linux-kernel.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
From: Ricardo Neri <ricardo.neri-calderon@linux.intel.com>
To: Ingo Molnar <mingo@kernel.org>,
	Thomas Gleixner <tglx@linutronix.de>,
	"H. Peter Anvin" <hpa@zytor.com>
Cc: linux-kernel@vger.kernel.org, x86@kernel.org,
	linux-doc@vger.kernel.org,
	Ricardo Neri <ricardo.neri-calderon@linux.intel.com>,
	Andy Lutomirski <luto@kernel.org>,
	Andrew Morton <akpm@linux-foundation.org>,
	Borislav Petkov <bp@suse.de>, Brian Gerst <brgerst@gmail.com>,
	Chen Yucong <slaoub@gmail.com>,
	Chris Metcalf <cmetcalf@mellanox.com>,
	Dave Hansen <dave.hansen@linux.intel.com>,
	Fenghua Yu <fenghua.yu@intel.com>, Huang Rui <ray.huang@amd.com>,
	Jiri Slaby <jslaby@suse.cz>, Jonathan Corbet <corbet@lwn.net>,
	"Michael S . Tsirkin" <mst@redhat.com>,
	Paul Gortmaker <paul.gortmaker@windriver.com>,
	Peter Zijlstra <peterz@infradead.org>,
	"Ravi V . Shankar" <ravi.v.shankar@intel.com>,
	Vlastimil Babka <vbabka@suse.cz>, Shuah Khan <shuah@kernel.org>
Subject: [PATCH 0/4] x86: enable User-Mode Instruction Prevention
Date: Mon,  7 Nov 2016 22:12:09 -0800	[thread overview]
Message-ID: <1478585533-19406-1-git-send-email-ricardo.neri-calderon@linux.intel.com> (raw)

User-Mode Instruction Prevention (UMIP) is a security feature present in
new Intel Processors. If enabled, it prevents the execution of certain
instructions if the Current Privilege Level (CPL) is greater than 0. If
these instructions were executed while in CPL > 0, user space applications
could have access to system-wide settings such as the global and local
descriptor tables, the task register and the interrupt descriptor table.

These are the instructions covered by UMIP:
* SGDT - Store Global Descriptor Table
* SIDT - Store Interrupt Descriptor Table
* SLDT - Store Local Descriptor Table
* SMSW - Store Machine Status Word
* STR - Store Task Register

If any of these instructions is executed with CPL > 0, a general protection
exception is issued when UMIP is enbled.

There is a caveat, however. Certain applications running in virtual-8086
mode, such as DOSEMU[1] and Wine[2], want to utilize the SGDT, SIDT and
SLDT instructions for legitimate reasons. In order to keep such
applications working, UMIP must be disabled/enabled when entering/exiting
virtual-8086 mode. We also disable/enable UMIP in context switch if we
detect that there is a valid virtual-8086 state structure. However,
unconditionally disabling UMIP for virtual-8086 tasks could be exploited
by malicious applications. Hence, disabling UMIP for such kind of tasks is
allowed only if the kernel parameter 'umip=novm86' is used.

Rather than using the more modern clearcpuid=1234 format for the
kernel parameters, we use umip={no|novm86}. This is because the former does
cannot cover the three configuration states of UMIP.

The virtual-8086 mode selftests are updated to ensure that the
aforementioned instructions can be executed without issue in such mode.

Thanks and BR,
Ricardo

Cc: Andy Lutomirski <luto@kernel.org>
Cc: Andrew Morton <akpm@linux-foundation.org>
Cc: Borislav Petkov <bp@suse.de>
Cc: Brian Gerst <brgerst@gmail.com>
Cc: Chen Yucong <slaoub@gmail.com>
Cc: Chris Metcalf <cmetcalf@mellanox.com>
Cc: Dave Hansen <dave.hansen@linux.intel.com>
Cc: Fenghua Yu <fenghua.yu@intel.com>
Cc: Huang Rui <ray.huang@amd.com>
Cc: Jiri Slaby <jslaby@suse.cz>
Cc: Jonathan Corbet <corbet@lwn.net>
Cc: Michael S. Tsirkin <mst@redhat.com>
Cc: Paul Gortmaker <paul.gortmaker@windriver.com>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Ravi V. Shankar <ravi.v.shankar@intel.com>
Cc: Vlastimil Babka <vbabka@suse.cz>
Cc: Shuah Khan <shuah@kernel.org>


