Re: [tip:x86/urgent] x86/entry/32: Add an ASM_CLAC to entry_SYSENTER_32

From: Andy Lutomirski <luto@amacapital.net>
To: Brian Gerst <brgerst@gmail.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>,
	"H. Peter Anvin" <hpa@zytor.com>,
	Linux Kernel Mailing List <linux-kernel@vger.kernel.org>,
	"linux-tip-commits@vger.kernel.org" 
	<linux-tip-commits@vger.kernel.org>,
	Thomas Gleixner <tglx@linutronix.de>,
	Borislav Petkov <bp@alien8.de>,
	Peter Zijlstra <peterz@infradead.org>,
	Ingo Molnar <mingo@kernel.org>,
	Denys Vlasenko <dvlasenk@redhat.com>
Subject: Re: [tip:x86/urgent] x86/entry/32: Add an ASM_CLAC to entry_SYSENTER_32
Date: Thu, 25 Feb 2016 11:52:51 -0800	[thread overview]
Message-ID: <CALCETrWTU6LZn+j=Nz_mkDyjaLkPhFLcpjk7Zc2TGotPoUn0Vw@mail.gmail.com> (raw)
In-Reply-To: <CAMzpN2jqP74br2+pSP-X_WCpRTgK4Q6eV4N2_ZWCLkw9u4symQ@mail.gmail.com>

On Thu, Feb 25, 2016 at 11:49 AM, Brian Gerst <brgerst@gmail.com> wrote:
> On Thu, Feb 25, 2016 at 2:39 PM, Andy Lutomirski <luto@amacapital.net> wrote:
>> On Thu, Feb 25, 2016 at 11:31 AM, Brian Gerst <brgerst@gmail.com> wrote:
>>> On Thu, Feb 25, 2016 at 1:30 PM, Linus Torvalds
>>> <torvalds@linux-foundation.org> wrote:
>>>> On Thu, Feb 25, 2016 at 10:20 AM, Andy Lutomirski <luto@amacapital.net> wrote:
>>>>>
>>>>> Ideally we'd fix this up and restore flags on sysexit.  At least
>>>>> failing to restore arithmetic flags isn't an info leak because the
>>>>> exit code clobbers them with entirely predictable data.  I doubt
>>>>> anyone cares all that much if we clobber AC.
>>>>
>>>> As long as the "clobber AC" is purely about clearing it, it's probably fine.
>>>>
>>>> Although there may be programs that set AC in order to actually get
>>>> notified about alignment issues (perhaps for portability reasons,
>>>> perhaps for small performance reasons). Clearing it will make those
>>>> programs still work, but they lose the checking.
>>>>
>>>>> I wrote a test for NT and the test fails for a different reason: our
>>>>> TF handling appears broken as well.  (Our sysenter TF handling is
>>>>> *crap*, but it seems to work on 64-bit kernels at least.)
>>>>
>>>> TF should be entirely immaterial for system calls. Why would we care?
>>>> We need it for correct handling of real traps, but not for the system
>>>> call case afaik. Returning with TF clear is the right thing, since
>>>> we're not returning *to* the system call instruction, but the
>>>> instruction after.
>>>>
>>>>> My personal preference would be to add the missing popf.
>>>>
>>>> I don't mind adding the popf, but it won't help for iopl. Only iret
>>>> restores iopl, if I recall correctly (but maybe I don't, and I'm too
>>>> lazy to take the 30 seconds to look it up).
>>>>
>>>>                Linus
>>>
>>> According to the SDM, popf will change IOPL only at CPL0, which is why
>>> Xen (which runs at CPL1 on 32-bit) has a paravirt hook for it.
>>
>> But maybe we can ditch that paravirt hook and just modify regs->flags
>> in sys_iopl.  Xen never uses sysexit at all:
>>
>>     /* XEN PV guests always use IRET path */
>>     ALTERNATIVE "testl %eax, %eax; jz .Lsyscall_32_done", \
>>             "jmp .Lsyscall_32_done", X86_FEATURE_XENPV
>>
>> and if we add the missing popf, we should be good to go.
>
> IRET won't change IOPL either at CPL != 0, so Xen still needs that hook.

But xen_iret isn't the same thing as IRET at all.  We don't use a real
IRET instruction to switch between kernel and user mode on Xen PV.

--Andy

>
> --
> Brian Gerst

-- 
Andy Lutomirski
AMA Capital Management, LLC