From: Stas Sergeev <stsp@list.ru> To: Andy Lutomirski <luto@kernel.org>, Ricardo Neri <ricardo.neri-calderon@linux.intel.com> Cc: Ingo Molnar <mingo@redhat.com>, Thomas Gleixner <tglx@linutronix.de>, "H. Peter Anvin" <hpa@zytor.com>, Borislav Petkov <bp@suse.de>, Peter Zijlstra <peterz@infradead.org>, Andrew Morton <akpm@linux-foundation.org>, Brian Gerst <brgerst@gmail.com>, Chris Metcalf <cmetcalf@mellanox.com>, Dave Hansen <dave.hansen@linux.intel.com>, Paolo Bonzini <pbonzini@redhat.com>, Masami Hiramatsu <mhiramat@kernel.org>, Huang Rui <ray.huang@amd.com>, Jiri Slaby <jslaby@suse.cz>, Jonathan Corbet <corbet@lwn.net>, "Michael S. Tsirkin" <mst@redhat.com>, Paul Gortmaker <paul.gortmaker@windriver.com>, Vlastimil Babka <vbabka@suse.cz>, Chen Yucong <slaoub@gmail.com>, Alexandre Julliard <julliard@winehq.org>, Fenghua Yu <fenghua.yu@intel.com>, "Ravi V. Shankar" <ravi.v.shankar@intel.com>, Shuah Khan <shuah@kernel.org>, "linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>, X86 ML <x86@kernel.org>, linux-msdos@vger.kernel.org, wine-devel@winehq.org Subject: Re: [v6 PATCH 00/21] x86: Enable User-Mode Instruction Prevention Date: Fri, 10 Mar 2017 13:30:06 +0300 [thread overview] Message-ID: <7ea39103-c193-4d6d-572f-a1bdb27c3627@list.ru> (raw) In-Reply-To: <CALCETrX3WnnKGJUT7sXCD8Ynq58CCHS4fgi-D-bLQR5r-6Z_RQ@mail.gmail.com> 10.03.2017 05:41, Andy Lutomirski пишет: > On Wed, Mar 8, 2017 at 5:11 PM, Ricardo Neri > <ricardo.neri-calderon@linux.intel.com> wrote: >> On Wed, 2017-03-08 at 19:53 +0300, Stas Sergeev wrote: >>> 08.03.2017 19:46, Andy Lutomirski пишет: >>>>> No no, since I meant prot mode, this is not what I need. >>>>> I would never need to disable UMIP as to allow the >>>>> prot mode apps to do SLDT. Instead it would be good >>>>> to have an ability to provide a replacement for the dummy >>>>> emulation that is currently being proposed for kernel. >>>>> All is needed for this, is just to deliver a SIGSEGV. >>>> That's what I meant. Turning off FIXUP_UMIP would leave UMIP on but >>>> turn off the fixup, so you'd get a SIGSEGV indicating #GP (or a vm86 >>>> GP exit). >>> But then I am confused with the word "compat" in >>> your "COMPAT_MASK0_X86_UMIP_FIXUP" and >>> "sys_adjust_compat_mask(int op, int word, u32 mask);" >>> >>> Leaving UMIP on and only disabling a fixup doesn't >>> sound like a compat option to me. I would expect >>> compat to disable it completely. >> I guess that the _UMIP_FIXUP part makes it clear that emulation, not >> UMIP is disabled, allowing the SIGSEGV be delivered to the user space >> program. >> >> Would having a COMPAT_MASK0_X86_UMIP_FIXUP to disable emulation and a >> COMPAT_MASK0_X86_UMIP to disable UMIP make sense? >> >> Also, wouldn't having a COMPAT_MASK0_X86_UMIP to disable UMIP defeat its >> purpose? Applications could simply use this compat mask to bypass UMIP >> and gain access to the instructions it protects. >> > I was obviously extremely unclear. The point of the proposed syscall > is to let programs opt out of legacy features. I guess both "compat" and "legacy" are misleading here. Maybe these are "x86-specific" or "hypervisor-specific", but a mere enabling of UMIP doesn't immediately make the use of SLDT instruction a legacy IMHO. > I'll ponder this a bit more. So if we are to invent something new, it would be nice to also think up a clear terminology for it. Maybe something like "X86_FEATURE_xxx_MASK" or alike.
