public inbox for linux-kernel@vger.kernel.org
From: torvalds@transmeta.com (Linus Torvalds)
To: linux-kernel@vger.kernel.org
Subject: Re: Initial process CPU state was Re: SSE related security hole
Date: Mon, 22 Apr 2002 23:28:21 +0000 (UTC)
Message-ID: <aa26al$1gk$1@penguin.transmeta.com>
In-Reply-To: <9287DC1579B0D411AA2F009027F44C3F171C1A9E@FMSMSX41> <m3ofgbcppe.fsf@averell.firstfloor.org>

In article <m3ofgbcppe.fsf@averell.firstfloor.org>,
Andi Kleen  <ak@muc.de> wrote:
>
>Could you quickly describe what the Intel recommended way is to clear
>the whole CPU at the beginning of a process? Is there a better way
>than "save state with fxsave at bootup and restore into each
>new process"?

Note that I will _not_ accept a patch that does the "fxsave at bootup"
thing, because since Linux doesn't actually control the bootup, and
since it gets more and more likely that the BIOS will actually use the
SSE etc registers, a boot-time "fxsave" will mean that different
machines will have potentially quite different process initialization. 

In fact, even the same machine might act differently depending on how it
was booted up (ie warm vs cold vs resume boot, different BIOS path due
to different BIOS options etc). 

Now, that wouldn't be a security hole per se, but it would be hell to
debug problems ("My other machine that is identical doesn't show that
bug").

Basically there _needs_ to be an architected way to ensure that the FP
data is in a known and valid state.

(The "fxsave early" approach results in a valid - but not known -
state). 

>Another way would be to do a fxsave after clearing of known state (x87,MMX,
>SSE) at OS bootup and then afterwards set all the so far reserved parts of the 
>FXSAVE image to zero.

This is basically what we do right now (ie as of 2.5.9, just released). 

Except we set it to zero before, since the state we _do_ know about (ie
current x87, MMX, SSE) is initialized to exactly the state you mention
(by hand), and then the rest is just initialized to zero. 

		Linus
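
The contrast drawn in the message above, as an added example that is not part of the original message or of the kernel source: an FXSAVE image built by hand (known x87/SSE control words, everything else zero) next to a constructed stand-in for a boot-time snapshot. The offsets follow the documented FXSAVE layout; the function names and the firmware "leftover" bytes are assumptions made up for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define FXSAVE_SIZE 512   /* size of the FXSAVE/FXRSTOR memory image */
#define OFF_FCW       0   /* x87 control word, 2 bytes, little-endian */
#define OFF_MXCSR    24   /* SSE control/status register, 4 bytes */
#define OFF_XMM0    160   /* XMM registers, 16 bytes each */
#define OFF_TAIL    416   /* reserved/unused tail of the image */

/* Known state set by hand: zero everything, then the two non-zero defaults. */
void fx_init_known(uint8_t img[FXSAVE_SIZE])
{
    memset(img, 0, FXSAVE_SIZE);   /* registers, tag word, reserved parts */
    img[OFF_FCW]       = 0x7F;     /* FCW = 0x037F, the value FNINIT loads */
    img[OFF_FCW + 1]   = 0x03;
    img[OFF_MXCSR]     = 0x80;     /* MXCSR = 0x1F80, all exceptions masked */
    img[OFF_MXCSR + 1] = 0x1F;
}

/* Constructed stand-in for a boot-time fxsave: valid control words, but
 * firmware left `leftover` in XMM3 and in the reserved tail (hypothetical). */
void fx_boot_snapshot_constructed(uint8_t img[FXSAVE_SIZE], uint8_t leftover)
{
    fx_init_known(img);
    memset(img + OFF_XMM0 + 3 * 16, leftover, 16);
    img[OFF_TAIL + 48] = leftover;
}

/* Offset of the first byte that differs from the known state, or -1. */
int fx_first_unknown_byte(const uint8_t img[FXSAVE_SIZE])
{
    uint8_t ref[FXSAVE_SIZE];
    fx_init_known(ref);
    for (int i = 0; i < FXSAVE_SIZE; i++)
        if (img[i] != ref[i])
            return i;
    return -1;
}

int main(void)
{
    uint8_t by_hand[FXSAVE_SIZE], machine_a[FXSAVE_SIZE], machine_b[FXSAVE_SIZE];
    fx_init_known(by_hand);
    fx_boot_snapshot_constructed(machine_a, 0xAA);
    fx_boot_snapshot_constructed(machine_b, 0x55);
    printf("by hand:   %d\n", fx_first_unknown_byte(by_hand));
    printf("machine A: %d\n", fx_first_unknown_byte(machine_a));
    printf("A == B:    %d\n", memcmp(machine_a, machine_b, FXSAVE_SIZE) == 0);
    return 0;
}
```

Both snapshot images would restore without fault, yet they differ from each other and from the hand-built image, which is the "valid but not known" case.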
