Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Tue, 14 Jul 2020 05:36:33 +0000
From: "Andersen, John" <>, Arvind Sankar <>
To: Andy Lutomirski <>
Cc: Dave Hansen <>,
	Paolo Bonzini <>,
	Sean Christopherson <>,
	Jonathan Corbet <>,
	Thomas Gleixner <>,
	Ingo Molnar <>, Borislav Petkov <>,
	X86 ML <>, "H. Peter Anvin" <>,
	Shuah Khan <>, Liran Alon <>,
	Andrew Jones <>,
	Rick Edgecombe <>,
	Kristen Carlson Accardi <>,
	Vitaly Kuznetsov <>,
	Wanpeng Li <>,
	Jim Mattson <>, Joerg Roedel <>,
	Mauro Carvalho Chehab <>,
	Greg KH <>,
	"Paul E. McKenney" <>,
	Pawan Gupta <>,
	Juergen Gross <>,
	Mike Kravetz <>,
	Oliver Neukum <>,
	Peter Zijlstra <>,
	Fenghua Yu <>,,,
	Dave Hansen <>,
	Arjan van de Ven <>,,
	Baoquan He <>, Kees Cook <>,
	Dan Williams <>,,, Peter Xu <>,,
	"open list:DOCUMENTATION" <>,
	LKML <>, kvm list <>,
	Kernel Hardening <>
Subject: Re: [PATCH 2/4] KVM: x86: Introduce paravirt feature CR0/CR4 pinning

On Thu, Jul 09, 2020 at 09:27:43AM -0700, Andy Lutomirski wrote:
> On Thu, Jul 9, 2020 at 9:22 AM Dave Hansen <> wrote:
> >
> > On 7/9/20 9:07 AM, Andy Lutomirski wrote:
> > > On Thu, Jul 9, 2020 at 8:56 AM Dave Hansen <> wrote:
> > >> On 7/9/20 8:44 AM, Andersen, John wrote:
> > >>>         Bits which are allowed to be pinned default to WP for CR0 and SMEP,
> > >>>         SMAP, and UMIP for CR4.
> > >> I think it also makes sense to have FSGSBASE in this set.
> > >>
> > >> I know it hasn't been tested, but I think we should do the legwork to
> > >> test it.  If not in this set, can we agree that it's a logical next step?
> > > I have no objection to pinning FSGSBASE, but is there a clear
> > > description of the threat model that this whole series is meant to
> > > address?  The idea is to provide a degree of protection against an
> > > attacker who is able to convince a guest kernel to write something
> > > inappropriate to CR4, right?  How realistic is this?
> >
> > If a quick search can find this:
> >
> > >
> >
> > I'd pretty confident that the guys doing actual bad things have it in
> > their toolbox too.
> >
> True, but we have the existing software CR4 pinning.  I suppose the
> virtualization version is stronger.

Yes, as Kees said this will be stronger because it stops ROP and other gadget
based techniques which avoid the use of native_write_cr0/4().

With regards to what should be done in this patchset and what in other
patchsets. I have a fix for kexec thanks to Arvind's note about
TRAMPOLINE_32BIT_CODE_SIZE. The physical host boots fine now and the virtual
one can kexec fine.

What remains to be done on that front is to add some identifying information to
the kernel image to declare that it supports paravirtualized control register
pinning or not.

Liran suggested adding a section to the built image acting as a flag to signify
support for being kexec'd by a kernel with pinning enabled. If anyone has any
opinions on how they'd like to see this implemented please let me know.
Otherwise I'll just take a stab at it and you'll all see it hopefully in the
next version.

With regards to FSGSBASE, are we open to validating and adding that to the
DEFAULT set as a part of a separate patchset? This patchset is focused on
replicating the functionality we already have natively.

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.