WARNING: multiple messages have this Message-ID (diff)
From: Stas Sergeev <stsp@list.ru> To: Andy Lutomirski <luto@kernel.org>, Ricardo Neri <ricardo.neri-calderon@linux.intel.com> Cc: Ingo Molnar <mingo@redhat.com>, Thomas Gleixner <tglx@linutronix.de>, "H. Peter Anvin" <hpa@zytor.com>, Borislav Petkov <bp@suse.de>, Peter Zijlstra <peterz@infradead.org>, Andrew Morton <akpm@linux-foundation.org>, Brian Gerst <brgerst@gmail.com>, Chris Metcalf <cmetcalf@mellanox.com>, Dave Hansen <dave.hansen@linux.intel.com>, Paolo Bonzini <pbonzini@redhat.com>, Masami Hiramatsu <mhiramat@kernel.org>, Huang Rui <ray.huang@amd.com>, Jiri Slaby <jslaby@suse.cz>, Jonathan Corbet <corbet@lwn.net>, "Michael S. Tsirkin" <mst@redhat.com>, Paul Gortmaker <paul.gortmaker@windriver.com>, Vlastimil Babka <vbabka@suse.cz>, Chen Yucong <slaoub@gmail.com>, Alexandre Julliard <julliard@winehq.org>, Fenghua Yu <fenghua.yu@intel.com>, "Ravi V. Shankar" <ra> Subject: Re: [v6 PATCH 00/21] x86: Enable User-Mode Instruction Prevention Date: Fri, 10 Mar 2017 13:30:06 +0300 [thread overview] Message-ID: <7ea39103-c193-4d6d-572f-a1bdb27c3627@list.ru> (raw) In-Reply-To: <CALCETrX3WnnKGJUT7sXCD8Ynq58CCHS4fgi-D-bLQR5r-6Z_RQ@mail.gmail.com> 10.03.2017 05:41, Andy Lutomirski пишет: > On Wed, Mar 8, 2017 at 5:11 PM, Ricardo Neri > <ricardo.neri-calderon@linux.intel.com> wrote: >> On Wed, 2017-03-08 at 19:53 +0300, Stas Sergeev wrote: >>> 08.03.2017 19:46, Andy Lutomirski пишет: >>>>> No no, since I meant prot mode, this is not what I need. >>>>> I would never need to disable UMIP as to allow the >>>>> prot mode apps to do SLDT. Instead it would be good >>>>> to have an ability to provide a replacement for the dummy >>>>> emulation that is currently being proposed for kernel. >>>>> All is needed for this, is just to deliver a SIGSEGV. >>>> That's what I meant. Turning off FIXUP_UMIP would leave UMIP on but >>>> turn off the fixup, so you'd get a SIGSEGV indicating #GP (or a vm86 >>>> GP exit). >>> But then I am confused with the word "compat" in >>> your "COMPAT_MASK0_X86_UMIP_FIXUP" and >>> "sys_adjust_compat_mask(int op, int word, u32 mask);" >>> >>> Leaving UMIP on and only disabling a fixup doesn't >>> sound like a compat option to me. I would expect >>> compat to disable it completely. >> I guess that the _UMIP_FIXUP part makes it clear that emulation, not >> UMIP is disabled, allowing the SIGSEGV be delivered to the user space >> program. >> >> Would having a COMPAT_MASK0_X86_UMIP_FIXUP to disable emulation and a >> COMPAT_MASK0_X86_UMIP to disable UMIP make sense? >> >> Also, wouldn't having a COMPAT_MASK0_X86_UMIP to disable UMIP defeat its >> purpose? Applications could simply use this compat mask to bypass UMIP >> and gain access to the instructions it protects. >> > I was obviously extremely unclear. The point of the proposed syscall > is to let programs opt out of legacy features. I guess both "compat" and "legacy" are misleading here. Maybe these are "x86-specific" or "hypervisor-specific", but a mere enabling of UMIP doesn't immediately make the use of SLDT instruction a legacy IMHO. > I'll ponder this a bit more. So if we are to invent something new, it would be nice to also think up a clear terminology for it. Maybe something like "X86_FEATURE_xxx_MASK" or alike.
