From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-2.5 required=3.0 tests=HEADER_FROM_DIFFERENT_DOMAINS, MAILING_LIST_MULTI,SPF_HELO_NONE,SPF_PASS,URIBL_BLOCKED,USER_AGENT_SANE_1 autolearn=no autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id DD459C433DF for ; Tue, 23 Jun 2020 20:07:54 +0000 (UTC) Received: from mother.openwall.net (mother.openwall.net [195.42.179.200]) by mail.kernel.org (Postfix) with SMTP id 42D7E2078A for ; Tue, 23 Jun 2020 20:07:54 +0000 (UTC) DMARC-Filter: OpenDMARC Filter v1.3.2 mail.kernel.org 42D7E2078A Authentication-Results: mail.kernel.org; dmarc=fail (p=none dis=none) header.from=intel.com Authentication-Results: mail.kernel.org; spf=pass smtp.mailfrom=kernel-hardening-return-19080-kernel-hardening=archiver.kernel.org@lists.openwall.com Received: (qmail 11665 invoked by uid 550); 23 Jun 2020 20:07:46 -0000 Mailing-List: contact kernel-hardening-help@lists.openwall.com; run by ezmlm Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-ID: Received: (qmail 11642 invoked from network); 23 Jun 2020 20:07:45 -0000 IronPort-SDR: Xz/CUfjnEf8yHiL/MpVWKEQzH5VlS9Zyf1GAYu/7dBXzfdiIwcYy/aT6o/DNbAwyyZVYb3B3RC 35R3BIBuq8Tg== X-IronPort-AV: E=McAfee;i="6000,8403,9661"; a="143312457" X-IronPort-AV: E=Sophos;i="5.75,272,1589266800"; d="scan'208";a="143312457" X-Amp-Result: SKIPPED(no attachment in message) X-Amp-File-Uploaded: False IronPort-SDR: BUquHP6/egIubskUC+wd1qMKZIo8Ikj9vc9R1L2KgEVN7Re1Fh7E6yhj8tO0FBTJxozd8Oe4ES HDhJEnS/VEsA== X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="5.75,272,1589266800"; d="scan'208";a="301379329" Date: Tue, 23 Jun 2020 20:03:35 +0000 From: "Andersen, John" To: Andy Lutomirski Cc: Jonathan Corbet , Paolo Bonzini , Thomas Gleixner , Ingo Molnar , Borislav Petkov , X86 ML , "H. Peter Anvin" , Shuah Khan , "Christopherson, Sean J" , Liran Alon , Andrew Jones , Rick Edgecombe , Kristen Carlson Accardi , Vitaly Kuznetsov , Wanpeng Li , Jim Mattson , Joerg Roedel , mchehab+huawei@kernel.org, Greg KH , "Paul E. McKenney" , pawan.kumar.gupta@linux.intel.com, Juergen Gross , Mike Kravetz , Oliver Neukum , Peter Zijlstra , Fenghua Yu , reinette.chatre@intel.com, vineela.tummalapalli@intel.com, Dave Hansen , Arjan van de Ven , caoj.fnst@cn.fujitsu.com, Baoquan He , Arvind Sankar , Kees Cook , Dan Williams , eric.auger@redhat.com, aaronlewis@google.com, Peter Xu , makarandsonare@google.com, "open list:DOCUMENTATION" , LKML , kvm list , "open list:KERNEL SELFTEST FRAMEWORK" , Kernel Hardening Subject: Re: [PATCH 4/4] X86: Use KVM CR pin MSRs Message-ID: <20200623200334.GA23@6540770db1d7> References: <20200617190757.27081-1-john.s.andersen@intel.com> <20200617190757.27081-5-john.s.andersen@intel.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: User-Agent: Mutt/1.5.24 (2015-08-30) On Fri, Jun 19, 2020 at 10:13:25PM -0700, Andy Lutomirski wrote: > On Wed, Jun 17, 2020 at 12:05 PM John Andersen > wrote: > > Guests using the kexec system call currently do not support > > paravirtualized control register pinning. This is due to early boot > > code writing known good values to control registers, these values do > > not contain the protected bits. This is due to CPU feature > > identification being done at a later time, when the kernel properly > > checks if it can enable protections. As such, the pv_cr_pin command line > > option has been added which instructs the kernel to disable kexec in > > favor of enabling paravirtualized control register pinning. crashkernel > > is also disabled when the pv_cr_pin parameter is specified due to its > > reliance on kexec. > > Is there a plan for fixing this for real? I'm wondering if there is a > sane weakening of this feature that still allows things like kexec. > I'm pretty sure kexec can be fixed. I had it working at one point, I'm currently in the process of revalidating this. The issue was though that kexec only worked within the guest, not on the physical host, which I suspect is related to the need for supervisor pages to be mapped, which seems to be required before enabling SMAP (based on what I'd seen with the selftests and unittests). I was also just blindly turning on the bits without checking for support when I'd tried this, so that could have been the issue too. I think most of the changes for just blindly enabling the bits were in relocate_kernel, secondary_startup_64, and startup_32. > What happens if a guest tries to reset? For that matter, what happens > when a guest vCPU sends SIPI to another guest vCPU? The target CPU > starts up in real mode, right? > In this case we hit kvm_vcpu_reset, where we clear pinning. Yes I believe it starts up in real mode. > There's no SMEP or SMAP in real mode, and real mode has basically no security > mitigations at all. > We'd thought about the switch to real mode being a case where we'd want to drop pinning. However, we weren't sure how much weaker, if at all, it makes this protection. Unless someone knows, I'll probably need to do some digging into what an exploit might look like that tries switching to real mode and switching back as a way around this protection. If we can use the switch to real mode as a drop pinning trigger then I think that might just solve the kexec problem. > PCID is an odd case. I see no good reason to pin it, and pinning PCID > on prevents use of 32-bit mode. Maybe it makes sense to default to the values we have, but allow host userspace to overwrite the allowed values, in case some other guest OS wants to do something that Linux doesn't with PCID or other bits.