From: Matt Parnell <email@example.com> To: Matthew Garrett <firstname.lastname@example.org> Cc: Kees Cook <email@example.com>, LSM List <firstname.lastname@example.org>, David Howells <email@example.com>, firstname.lastname@example.org Subject: Re: [PATCH] Kernel Lockdown: Add an option to allow raw MSR access even, in confidentiality mode. Date: Mon, 2 Dec 2019 21:57:11 -0600 Message-ID: <email@example.com> (raw) In-Reply-To: <firstname.lastname@example.org> ...possibly a bug on my older 4790k system, on my 8550u this doesn't seem to happen. Strange. Either way, I can stop bugging you if you'd like. On 12/2/19 8:50 PM, Matt Parnell wrote: > Correction: I'm out of caffeine, tired, and it has made me an idiot. > > That message triggers regardless, it seems. I apologize. > > On 12/2/19 8:24 PM, Matt Parnell wrote: >> For what it is worth, this doesn't happen with lockdown disabled. >> >> That message and the code that checks for mitigations is in >> arch/x86/kvm/vmx/vmx.c - for some reason locking down the MSRs is even >> making the kernel think that the MSR for the mitigation isn't there, >> meaning that it is also likely not mitigating the bug. >> >> On 12/2/19 8:16 PM, Matthew Garrett wrote: >>> On Mon, Dec 2, 2019 at 6:01 PM Matt Parnell <email@example.com> wrote: >>>> I should also mention the kernel itself thinks it is vulnerable with the >>>> MSRs locked down: >>>> >>>> [ 7.367922] L1TF CPU bug present and SMT on, data leak possible. See >>>> CVE-2018-3646 and >>>> https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/l1tf.html for >>>> details. >>> The lockdown code doesn't touch any of the codepaths the kernel uses >>> to access MSRs itself (a *lot* would break in that case), so if the >>> kernel is asserting this inappropriately then that seems like a kernel >>> bug.
next prev parent reply index Thread overview: 16+ messages / expand[flat|nested] mbox.gz Atom feed top 2019-11-30 6:49 Matt Parnell 2019-11-30 18:36 ` Kees Cook 2019-11-30 19:09 ` Matt Parnell 2019-12-01 20:53 ` Matt Parnell 2019-12-02 18:29 ` Matt Parnell 2019-12-02 22:55 ` Jordan Glover 2019-12-02 23:13 ` Matt Parnell 2019-12-02 23:29 ` Matthew Garrett 2019-12-02 23:31 ` Matt Parnell 2019-12-03 2:13 ` Matt Parnell 2019-12-03 2:16 ` Matthew Garrett 2019-12-03 2:24 ` Matt Parnell 2019-12-03 2:50 ` Matt Parnell 2019-12-03 3:57 ` Matt Parnell [this message] 2019-12-02 19:43 ` Matthew Garrett 2019-12-02 20:39 ` Matt Parnell
Reply instructions: You may reply publically to this message via plain-text email using any one of the following methods: * Save the following mbox file, import it into your mail client, and reply-to-all from there: mbox Avoid top-posting and favor interleaved quoting: https://en.wikipedia.org/wiki/Posting_style#Interleaved_style * Reply using the --to, --cc, and --in-reply-to switches of git-send-email(1): git send-email \ --firstname.lastname@example.org \ --email@example.com \ --firstname.lastname@example.org \ --email@example.com \ --firstname.lastname@example.org \ --email@example.com \ --firstname.lastname@example.org \ /path/to/YOUR_REPLY https://kernel.org/pub/software/scm/git/docs/git-send-email.html * If your mail client supports setting the In-Reply-To header via mailto: links, try the mailto: link
Linux-Security-Module Archive on lore.kernel.org Archives are clonable: git clone --mirror https://lore.kernel.org/linux-security-module/0 linux-security-module/git/0.git # If you have public-inbox 1.1+ installed, you may # initialize and index your mirror using the following commands: public-inbox-init -V2 linux-security-module linux-security-module/ https://lore.kernel.org/linux-security-module \ email@example.com public-inbox-index linux-security-module Example config snippet for mirrors Newsgroup available over NNTP: nntp://nntp.lore.kernel.org/org.kernel.vger.linux-security-module AGPL code for this site: git clone https://public-inbox.org/public-inbox.git