next prev parent reply other threads:[~2017-03-10 20:54 UTC|newest] Thread overview: 222+ messages / expand[flat|nested] mbox.gz Atom feed top 2017-03-08 0:32 [v6 PATCH 00/21] x86: Enable User-Mode Instruction Prevention Ricardo Neri 2017-03-08 0:32 ` Ricardo Neri 2017-03-08 0:32 ` [v6 PATCH 01/21] x86/mpx: Use signed variables to compute effective addresses Ricardo Neri 2017-03-08 0:32 ` Ricardo Neri 2017-04-11 21:56 ` Borislav Petkov 2017-04-11 21:56 ` Borislav Petkov 2017-04-26 1:40 ` Ricardo Neri 2017-04-26 1:40 ` Ricardo Neri 2017-03-08 0:32 ` [v6 PATCH 02/21] x86/mpx: Do not use SIB index if index points to R/ESP Ricardo Neri 2017-03-08 0:32 ` Ricardo Neri 2017-04-11 11:31 ` Borislav Petkov 2017-04-11 11:31 ` Borislav Petkov 2017-04-26 1:39 ` Ricardo Neri 2017-04-26 1:39 ` Ricardo Neri 2017-03-08 0:32 ` [v6 PATCH 03/21] x86/mpx: Do not use R/EBP as base in the SIB byte with Mod = 0 Ricardo Neri 2017-03-08 0:32 ` Ricardo Neri 2017-04-11 22:08 ` Borislav Petkov 2017-04-11 22:08 ` Borislav Petkov 2017-04-26 2:04 ` Ricardo Neri 2017-04-26 2:04 ` Ricardo Neri 2017-04-26 8:05 ` Borislav Petkov 2017-04-26 8:05 ` Borislav Petkov 2017-04-27 22:49 ` Ricardo Neri 2017-04-27 22:49 ` Ricardo Neri 2017-03-08 0:32 ` [v6 PATCH 04/21] x86/mpx, x86/insn: Relocate insn util functions to a new insn-kernel Ricardo Neri 2017-03-08 0:32 ` Ricardo Neri 2017-04-12 10:03 ` Borislav Petkov 2017-04-12 10:03 ` Borislav Petkov 2017-04-26 2:05 ` Ricardo Neri 2017-04-26 2:05 ` Ricardo Neri 2017-03-08 0:32 ` [v6 PATCH 05/21] x86/insn-eval: Add utility functions to get register offsets Ricardo Neri 2017-03-08 0:32 ` Ricardo Neri 2017-04-12 16:28 ` Borislav Petkov 2017-04-12 16:28 ` Borislav Petkov 2017-04-26 18:13 ` Ricardo Neri 2017-04-26 18:13 ` Ricardo Neri 2017-04-28 10:40 ` Borislav Petkov 2017-04-28 10:40 ` Borislav Petkov 2017-03-08 0:32 ` [v6 PATCH 06/21] x86/insn-eval: Add utility functions to get segment selector Ricardo Neri 2017-03-08 0:32 ` Ricardo Neri 2017-04-18 9:42 ` Borislav Petkov 2017-04-18 9:42 ` Borislav Petkov 2017-04-26 20:44 ` Ricardo Neri 2017-04-26 20:44 ` Ricardo Neri 2017-04-26 20:47 ` Ricardo Neri 2017-04-26 20:47 ` Ricardo Neri 2017-04-30 17:15 ` Borislav Petkov 2017-04-30 17:15 ` Borislav Petkov 2017-05-05 18:31 ` Ricardo Neri 2017-05-05 18:31 ` Ricardo Neri 2017-03-08 0:32 ` [v6 PATCH 07/21] x86/insn-eval: Add utility function to get segment descriptor Ricardo Neri 2017-03-08 0:32 ` Ricardo Neri 2017-04-19 10:26 ` Borislav Petkov 2017-04-19 10:26 ` Borislav Petkov 2017-04-26 21:51 ` Ricardo Neri 2017-04-26 21:51 ` Ricardo Neri 2017-05-04 11:02 ` Borislav Petkov 2017-05-04 11:02 ` Borislav Petkov 2017-05-12 2:13 ` Ricardo Neri 2017-05-12 2:13 ` Ricardo