From: Pavel Machek <pavel@ucw.cz>
To: Thomas Garnier <thgarnie@google.com>
Cc: "Thomas Gleixner" <tglx@linutronix.de>,
	"Ingo Molnar" <mingo@redhat.com>,
	"H . Peter Anvin" <hpa@zytor.com>,
	"Jonathan Corbet" <corbet@lwn.net>,
	"Andrey Ryabinin" <aryabinin@virtuozzo.com>,
	"Alexander Potapenko" <glider@google.com>,
	"Dmitry Vyukov" <dvyukov@google.com>,
	"Lorenzo Stoakes" <lstoakes@gmail.com>,
	"Kees Cook" <keescook@chromium.org>,
	"Juergen Gross" <jgross@suse.com>,
	"Andy Lutomirski" <luto@kernel.org>,
	"Paul Gortmaker" <paul.gortmaker@windriver.com>,
	"Andrew Morton" <akpm@linux-foundation.org>,
	"Michal Hocko" <mhocko@suse.com>, zijun_hu <zijun_hu@htc.com>,
	"Chris Wilson" <chris@chris-wilson.co.uk>,
	"Andy Lutomirski" <luto@amacapital.net>,
	"Rafael J . Wysocki" <rjw@rjwysocki.net>,
	"Len Brown" <len.brown@intel.com>,
	"Jiri Kosina" <jikos@kernel.org>,
	"Matt Fleming" <matt@codeblueprint.co.uk>,
	"Ard Biesheuvel" <ard.biesheuvel@linaro.org>,
	"Boris Ostrovsky" <boris.ostrovsky@oracle.com>,
	"Rusty Russell" <rusty@rustcorp.com.au>,
	"Paolo Bonzini" <pbonzini@redhat.com>,
	"Borislav Petkov" <bp@suse.de>,
	"Christian Borntraeger" <borntraeger@de.ibm.com>,
	"Frederic Weisbecker" <fweisbec@gmail.com>,
	"Luis R . Rodriguez" <mcgrof@kernel.org>,
	"Stanislaw Gruszka" <sgruszka@redhat.com>,
	"Peter Zijlstra" <peterz@infradead.org>,
	"Josh Poimboeuf" <jpoimboe@redhat.com>,
	"Vitaly Kuznetsov" <vkuznets@redhat.com>,
	"Tim Chen" <tim.c.chen@linux.intel.com>,
	"Joerg Roedel" <joro@8bytes.org>,
	"Radim Krčmář" <rkrcmar@redhat.com>,
	x86@kernel.org, linux-kernel@vger.kernel.org,
	linux-doc@vger.kernel.org, kasan-dev@googlegroups.com,
	linux-mm@kvack.org, linux-pm@vger.kernel.org,
	linux-efi@vger.kernel.org, xen-devel@lists.xenproject.org,
	lguest@lists.ozlabs.org, kvm@vger.kernel.org,
	kernel-hardening@lists.openwall.com
Subject: [kernel-hardening] Re: [PATCH v7 3/3] x86: Make the GDT remapping read-only on 64-bit
Date: Tue, 14 Mar 2017 22:04:24 +0100
Message-ID: <20170314210424.GA5023@amd>
In-Reply-To: <20170314170508.100882-3-thgarnie@google.com>

On Tue 2017-03-14 10:05:08, Thomas Garnier wrote:
> This patch makes the GDT remapped pages read-only to prevent corruption.
> This change is done only on 64-bit.
> 
> The native_load_tr_desc function was adapted to correctly handle a
> read-only GDT. The LTR instruction always writes to the GDT TSS entry.
> This generates a page fault if the GDT is read-only. This change checks
> if the current GDT is a remap and swaps GDTs as needed. This function was
> tested by booting multiple machines and checking hibernation works
> properly.
> 
> KVM SVM and VMX were adapted to use the writeable GDT. On VMX, the
> per-cpu variable was removed for functions to fetch the original GDT.
> Instead of reloading the previous GDT, VMX will reload the fixmap GDT as
> expected. For testing, VMs were started and restored on multiple
> configurations.
> 
> Signed-off-by: Thomas Garnier <thgarnie@google.com>

Can we get the same change for 32-bit, too? Growing differences
between 32 and 64 bit are a bit of a problem...
								Pavel
								
-- 
(english) http://www.livejournal.com/~pavelmachek
(cesky, pictures) http://atrey.karlin.mff.cuni.cz/~pavel/picture/horses/blog.html
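
Added example, not part of the original message or of the patch: a user-space C model of the behaviour the quoted commit message describes, where LTR writes the busy bit into the GDT TSS entry, faults on a read-only mapping, and is made safe by swapping to the writable mapping first. All names here (cpu_model, gdt_view, model_ltr, load_tr_swapping) and the descriptor value are constructed for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define GDT_ENTRY_TSS 8            /* slot index used by this model */
#define TSS_TYPE(d)   (((d) >> 40) & 0xF)
#define TSS_AVAILABLE 0x9          /* 64-bit TSS, available */
#define TSS_BUSY      0xB          /* 64-bit TSS, busy */

enum fault { NO_FAULT, PAGE_FAULT, GP_FAULT };

struct gdt_view { uint64_t *table; bool writable; };

struct cpu_model {
    uint64_t backing[16];          /* one GDT page (constructed contents) */
    struct gdt_view direct;        /* writable mapping */
    struct gdt_view fixmap;        /* read-only remap of the same page */
    const struct gdt_view *gdtr;   /* mapping the CPU currently uses */
};

static void cpu_init(struct cpu_model *c)
{
    memset(c->backing, 0, sizeof(c->backing));
    c->backing[GDT_ENTRY_TSS] = 0x0000890000000067ULL; /* present, type 0x9 */
    c->direct = (struct gdt_view){ c->backing, true };
    c->fixmap = (struct gdt_view){ c->backing, false };
    c->gdtr = &c->fixmap;          /* start on the read-only remap */
}

/* LTR: requires an available TSS, then writes the busy bit into the GDT. */
static enum fault model_ltr(struct cpu_model *c)
{
    uint64_t *d = &c->gdtr->table[GDT_ENTRY_TSS];
    if (TSS_TYPE(*d) != TSS_AVAILABLE) return GP_FAULT;
    if (!c->gdtr->writable) return PAGE_FAULT;   /* write to a read-only page */
    *d |= 0x2ULL << 40;                          /* type 0x9 -> 0xB */
    return NO_FAULT;
}

/* Swap to the writable mapping only when the read-only remap is loaded. */
static enum fault load_tr_swapping(struct cpu_model *c)
{
    bool restore = (c->gdtr == &c->fixmap);
    if (restore) c->gdtr = &c->direct;
    enum fault f = model_ltr(c);
    if (restore) c->gdtr = &c->fixmap;
    return f;
}

int naive_fault(void) { struct cpu_model c; cpu_init(&c); return model_ltr(&c); }

int swapped_ok(void)
{
    struct cpu_model c; cpu_init(&c);
    return load_tr_swapping(&c) == NO_FAULT && c.gdtr == &c.fixmap &&
           TSS_TYPE(c.backing[GDT_ENTRY_TSS]) == TSS_BUSY;
}
int main(void) { printf("naive=%d swapped_ok=%d\n", naive_fault(), swapped_ok()); return 0; }
```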
