* [PATCH -v2] x86/msr: Filter MSR writes
@ 2020-06-22 14:22 Gyan Gupta
2020-06-22 15:19 ` Borislav Petkov
0 siblings, 1 reply; 3+ messages in thread
From: Gyan Gupta @ 2020-06-22 14:22 UTC (permalink / raw)
To: gyan.gupta, x86-ml
Cc: Borislav Petkov, Linus Torvalds, lkml, Sean Christopherson, Tony Luck
From: Borislav Petkov <bp@alien8.de>
> The whitelist is still TBD, I might be able to remove it competely and defer the
> whole whitelisting to the future. when people start reporting MSRs (see
> pr_err_ratelimited() call below).
I am also working on a similar functionality where we allow specific MSRs(whitelisted MSRs) to be allowed to read & write.
Additionally, writes are subjected to checks where only certain bits can be allowed to be modified. This is to increase security & safety of system.
For example, MCi_CTL can be used to enable/disable error reporting of hw unit. So in our use case once error reporting is enabled, it must
not be disabled. Also we want to have restrictions on rdmsr for security purposes.
- Gyan
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: [PATCH -v2] x86/msr: Filter MSR writes
2020-06-22 14:22 [PATCH -v2] x86/msr: Filter MSR writes Gyan Gupta
@ 2020-06-22 15:19 ` Borislav Petkov
0 siblings, 0 replies; 3+ messages in thread
From: Borislav Petkov @ 2020-06-22 15:19 UTC (permalink / raw)
To: Gyan Gupta; +Cc: x86-ml, Linus Torvalds, lkml, Sean Christopherson, Tony Luck
On Mon, Jun 22, 2020 at 07:52:28PM +0530, Gyan Gupta wrote:
> I am also working on a similar functionality where we allow specific
> MSRs(whitelisted MSRs) to be allowed to read & write. Additionally,
> writes are subjected to checks where only certain bits can be allowed
> to be modified. This is to increase security & safety of system.
>
> For example, MCi_CTL can be used to enable/disable error reporting
> of hw unit. So in our use case once error reporting is enabled, it
> must not be disabled. Also we want to have restrictions on rdmsr for
> security purposes.
IInstead of defining whitelists, you should design proper interfaces
through sysfs or so which control the functionality you want.
If you want to do some internal testing, you don't need the whitelists
either - you simply enable writing to all MSRs like it is the case now.
--
Regards/Gruss,
Boris.
https://people.kernel.org/tglx/notes-about-netiquette
^ permalink raw reply [flat|nested] 3+ messages in thread
* [PATCH -v2] x86/msr: Filter MSR writes
2020-06-12 10:50 [RFC PATCH] " Borislav Petkov
@ 2020-06-13 15:48 ` Borislav Petkov
0 siblings, 0 replies; 3+ messages in thread
From: Borislav Petkov @ 2020-06-13 15:48 UTC (permalink / raw)
To: x86-ml; +Cc: Linus Torvalds, lkml, Sean Christopherson, Tony Luck
Hi,
here's v2 with the requested changes.
The whitelist is still TBD, I might be able to remove it competely and
defer the whole whitelisting to the future. when people start reporting
MSRs (see pr_err_ratelimited() call below).
---
Disable writing to MSRs from userspace by default. Writes can still be
allowed by supplying the allow_writes=1 module parameter and the kernel
will be tainted so that it shows in oopses.
Having unfettered access to all MSRs on a system is and has always been
a disaster waiting to happen. Think performance counter MSRs, MSRs with
sticky or locked bits, MSRs making major system changes like loading
microcode, MTRRs, PAT configuration, TSC counter, security mitigations
MSRs, you name it.
This also destroys all the kernel's caching of MSR values for
performance, as the recent case with MSR_AMD64_LS_CFG showed.
Another example is writing MSRs by mistake by simply typing the wrong
MSR address. System freezes have been experienced that way.
In general, poking at MSRs under the kernel's feet is a bad bad idea.
So disable poking directly at the MSRs by default. If userspace still
wants to do that, then proper interfaces should be defined which
are under the kernel's control and accesses to those MSRs can be
synchronized and sanitized properly.
Changelog:
- taint before WRMSR, all
- make param 0600, Sean.
- do not deny but log writes by default, Linus.