Neri 2017-05-15 17:27 ` Borislav Petkov 2017-05-15 17:27 ` Borislav Petkov 2017-03-08 0:32 ` [v6 PATCH 08/21] x86/insn-eval: Add utility function to get segment descriptor base address Ricardo Neri 2017-03-08 0:32 ` Ricardo Neri 2017-04-20 8:25 ` Borislav Petkov 2017-04-20 8:25 ` Borislav Petkov 2017-04-26 22:37 ` Ricardo Neri 2017-04-26 22:37 ` Ricardo Neri 2017-05-05 17:19 ` Borislav Petkov 2017-05-05 17:19 ` Borislav Petkov 2017-05-12 2:09 ` Ricardo Neri 2017-05-12 2:09 ` Ricardo Neri 2017-04-26 22:52 ` Ricardo Neri 2017-04-26 22:52 ` Ricardo Neri 2017-05-05 17:28 ` Borislav Petkov 2017-05-05 17:28 ` Borislav Petkov 2017-05-12 2:06 ` Ricardo Neri 2017-05-12 2:06 ` Ricardo Neri 2017-03-08 0:32 ` [v6 PATCH 09/21] x86/insn-eval: Add functions to get default operand and address sizes Ricardo Neri 2017-03-08 0:32 ` Ricardo Neri 2017-04-20 13:06 ` Borislav Petkov 2017-04-20 13:06 ` Borislav Petkov 2017-04-27 1:07 ` Ricardo Neri 2017-04-27 1:07 ` Ricardo Neri 2017-03-08 0:32 ` [v6 PATCH 10/21] x86/insn-eval: Do not use R/EBP as base if mod in ModRM is zero Ricardo Neri 2017-03-08 0:32 ` Ricardo Neri 2017-04-21 10:52 ` Borislav Petkov 2017-04-21 10:52 ` Borislav Petkov 2017-04-27 1:29 ` Ricardo Neri 2017-04-27 1:29 ` Ricardo Neri 2017-05-07 17:20 ` Borislav Petkov 2017-05-07 17:20 ` Borislav Petkov 2017-05-12 1:57 ` Ricardo Neri 2017-05-12 1:57 ` Ricardo Neri 2017-03-08 0:32 ` [v6 PATCH 11/21] insn/eval: Incorporate segment base in address computation Ricardo Neri 2017-03-08 0:32 ` Ricardo Neri 2017-04-21 14:55 ` Borislav Petkov 2017-04-21 14:55 ` Borislav Petkov 2017-04-27 1:31 ` Ricardo Neri 2017-04-27 1:31 ` Ricardo Neri 2017-03-08 0:32 ` [v6 PATCH 12/21] x86/insn: Support both signed 32-bit and 64-bit effective addresses Ricardo Neri 2017-03-08 0:32 ` Ricardo Neri 2017-04-25 13:51 ` Borislav Petkov 2017-04-25 13:51 ` Borislav Petkov 2017-04-27 3:33 ` Ricardo Neri 2017-04-27 3:33 ` Ricardo Neri 2017-05-08 11:42 ` Borislav Petkov 2017-05-08 11:42 ` Borislav Petkov 2017-05-12 1:55 ` Ricardo Neri 2017-05-12 1:55 ` Ricardo Neri 2017-03-08 0:32 ` [v6 PATCH 13/21] x86/insn-eval: Add support to resolve 16-bit addressing encodings Ricardo Neri 2017-03-08 0:32 ` Ricardo Neri 2017-03-08 0:32 ` [v6 PATCH 14/21] x86/insn-eval: Add wrapper function for 16-bit and 32-bit address encodings Ricardo Neri 2017-03-08 0:32 ` Ricardo Neri 2017-03-08 0:32 ` [v6 PATCH 15/21] x86/mm: Relocate page fault error codes to traps.h Ricardo Neri 2017-03-08 0:32 ` Ricardo Neri 2017-03-08 16:08 ` Andy Lutomirski 2017-03-08 16:08 ` Andy Lutomirski 2017-03-08 0:32 ` [v6 PATCH 16/21] x86/cpufeature: Add User-Mode Instruction Prevention definitions Ricardo Neri 2017-03-08 0:32 ` Ricardo Neri 