From: Andy Lutomirski <luto@kernel.org>
To: Ricardo Neri <ricardo.neri-calderon@linux.intel.com>
Cc: Stas Sergeev <stsp@list.ru>, Ingo Molnar <mingo@redhat.com>,
	Thomas Gleixner <tglx@linutronix.de>,
	"H. Peter Anvin" <hpa@zytor.com>,
	Andy Lutomirski <luto@kernel.org>, Borislav Petkov <bp@suse.de>,
	Peter Zijlstra <peterz@infradead.org>,
	Andrew Morton <akpm@linux-foundation.org>,
	Brian Gerst <brgerst@gmail.com>,
	Chris Metcalf <cmetcalf@mellanox.com>,
	Dave Hansen <dave.hansen@linux.intel.com>,
	Paolo Bonzini <pbonzini@redhat.com>,
	Masami Hiramatsu <mhiramat@kernel.org>,
	Huang Rui <ray.huang@amd.com>, Jiri Slaby <jslaby@suse.cz>,
	Jonathan Corbet <corbet@lwn.net>,
	"Michael S. Tsirkin" <mst@redhat.com>,
	Paul Gortmaker <paul.gortmaker@windriver.com>,
	Vlastimil Babka <vbabka@suse.cz>, Chen Yucong <slaoub@gmail.com>,
	Alexandre Julliard <julliard@winehq.org>,
	Fenghua Yu <fenghua.yu@intel.com>,
	"Ravi V. Shankar" <ravi.v.shankar@intel.com>,
	Shuah Khan <shuah@kernel.org>,
	"linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>,
	X86 ML <x86@kernel.org>,
	linux-msdos@vger.kernel.org, wine-devel@winehq.org
Subject: Re: [v6 PATCH 00/21] x86: Enable User-Mode Instruction Prevention
Date: Thu, 9 Mar 2017 18:41:43 -0800
Message-ID: <CALCETrX3WnnKGJUT7sXCD8Ynq58CCHS4fgi-D-bLQR5r-6Z_RQ@mail.gmail.com>
In-Reply-To: <1489021909.131264.30.camel@ranerica-desktop>

On Wed, Mar 8, 2017 at 5:11 PM, Ricardo Neri
<ricardo.neri-calderon@linux.intel.com> wrote:
> On Wed, 2017-03-08 at 19:53 +0300, Stas Sergeev wrote:
>> 08.03.2017 19:46, Andy Lutomirski wrote:
>> >> No no, since I meant prot mode, this is not what I need.
>> >> I would never need to disable UMIP so as to allow the
>> >> prot mode apps to do SLDT. Instead it would be good
>> >> to have an ability to provide a replacement for the dummy
>> >> emulation that is currently being proposed for kernel.
>> >> All that is needed for this is just to deliver a SIGSEGV.
>> > That's what I meant.  Turning off FIXUP_UMIP would leave UMIP on but
>> > turn off the fixup, so you'd get a SIGSEGV indicating #GP (or a vm86
>> > GP exit).
>> But then I am confused with the word "compat" in
>> your "COMPAT_MASK0_X86_UMIP_FIXUP" and
>> "sys_adjust_compat_mask(int op, int word, u32 mask);"
>>
>> Leaving UMIP on and only disabling a fixup doesn't
>> sound like a compat option to me. I would expect
>> compat to disable it completely.
>
> I guess that the _UMIP_FIXUP part makes it clear that emulation, not
> UMIP, is disabled, allowing the SIGSEGV to be delivered to the user space
> program.
>
> Would having a COMPAT_MASK0_X86_UMIP_FIXUP to disable emulation and a
> COMPAT_MASK0_X86_UMIP to disable UMIP make sense?
>
> Also, wouldn't having a COMPAT_MASK0_X86_UMIP to disable UMIP defeat its
> purpose? Applications could simply use this compat mask to bypass UMIP
> and gain access to the instructions it protects.
>

I was obviously extremely unclear.  The point of the proposed syscall
is to let programs opt out of legacy features.  So there would be a
bit to disable emulation of UMIP-blocked instructions (this giving the
unadulterated #GP).  There would not be a bit to disable UMIP itself.

There's also a flaw in my proposal.  Disable-vsyscall would be per-mm
and disable-umip-emulation would be per-task, so they'd need to be in
separate words to make any sense.  I'll ponder this a bit more.
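
What a process observes for the UMIP-blocked instructions discussed in this thread, as an added example that is not part of the original message or of the patch series: it runs SLDT, SMSW and STR from user space under a SIGSEGV handler and reports whether each one completed (natively or through the kernel's emulation fixup) or raised the unadulterated #GP as SIGSEGV. The names umip_probe, umip_result and umip_insn are hypothetical, and SMSW and STR are included here as further instructions that UMIP covers.

```c
/* Added example: observe how UMIP-covered instructions behave in this process. */
#define _POSIX_C_SOURCE 200809L
#include <setjmp.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>

enum umip_result { UMIP_EXECUTED, UMIP_FAULTED, UMIP_NOT_X86 };
enum umip_insn { INSN_SLDT, INSN_SMSW, INSN_STR };

#if defined(__x86_64__) || defined(__i386__)
static sigjmp_buf umip_env;
/* Jump back past the faulting instruction instead of returning into it. */
static void umip_on_segv(int sig) { (void)sig; siglongjmp(umip_env, 1); }
#endif

/* Hypothetical helper: run one instruction; *value is written only if it completed. */
enum umip_result umip_probe(enum umip_insn insn, unsigned short *value)
{
#if defined(__x86_64__) || defined(__i386__)
    struct sigaction sa, old;
    volatile enum umip_result res = UMIP_FAULTED;
    unsigned short v = 0;

    memset(&sa, 0, sizeof(sa));
    sa.sa_handler = umip_on_segv;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGSEGV, &sa, &old);

    /* savemask=1 so SIGSEGV is unblocked again after leaving the handler */
    if (sigsetjmp(umip_env, 1) == 0) {
        switch (insn) {
        case INSN_SLDT: __asm__ volatile("sldt %0" : "=r"(v)); break;
        case INSN_SMSW: __asm__ volatile("smsw %0" : "=r"(v)); break;
        case INSN_STR:  __asm__ volatile("str %0"  : "=r"(v)); break;
        }
        *value = v;
        res = UMIP_EXECUTED;   /* ran natively or was emulated by the kernel */
    }
    sigaction(SIGSEGV, &old, NULL);   /* restore the caller's handler */
    return res;
#else
    (void)insn; (void)value;
    return UMIP_NOT_X86;
#endif
}

int main(void)
{
    static const char *names[] = { "sldt", "smsw", "str" };
    static const char *outcome[] = { "completed", "SIGSEGV (#GP)", "not x86" };
    for (int i = 0; i < 3; i++) {
        unsigned short v = 0;
        enum umip_result r = umip_probe((enum umip_insn)i, &v);
        printf("%-4s: %s (value 0x%04x)\n", names[i], outcome[r], v);
    }
    return 0;
}
```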