[1]. http://www.dosemu.org/
[2]. https://wiki.winehq.org/Main_Page

Ricardo Neri (4):
  x86/cpufeature: Add User-Mode Instruction Prevention definitions
  x86: Prepare vm86 tasks to handle User-Mode Instruction Prevention
  x86: Enable User-Mode Instruction Prevention
  selftests/x86: Add tests for User-Mode Instruction Prevention

 Documentation/kernel-parameters.txt           |  5 +++
 arch/x86/Kconfig                              | 10 ++++++
 arch/x86/include/asm/cpufeatures.h            |  1 +
 arch/x86/include/asm/disabled-features.h      |  8 ++++-
 arch/x86/include/asm/vm86.h                   |  3 ++
 arch/x86/include/uapi/asm/processor-flags.h   |  2 ++
 arch/x86/kernel/cpu/common.c                  | 50 ++++++++++++++++++++++++++-
 arch/x86/kernel/process.c                     | 10 ++++++
 arch/x86/kernel/vm86_32.c                     | 20 +++++++++++
 tools/testing/selftests/x86/entry_from_vm86.c | 10 +++++-
 10 files changed, 116 insertions(+), 3 deletions(-)

-- 
2.7.4

             reply	other threads:[~2016-11-08  6:13 UTC|newest]

Thread overview: 31+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2016-11-08  6:12 Ricardo Neri [this message]
2016-11-08  6:12 ` [PATCH 1/4] x86/cpufeature: Add User-Mode Instruction Prevention definitions Ricardo Neri
2016-11-08 15:32   ` Andy Lutomirski
2016-11-09  4:25     ` Ricardo Neri
2016-11-09 11:02       ` Andy Lutomirski
2016-11-10  3:24         ` Ricardo Neri
2016-11-10  8:58           ` Borislav Petkov
2016-11-11  4:08             ` Ricardo Neri
2016-11-11 10:22               ` Borislav Petkov
2016-11-12  1:24                 ` Ricardo Neri
2016-11-11 18:06               ` Dave Hansen
2016-11-10 17:09           ` Dave Hansen
2016-11-08  6:12 ` [PATCH 2/4] x86: Prepare vm86 tasks to handle User-Mode Instruction Prevention Ricardo Neri
2016-11-08 16:01   ` Andy Lutomirski
2016-11-08 17:00     ` Peter Zijlstra
2016-11-09  4:26       ` Ricardo Neri
2016-11-08  6:12 ` [PATCH 3/4] x86: Enable " Ricardo Neri
2016-11-08  6:12 ` [PATCH 4/4] selftests/x86: Add tests for " Ricardo Neri
2016-11-08 13:16 ` [PATCH 0/4] x86: enable " Peter Zijlstra
2016-11-08 15:34   ` Andy Lutomirski
2016-11-08 16:52     ` Thomas Gleixner
2016-11-09  4:26       ` Ricardo Neri
2016-11-09  4:31     ` Ricardo Neri
2016-11-09 11:05       ` Andy Lutomirski
2016-11-10  6:46         ` Ricardo Neri
2016-11-10  8:52           ` Stas Sergeev
2016-11-11  4:14             ` Ricardo Neri
2016-11-11 20:51               ` Stas Sergeev
2016-11-12  1:29                 ` Ricardo Neri
2016-11-14 10:59           ` One Thousand Gnomes
2016-11-14 18:36             ` Harald Arnesen

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=1478585533-19406-1-git-send-email-ricardo.neri-calderon@linux.intel.com \
    --to=ricardo.neri-calderon@linux.intel.com \
    --cc=akpm@linux-foundation.org \
    --cc=bp@suse.de \
    --cc=brgerst@gmail.com \
    --cc=cmetcalf@mellanox.com \
    --cc=corbet@lwn.net \
    --cc=dave.hansen@linux.intel.com \
    --cc=fenghua.yu@intel.com \
    --cc=hpa@zytor.com \
    --cc=jslaby@suse.cz \
    --cc=linux-doc@vger.kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=luto@kernel.org \
    --cc=mingo@kernel.org \
    --cc=mst@redhat.com \
    --cc=paul.gortmaker@windriver.com \
    --cc=peterz@infradead.org \
    --cc=ravi.v.shankar@intel.com \
    --cc=ray.huang@amd.com \
    --cc=shuah@kernel.org \
    --cc=slaoub@gmail.com \
    --cc=tglx@linutronix.de \
    --cc=vbabka@suse.cz \
    --cc=x86@kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).