2017-03-08 0:32 ` [v6 PATCH 17/21] x86: Add emulation code for UMIP instructions Ricardo Neri 2017-03-08 0:32 ` Ricardo Neri 2017-03-08 0:32 ` [v6 PATCH 18/21] x86/umip: Force a page fault when unable to copy emulated result to user Ricardo Neri 2017-03-08 0:32 ` Ricardo Neri 2017-03-08 0:32 ` [v6 PATCH 19/21] x86/traps: Fixup general protection faults caused by UMIP Ricardo Neri 2017-03-08 0:32 ` Ricardo Neri 2017-03-08 15:54 ` Andy Lutomirski 2017-03-08 15:54 ` Andy Lutomirski 2017-03-08 0:32 ` [v6 PATCH 20/21] x86: Enable User-Mode Instruction Prevention Ricardo Neri 2017-03-08 0:32 ` Ricardo Neri 2017-03-08 0:32 ` [v6 PATCH 21/21] selftests/x86: Add tests for " Ricardo Neri 2017-03-08 0:32 ` Ricardo Neri 2017-03-08 15:56 ` Andy Lutomirski 2017-03-08 15:56 ` Andy Lutomirski 2017-03-10 23:38 ` Ricardo Neri 2017-03-10 23:38 ` Ricardo Neri 2017-03-08 14:08 ` [v6 PATCH 00/21] x86: Enable " Stas Sergeev 2017-03-08 14:08 ` Stas Sergeev 2017-03-08 16:06 ` Andy Lutomirski 2017-03-08 16:06 ` Andy Lutomirski 2017-03-08 16:29 ` Stas Sergeev 2017-03-08 16:29 ` Stas Sergeev 2017-03-08 16:46 ` Andy Lutomirski 2017-03-08 16:46 ` Andy Lutomirski 2017-03-08 16:53 ` Stas Sergeev 2017-03-08 16:53 ` Stas Sergeev 2017-03-09 1:11 ` Ricardo Neri 2017-03-09 1:11 ` Ricardo Neri 2017-03-09 22:05 ` Stas Sergeev 2017-03-09 22:05 ` Stas Sergeev 2017-03-10 2:41 ` Andy Lutomirski 2017-03-10 2:41 ` Andy Lutomirski 2017-03-10 10:30 ` Stas Sergeev [this message] 2017-03-10 10:30 ` Stas Sergeev 2017-03-10 21:04 ` Andy Lutomirski 2017-03-10 21:04 ` Andy Lutomirski 2017-03-10 21:37 ` Stas Sergeev 2017-03-10 21:37 ` Stas Sergeev 2017-03-09 1:15 ` Ricardo Neri 2017-03-09 1:15 ` Ricardo Neri 2017-03-09 22:10 ` Stas Sergeev 2017-03-09 22:10 ` Stas Sergeev 2017-03-10 2:39 ` Andy Lutomirski 2017-03-10 2:39 ` Andy Lutomirski 2017-03-10 11:33 ` Stas Sergeev 2017-03-10 11:33 ` Stas Sergeev 2017-03-10 14:17 ` Andy Lutomirski 2017-03-10 14:17 ` Andy Lutomirski 2017-03-11 1:22 ` Ricardo Neri 2017-03-11 1:22 ` Ricardo Neri 2017-03-10 23:59 ` Ricardo Neri 2017-03-10 23:59 ` Ricardo Neri 2017-03-13 21:25 ` Stas Sergeev 2017-03-13 21:25 ` Stas Sergeev 2017-03-27 23:46 ` Ricardo Neri 2017-03-27 23:46 ` Ricardo Neri 2017-03-28 9:38 ` Stas Sergeev 2017-03-28 9:38 ` Stas Sergeev 2017-03-29 4:38 ` Ricardo Neri 2017-03-29 4:38 ` Ricardo Neri 2017-03-29 20:55 ` Stas Sergeev 2017-03-29 20:55 ` Stas Sergeev 2017-03-30 5:14 ` Ricardo Neri 2017-03-30 5:14 ` Ricardo Neri 2017-03-30 10:10 ` Stas Sergeev 2017-03-30 10:10 ` Stas Sergeev 2017-03-31 1:33 ` Ricardo Neri 2017-03-31 1:33 ` Ricardo Neri 2017-03-31 14:11 ` Alexandre Julliard 2017-03-31 14:11 ` Alexandre Julliard 2017-03-31 21:26 ` Stas Sergeev 2017-03-31 