Message-ID: <1485097837.3733.1.camel@corsac.net>
Date: Sun, 22 Jan 2017 16:10:37 +0100
From: Yves-Alexis Perez <corsac@...sac.net>
To: Solar Designer <solar@...nwall.com>, kernel-hardening@...ts.openwall.com
Subject: Re: Disable and lock Silicon Debug feature on modern Intel CPUs
On Sun, 2017-01-22 at 00:41 +0100, Solar Designer wrote:
> Silicon Debug should probably be disabled and locked by default, but
> there should be a kernel parameter to avoid this.
Hi, I intended to take a look but (un)fortunately it seems that my laptop
(ThinkPad X250) has it locked disabled (I guess by Lenovo BIOS).

I can still work on a patch but it'll be untested. Does one know of unlocked
platforms?

For reference, here's how to determine your situation:

cpuid tools (version 20161201) doesn't support the SDBG bit but you can display
the raw value:

    cpuid -r -1 -l 1 | awk '/ecx=/ { print $5 }'
    ecx=0x7ffafbbf

SDBG is bit 11, set here (Broadwell).

Looking at the IA32_DEBUG_INTERFACE (0xc80) MSR reveals its status:

    rdmsr 0xc80
    40000000

with:

    IA32_DEBUG_INTERFACE_ENABLE 0x00000001
    IA32_DEBUG_INTERFACE_LOCK   0x40000000
    IA32_DEBUG_INTERFACE_MASK   0x80000000

So in my case it's not enabled, and it's locked.

Regards,
--
Yves-Alexis
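
Added example, not part of the original message: a small POSIX sh helper that decodes the two raw values using the bit positions quoted in the message. The function names `to_num` and `sdbg_status`, the output labels and the `--live` switch are assumptions made for this example.

```shell
#!/bin/sh
# Added example: classify Silicon Debug state from the raw CPUID leaf 1 ECX
# value and the raw IA32_DEBUG_INTERFACE (0xc80) MSR value.
SDBG_ECX_BIT=11              # SDBG feature bit, as stated in the message
DBG_IF_ENABLE=0x00000001     # IA32_DEBUG_INTERFACE_ENABLE
DBG_IF_LOCK=0x40000000       # IA32_DEBUG_INTERFACE_LOCK

# to_num (hypothetical helper): hex string, with or without 0x, to decimal.
# rdmsr prints no prefix, cpuid -r prints one.
to_num() {
    h=${1#0x}; h=${h#0X}
    case $h in
        ''|*[!0-9a-fA-F]*) return 1 ;;
    esac
    echo $(( 0x$h ))
}

# sdbg_status ECX [MSR]: prints unsupported, locked-disabled, locked-enabled,
# unlocked-disabled, unlocked-enabled, or invalid (exit status 2).
sdbg_status() {
    c=$(to_num "${1:-}") || { echo invalid; return 2; }
    # Without the SDBG bit the MSR is not readable, so stop before parsing it.
    if [ $(( (c >> SDBG_ECX_BIT) & 1 )) -eq 0 ]; then
        echo unsupported; return 0
    fi
    m=$(to_num "${2:-}") || { echo invalid; return 2; }
    if [ $(( m & DBG_IF_LOCK )) -ne 0 ]; then lock=locked; else lock=unlocked; fi
    if [ $(( m & DBG_IF_ENABLE )) -ne 0 ]; then en=enabled; else en=disabled; fi
    echo "$lock-$en"
}

# Live check with the commands from the message; rdmsr needs the msr module
# and root. Only "unlocked-*" leaves room for the OS to disable and lock.
if [ "${1:-}" = "--live" ]; then
    raw_ecx=$(cpuid -r -1 -l 1 | awk '/ecx=/ { print $5 }')
    raw_msr=$(rdmsr 0xc80 2>/dev/null || true)
    sdbg_status "${raw_ecx#ecx=}" "$raw_msr"
fi
```
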