Signed-off-by: Borislav Petkov <bp@suse.de>
---
arch/x86/kernel/msr.c | 68 +++++++++++++++++++++++++++++++++++++++++++
1 file changed, 68 insertions(+)
diff --git a/arch/x86/kernel/msr.c b/arch/x86/kernel/msr.c
index 1547be359d7f..1a4f8b30fb09 100644
--- a/arch/x86/kernel/msr.c
+++ b/arch/x86/kernel/msr.c
@@ -42,6 +42,14 @@
static struct class *msr_class;
static enum cpuhp_state cpuhp_msr_state;
+enum allow_write_msrs {
+ MSR_WRITES_ON,
+ MSR_WRITES_OFF,
+ MSR_WRITES_DEFAULT,
+};
+
+static enum allow_write_msrs allow_writes = MSR_WRITES_DEFAULT;
+
static ssize_t msr_read(struct file *file, char __user *buf,
size_t count, loff_t *ppos)
{
@@ -70,6 +78,24 @@ static ssize_t msr_read(struct file *file, char __user *buf,
return bytes ? bytes : err;
}
+static int filter_write(u32 reg)
+{
+ switch (allow_writes) {
+ case MSR_WRITES_ON: return 0; break;
+ case MSR_WRITES_OFF: return -EPERM; break;
+ default: fallthrough;
+ }
+
+ if (reg == MSR_IA32_ENERGY_PERF_BIAS)
+ return 0;
+
+ pr_err_ratelimited("Write to unrecognized MSR 0x%x by %s\n"
+ "Please report to x86@kernel.org\n",
+ reg, current->comm);
+
+ return 0;
+}
+
static ssize_t msr_write(struct file *file, const char __user *buf,
size_t count, loff_t *ppos)
{
@@ -84,6 +110,10 @@ static ssize_t msr_write(struct file *file, const char __user *buf,
if (err)
return err;
+ err = filter_write(reg);
+ if (err)
+ return err;
+
if (count % 8)
return -EINVAL; /* Invalid chunk size */
@@ -92,9 +122,13 @@ static ssize_t msr_write(struct file *file, const char __user *buf,
err = -EFAULT;
break;
}
+
+ add_taint(TAINT_CPU_OUT_OF_SPEC, LOCKDEP_STILL_OK);
+
err = wrmsr_safe_on_cpu(cpu, reg, data[0], data[1]);
if (err)
break;
+
tmp += 2;
bytes += 8;
}
@@ -242,6 +276,40 @@ static void __exit msr_exit(void)
}
module_exit(msr_exit)
+static int set_allow_writes(const char *val, const struct kernel_param *cp)
+{
+ char *s = strstrip(val);
+
+ if (!strcmp(s, "on"))
+ allow_writes = MSR_WRITES_ON;
+ else if (!strcmp(s, "off"))
+ allow_writes = MSR_WRITES_OFF;
+ else
+ allow_writes = MSR_WRITES_DEFAULT;
+
+ return 0;
+}
+
+static int get_allow_writes(char *buf, const struct kernel_param *kp)
+{
+ const char *res;
+
+ switch (allow_writes) {
+ case MSR_WRITES_ON: res = "on"; break;
+ case MSR_WRITES_OFF: res = "off"; break;
+ default: res = "default"; break;
+ }
+
+ return sprintf(buf, "%s\n", res);
+}
+
+static const struct kernel_param_ops allow_writes_ops = {
+ .set = set_allow_writes,
+ .get = get_allow_writes
+};
+
+module_param_cb(allow_writes, &allow_writes_ops, NULL, 0600);
+
MODULE_AUTHOR("H. Peter Anvin <hpa@zytor.com>");
MODULE_DESCRIPTION("x86 generic MSR driver");
MODULE_LICENSE("GPL");
--
2.21.0
--
Regards/Gruss,
Boris.
https://people.kernel.org/tglx/notes-about-netiquette
^ permalink raw reply related [flat|nested] 3+ messages in thread
end of thread, other threads:[~2020-06-22 15:19 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2020-06-22 14:22 [PATCH -v2] x86/msr: Filter MSR writes Gyan Gupta
2020-06-22 15:19 ` Borislav Petkov
-- strict thread matches above, loose matches on Subject: below --
2020-06-12 10:50 [RFC PATCH] " Borislav Petkov
2020-06-13 15:48 ` [PATCH -v2] " Borislav Petkov
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).