All of lore.kernel.org
 help / color / mirror / Atom feed
From: Sean Christopherson <sean.j.christopherson@intel.com>
To: Borislav Petkov <bp@alien8.de>
Cc: x86-ml <x86@kernel.org>,
	Linus Torvalds <torvalds@linux-foundation.org>,
	lkml <linux-kernel@vger.kernel.org>
Subject: Re: [RFC PATCH] x86/msr: Filter MSR writes
Date: Fri, 12 Jun 2020 10:43:07 -0700	[thread overview]
Message-ID: <20200612174307.GD1026@linux.intel.com> (raw)
In-Reply-To: <20200612170303.GD22660@zn.tnic>

On Fri, Jun 12, 2020 at 07:03:03PM +0200, Borislav Petkov wrote:
> On Fri, Jun 12, 2020 at 09:57:09AM -0700, Sean Christopherson wrote:
> > DS_AREA takes a virtual (linear) address, i.e. the address can be legal from
> > the CPUs perspective but still lead to a #PF due to the address not being
> > mapped in the page tables.
> 
> It's not that - peterz and tglx - and I assume you meant that too - you
> all want to taint on the very *attempt* to WRMSR, regardless of whether
> the MSR exists or not.
> 
> I don't necessarily agree with that because I don't think we should
> taint when the MSR doesn't exist but if you all want it, sure, whatever.
> I don't care that deeply.

The problem is a fault on WRMSR doesn't mean the MSR doesn't exist, it only
means WRMSR faulted.  WRMSR can for all intents and purpose trigger completely
arbitrary microcode flows, e.g. WRMSR 0x79 can fundamentally change the
behavior of the CPU.

And it's not like the WRMSR->taint is atomic, e.g. changing a platform scoped
MSR that affects voltage settings or something of that nature could easily
tank the system on a successful WRMSR before the kernel can be marked tainted.

> > So users don't have to unload and reload the module just to enable or
> > disable writes.  I don't think it changes the protections in any way, a
> > priveleged user still needs to explicitly toggle the control.
> 
> There's /sys/module/msr/parameters/. A privileged user can do whatever.
> A non-privileged should not disable that.

0400 only allows a privelged user to read the parameter, e.g. for parameters
that are snapshotted at module load time and/or changing the param while the
module is running would cause breakage.

0600 allows a priveleged user to read and write the parameter, which AFAICT
is safe here.

0644 allows a priveleged user to read and write the parameter, and allows an
unpriveleged user to read the param.  

> -- 
> Regards/Gruss,
>     Boris.
> 
> https://people.kernel.org/tglx/notes-about-netiquette

  reply	other threads:[~2020-06-12 17:43 UTC|newest]

Thread overview: 43+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2020-06-12 10:50 [RFC PATCH] x86/msr: Filter MSR writes Borislav Petkov
2020-06-12 16:34 ` Sean Christopherson
2020-06-12 16:46   ` Borislav Petkov
2020-06-12 16:57     ` Sean Christopherson
2020-06-12 17:03       ` Borislav Petkov
2020-06-12 17:43         ` Sean Christopherson [this message]
2020-06-12 17:52           ` Borislav Petkov
2020-06-12 17:20 ` Linus Torvalds
2020-06-12 17:48   ` Borislav Petkov
2020-06-12 19:47     ` Borislav Petkov
2020-06-12 20:39     ` Peter Zijlstra
2020-06-13  5:40       ` Tony Luck
2020-06-13  9:39       ` Borislav Petkov
2020-06-13 15:48 ` [PATCH -v2] " Borislav Petkov
2020-06-15  6:38   ` [PATCH -v2.1] " Borislav Petkov
2020-06-25  5:51     ` Sean Christopherson
2020-06-25  8:37       ` Borislav Petkov
2020-07-14 12:19     ` Chris Down
2020-07-14 15:47       ` Borislav Petkov
2020-07-14 16:04         ` Chris Down
2020-07-14 16:46           ` Luck, Tony
2020-07-14 16:58             ` Borislav Petkov
2020-07-14 17:02             ` Chris Down
2020-07-14 16:56           ` Borislav Petkov
2020-07-14 17:04             ` Chris Down
2020-07-14 18:52             ` Srinivas Pandruvada
2020-07-15  4:26               ` Borislav Petkov
2020-07-14 19:17           ` Matthew Garrett
2020-11-17 21:00             ` Mathieu Chouquet-Stringer
2020-11-17 21:20               ` Borislav Petkov
2020-11-18  8:58                 ` Mathieu Chouquet-Stringer
2020-11-18  9:09                 ` Mathieu Chouquet-Stringer
2020-11-18 11:50                   ` Borislav Petkov
2020-11-18 14:04                     ` [PATCH] " Mathieu Chouquet-Stringer
2020-11-18 17:50                       ` Borislav Petkov
2020-11-19 10:53                         ` Mathieu Chouquet-Stringer
2020-11-25 21:41                           ` Mathieu Chouquet-Stringer
2020-11-26 10:03                           ` Borislav Petkov
2020-11-17 21:21               ` [PATCH -v2.1] " Matthew Garrett
2020-11-17 21:22                 ` Matthew Garrett
2020-11-18  9:02                   ` Mathieu Chouquet-Stringer
2020-06-17 15:06 ` [tip: x86/misc] " tip-bot2 for Borislav Petkov
2020-06-25  8:45 ` tip-bot2 for Borislav Petkov

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20200612174307.GD1026@linux.intel.com \
    --to=sean.j.christopherson@intel.com \
    --cc=bp@alien8.de \
    --cc=linux-kernel@vger.kernel.org \
    --cc=torvalds@linux-foundation.org \
    --cc=x86@kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.