|
Message-ID: <ciirm8va2gg3rp.fsf@u54ee758033e858cfa736.ant.amazon.com> Date: Tue, 22 Jan 2019 16:34:18 +0200 From: Julian Stecklina <jsteckli@...zon.de> To: Kees Cook <keescook@...omium.org> Cc: Greg KH <gregkh@...uxfoundation.org>, Andi Kleen <ak@...ux.intel.com>, LKML <linux-kernel@...r.kernel.org>, David Woodhouse <dwmw2@...radead.org>, Liran Alon <liran.alon@...cle.com>, Paolo Bonzini <pbonzini@...hat.com>, Thomas Gleixner <tglx@...utronix.de>, Linus Torvalds <torvalds@...ux-foundation.org>, X86 ML <x86@...nel.org>, Kernel Hardening <kernel-hardening@...ts.openwall.com> Subject: Re: [RFC] x86/speculation: add L1 Terminal Fault / Foreshadow demo Kees Cook <keescook@...omium.org> writes: > On Tue, Jan 22, 2019 at 8:15 AM Greg KH <gregkh@...uxfoundation.org> wrote: >> >> On Mon, Jan 21, 2019 at 10:36:18AM -0800, Andi Kleen wrote: >> > > + /* Check the start address: needs to be page-aligned.. */ >> > > +- if (start & ~PAGE_MASK) >> > > ++ if (start & ~PAGE_MASK) { >> > > ++ >> > > ++ /* >> > > ++ * XXX Hack >> > > ++ * >> > > ++ * We re-use this error case to show case a cache load gadget: >> > > ++ * There is a mispredicted branch, which leads to prefetching >> > > ++ * the cache with attacker controlled data. >> > > ++ */ >> > > ++ asm volatile ( >> > >> > Obviously that can never be added to a standard kernel. >> >> No, that's why it is a patch, right? Yes, this is obviously only for experimenting. >> People want to test things, it's nice to have a way to easily do >> this. > > What about adding something like it to drivers/misc/lkdtm/ instead? > > It's not a "production" module, but it regularly get built for selftest builds. For people who want to test L1TF hardening patches in the kernel (e.g. XPFO) it's certainly nice to not have to manually patch the kernel to add an easy to reach cache load gadget. It's also nice if you quickly want to test whether a random Intel CPU has this vulnerability. The cache load gadget as it is right now is mostly to show a reasonably realistic scenario of speculatively executed code fetching memory into the L1 cache. I didn't want to make this a completely crafted example where I just literally execute a prefetch instruction. But what I could do is add a bit of code in lkdtm that exposes a debugfs file with this functionality. Thoughts? Julian
Powered by blists - more mailing lists
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.