-test-v1-0-583fb664836d@google.com>
Date: Mon, 13 Oct 2025 15:13:53 +0000
From: Brendan Jackman <jackmanb@...gle.com>
To: Shuah Khan <shuah@...nel.org>, Paolo Bonzini <pbonzini@...hat.com>, 
	Sean Christopherson <seanjc@...gle.com>
Cc: Alexandra Sandulescu <aesa@...gle.com>, Thomas Gleixner <tglx@...utronix.de>, Ingo Molnar <mingo@...hat.com>, 
	Borislav Petkov <bp@...en8.de>, Dave Hansen <dave.hansen@...ux.intel.com>, x86@...nel.org, 
	linux-kselftest@...r.kernel.org, linux-kernel@...r.kernel.org, 
	kvm@...r.kernel.org, Brendan Jackman <jackmanb@...gle.com>
Subject: [PATCH 0/2] KVM: x86: selftests: add L1TF exploit test

This has been tested on a Google Skylake platform. 

One potential issue with this test is that it fails (that is, the
exploit succeeds) when using the conditional L1D flush, because the
gadget is injected into the hypercall path which doesn't appear to
include a flush. If this is unacceptable, we should discuss how to amend
the test so that it can be used to evaluate the conditional flush logic
as well. This would basically mean simulating some more complicated
gadget where the "attacker" has found another way to steer the host
kernel towards the target data, instead of just a simple hypercall.

The reason this limitation is tolerable to me is my ulterior motive,
i.e. because I am specifically interested in an end-to-end test for
Address Space Isolation [0], which is abstracted from these details of the
exploit.

Based on kvm/next.

[0] https://lore.kernel.org/all/20250924-b4-asi-page-alloc-v1-0-2d861768041f@google.com/T/#t

Signed-off-by: Brendan Jackman <jackmanb@...gle.com>
---
Alexandra Sandulescu (1):
      KVM: x86: selftests: add an L1TF exploit test

Brendan Jackman (1):
      selftests: fix installing nested TEST_GEN_MODS_DIR

 tools/testing/selftests/kvm/Makefile.kvm           |   7 +
 tools/testing/selftests/kvm/x86/l1tf_test.c        | 633 +++++++++++++++++++++
 tools/testing/selftests/kvm/x86/l1tf_test.sh       |  10 +
 .../selftests/kvm/x86/test_modules/Makefile        |  10 +
 .../kvm/x86/test_modules/l1tf_test_helper.c        |  92 +++
 tools/testing/selftests/lib.mk                     |   2 +-
 6 files changed, 753 insertions(+), 1 deletion(-)
---
base-commit: 6b36119b94d0b2bb8cea9d512017efafd461d6ac
change-id: 20251013-l1tf-test-1bee540cefb4

Best regards,
-- 
Brendan Jackman <jackmanb@...gle.com>
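Added example, not part of this series or of the kvm selftests: since the cover letter says the test cannot judge the conditional L1D flush, a host running it should first record which flush mode it is in. The script below classifies the `l1tf` line from `/sys/devices/system/cpu/vulnerabilities` and reports the `kvm_intel` `vmentry_l1d_flush` parameter; the sysfs paths and status strings are assumed to match current mainline kernels, and the sample lines in the test are constructed.

```shell
#!/bin/sh
# Classify the host's L1TF mitigation state before reading an L1TF
# selftest result. Assumes the sysfs and modparam paths used by current
# mainline kernels (assumption, not taken from the patch series).

L1TF_SYSFS=/sys/devices/system/cpu/vulnerabilities/l1tf
VMENTRY_PARAM=/sys/module/kvm_intel/parameters/vmentry_l1d_flush

# classify_vmx_flush STATUS_LINE
# Maps the "VMX: ..." part of the l1tf status line to one word:
# always | cond | never | ept-disabled | not-required | not-affected | unknown
classify_vmx_flush() {
    case "$1" in
        "Not affected"*)                    echo not-affected ;;
        *"VMX: conditional cache flushes"*) echo cond ;;
        *"VMX: cache flushes"*)             echo always ;;
        *"VMX: vulnerable"*)                echo never ;;
        *"VMX: EPT disabled"*)              echo ept-disabled ;;
        *"VMX: flush not necessary"*)       echo not-required ;;
        *)                                  echo unknown ;;
    esac
}

# smt_state STATUS_LINE -> vulnerable | disabled | unknown
smt_state() {
    case "$1" in
        *"SMT vulnerable"*) echo vulnerable ;;
        *"SMT disabled"*)   echo disabled ;;
        *)                  echo unknown ;;
    esac
}

# Print the host's state. Per the cover letter, a "cond" result means a
# gadget on the hypercall path is not covered by the flush, so a failing
# test in that mode says nothing about the flush logic itself.
report_host() {
    if [ ! -r "$L1TF_SYSFS" ]; then
        echo "no $L1TF_SYSFS (not x86, or sysfs unavailable)"
        return 0
    fi
    status=$(cat "$L1TF_SYSFS")
    echo "l1tf status : $status"
    echo "VMX flush   : $(classify_vmx_flush "$status")"
    echo "SMT         : $(smt_state "$status")"
    if [ -r "$VMENTRY_PARAM" ]; then
        echo "kvm_intel vmentry_l1d_flush=$(cat "$VMENTRY_PARAM")"
    fi
}

report_host
```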