21:26 ` Stas Sergeev 2017-04-01 2:18 ` Andy Lutomirski 2017-04-01 2:18 ` Andy Lutomirski 2017-04-04 2:02 ` Ricardo Neri 2017-04-04 2:02 ` Ricardo Neri 2017-04-04 6:08 ` Alexandre Julliard 2017-04-04 6:08 ` Alexandre Julliard 2017-04-01 13:08 ` Stas Sergeev 2017-04-01 13:08 ` Stas Sergeev 2017-04-01 17:49 ` H. Peter Anvin 2017-04-01 17:49 ` H. Peter Anvin 2017-04-02 15:52 ` Andy Lutomirski 2017-04-04 9:59 ` Stas Sergeev 2017-04-04 2:05 ` Ricardo Neri 2017-04-04 2:05 ` Ricardo Neri 2017-04-04 8:03 ` Stas Sergeev 2017-04-04 8:03 ` Stas Sergeev 2017-03-10 23:58 ` Ricardo Neri 2017-03-10 23:58 ` Ricardo Neri 2017-03-09 0:46 ` Ricardo Neri 2017-03-09 0:46 ` Ricardo Neri 2017-03-09 22:01 ` Stas Sergeev 2017-03-09 22:01 ` Stas Sergeev 2017-03-10 23:47 ` Ricardo Neri 2017-03-10 23:47 ` Ricardo Neri 2017-03-10 23:58 ` Stas Sergeev 2017-03-10 23:58 ` Stas Sergeev 2017-03-11 0:13 ` Ricardo Neri 2017-03-11 0:13 ` Ricardo Neri 2017-03-08 16:07 ` Andy Lutomirski 2017-03-08 16:07 ` Andy Lutomirski
Reply instructions: You may reply publicly to this message via plain-text email using any one of the following methods: * Save the following mbox file, import it into your mail client, and reply-to-all from there: mbox Avoid top-posting and favor interleaved quoting: https://en.wikipedia.org/wiki/Posting_style#Interleaved_style * Reply using the --to, --cc, and --in-reply-to switches of git-send-email(1): git send-email \ --in-reply-to=7ea39103-c193-4d6d-572f-a1bdb27c3627@list.ru \ --to=stsp@list.ru \ --cc=akpm@linux-foundation.org \ --cc=bp@suse.de \ --cc=brgerst@gmail.com \ --cc=cmetcalf@mellanox.com \ --cc=corbet@lwn.net \ --cc=dave.hansen@linux.intel.com \ --cc=fenghua.yu@intel.com \ --cc=hpa@zytor.com \ --cc=jslaby@suse.cz \ --cc=julliard@winehq.org \ --cc=linux-kernel@vger.kernel.org \ --cc=linux-msdos@vger.kernel.org \ --cc=luto@kernel.org \ --cc=mhiramat@kernel.org \ --cc=mingo@redhat.com \ --cc=mst@redhat.com \ --cc=paul.gortmaker@windriver.com \ --cc=pbonzini@redhat.com \ --cc=peterz@infradead.org \ --cc=ravi.v.shankar@intel.com \ --cc=ray.huang@amd.com \ --cc=ricardo.neri-calderon@linux.intel.com \ --cc=shuah@kernel.org \ --cc=slaoub@gmail.com \ --cc=tglx@linutronix.de \ --cc=vbabka@suse.cz \ --cc=wine-devel@winehq.org \ --cc=x86@kernel.org \ /path/to/YOUR_REPLY https://kernel.org/pub/software/scm/git/docs/git-send-email.html * If your mail client supports setting the In-Reply-To header via mailto: links, try the mailto: linkBe sure your reply has a Subject: header at the top and a blank line before the message body.
This is an external index of several public inboxes, see mirroring instructions on how to clone and mirror all data and code used by this external index.