From: Andrew Cooper <Andrew.Cooper3@citrix.com>
To: Peter Zijlstra <peterz@infradead.org>, Borislav Petkov <bp@suse.de>
Cc: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>,
"linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>,
"linux-efi@vger.kernel.org" <linux-efi@vger.kernel.org>,
"x86@kernel.org" <x86@kernel.org>,
"ardb@kernel.org" <ardb@kernel.org>,
"tglx@linutronix.de" <tglx@linutronix.de>,
"gregkh@linuxfoundation.org" <gregkh@linuxfoundation.org>,
"torvalds@linux-foundation.org" <torvalds@linux-foundation.org>,
Guenter Roeck <linux@roeck-us.net>,
Josh Poimboeuf <jpoimboe@kernel.org>,
"stable@vger.kernel.org" <stable@vger.kernel.org>
Subject: Re: [PATCH] efi/x86: use naked RET on mixed mode call wrapper
Date: Mon, 18 Jul 2022 17:19:14 +0000 [thread overview]
Message-ID: <7c23621b-66fc-eb35-c329-bb947798016a@citrix.com> (raw)
In-Reply-To: <YtWMiyem8+N4vbKE@worktop.programming.kicks-ass.net>
On 18/07/2022 17:38, Peter Zijlstra wrote:
> On Mon, Jul 18, 2022 at 06:28:27PM +0200, Borislav Petkov wrote:
>> On Mon, Jul 18, 2022 at 01:41:37PM +0200, Peter Zijlstra wrote:
>>> diff --git a/arch/x86/include/asm/nospec-branch.h b/arch/x86/include/asm/nospec-branch.h
>>> index 10a3bfc1eb23..f934dcdb7c0d 100644
>>> --- a/arch/x86/include/asm/nospec-branch.h
>>> +++ b/arch/x86/include/asm/nospec-branch.h
>>> @@ -297,6 +297,8 @@ do { \
>>> alternative_msr_write(MSR_IA32_SPEC_CTRL, \
>>> spec_ctrl_current() | SPEC_CTRL_IBRS, \
>>> X86_FEATURE_USE_IBRS_FW); \
>>> + altnerative_msr_write(MSR_IA32_PRED_CMD, PRED_CMD_IBPB, \
>>> + X86_FEATURE_USE_IBPB_FW); \
>>> } while (0)
>> So I'm being told we need to untrain on return from EFI to protect the
>> kernel from it. Ontop of yours.
> I don't think there's any credible way we can protect against EFI taking
> over the system if it wants to. It runs at CPL0 and has access to the
> direct map. If EFI wants it can take over the system without trying.
I don't think an untrain is needed either. EFI RS can do anything it
wants, architecturally speaking, so the only threat is it acting as a
confused deputy.
The IBPB on the way in mitigates any BTC attacks against EFI-RS.
The "safe" BTB entry can be evicted due to competition or an alias, both
in kernel code or EFI code, but neither of these contexts will be
deliberately creating a malicious entry.
~Andrew
next prev parent reply other threads:[~2022-07-18 17:20 UTC|newest]
Thread overview: 12+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-07-15 19:45 [PATCH] efi/x86: use naked RET on mixed mode call wrapper Thadeu Lima de Souza Cascardo
2022-07-15 22:51 ` Guenter Roeck
2022-07-18 11:41 ` Peter Zijlstra
2022-07-18 13:59 ` Thadeu Lima de Souza Cascardo
2022-07-18 16:10 ` Peter Zijlstra
2022-07-18 16:28 ` Borislav Petkov
2022-07-18 16:38 ` Peter Zijlstra
2022-07-18 17:19 ` Andrew Cooper [this message]
2022-07-18 18:34 ` Linus Torvalds
2022-07-18 18:46 ` Borislav Petkov
2022-07-19 15:22 ` Ard Biesheuvel
2022-07-19 17:37 ` Borislav Petkov
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=7c23621b-66fc-eb35-c329-bb947798016a@citrix.com \
--to=andrew.cooper3@citrix.com \
--cc=ardb@kernel.org \
--cc=bp@suse.de \
--cc=cascardo@canonical.com \
--cc=gregkh@linuxfoundation.org \
--cc=jpoimboe@kernel.org \
--cc=linux-efi@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux@roeck-us.net \
--cc=peterz@infradead.org \
--cc=stable@vger.kernel.org \
--cc=tglx@linutronix.de \
--cc=torvalds@linux-foundation.org \
--cc=x86@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox