From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S933520AbdCJUyM (ORCPT <rfc822;w@1wt.eu>);
        Fri, 10 Mar 2017 15:54:12 -0500
Received: from fallback8.mail.ru ([94.100.181.110]:59932 "EHLO
        fallback8.mail.ru" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S932482AbdCJUyJ (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Fri, 10 Mar 2017 15:54:09 -0500
Subject: Re: [v6 PATCH 00/21] x86: Enable User-Mode Instruction Prevention
To: Andy Lutomirski <luto@kernel.org>,
        Ricardo Neri <ricardo.neri-calderon@linux.intel.com>
References: <20170308003254.27833-1-ricardo.neri-calderon@linux.intel.com>
 <79ba0fff-4c01-2bfa-06cb-5cfc98dd710c@list.ru>
 <CALCETrX4D13Q4LRxGrQzXQCWvaRpq7sG0ws8CpB_bM4rKQ4W_A@mail.gmail.com>
 <997ba581-ecfa-b773-a48e-85b92a439836@list.ru>
 <CALCETrX87_RyEscDLLscNaE33=FEpzW0JVphZaWoJSBL5VhN0w@mail.gmail.com>
 <bef08268-238b-c5e9-1737-a2675f453b8e@list.ru>
 <1489021909.131264.30.camel@ranerica-desktop>
 <CALCETrX3WnnKGJUT7sXCD8Ynq58CCHS4fgi-D-bLQR5r-6Z_RQ@mail.gmail.com>
Cc: Ingo Molnar <mingo@redhat.com>, Thomas Gleixner <tglx@linutronix.de>,
        "H. Peter Anvin" <hpa@zytor.com>, Borislav Petkov <bp@suse.de>,
        Peter Zijlstra <peterz@infradead.org>,
        Andrew Morton <akpm@linux-foundation.org>,
        Brian Gerst <brgerst@gmail.com>, Chris Metcalf <cmetcalf@mellanox.com>,
        Dave Hansen <dave.hansen@linux.intel.com>,
        Paolo Bonzini <pbonzini@redhat.com>,
        Masami Hiramatsu <mhiramat@kernel.org>, Huang Rui <ray.huang@amd.com>,
        Jiri Slaby <jslaby@suse.cz>, Jonathan Corbet <corbet@lwn.net>,
        "Michael S. Tsirkin" <mst@redhat.com>,
        Paul Gortmaker <paul.gortmaker@windriver.com>,
        Vlastimil Babka <vbabka@suse.cz>, Chen Yucong <slaoub@gmail.com>,
        Alexandre Julliard <julliard@winehq.org>,
        Fenghua Yu <fenghua.yu@intel.com>,
        "Ravi V. Shankar" <ravi.v.shankar@intel.com>,
        Shuah Khan <shuah@kernel.org>,
        "linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>,
        X86 ML <x86@kernel.org>, linux-msdos@vger.kernel.org,
        wine-devel@winehq.org
From: Stas Sergeev <stsp@list.ru>
Message-ID: <7ea39103-c193-4d6d-572f-a1bdb27c3627@list.ru>
Date: Fri, 10 Mar 2017 13:30:06 +0300
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101
 Thunderbird/45.5.1
MIME-Version: 1.0
In-Reply-To: <CALCETrX3WnnKGJUT7sXCD8Ynq58CCHS4fgi-D-bLQR5r-6Z_RQ@mail.gmail.com>
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 8bit
Authentication-Results: smtp16.mail.ru; auth=pass smtp.auth=stsp@list.ru smtp.mailfrom=stsp@list.ru
X-7FA49CB5: 0D63561A33F958A5598FDBE8F77FA28DF1245A1D2CC61CF060CBF9396C135F9E9F18ECD7E95F35E929AFE063DF4C541C4C04AADEF42A4C8B1AEDC4AA10D128540BF2EBBBDD9D6B0FAEAACC865B01FC22
X-Mailru-Sender: F1845AB6CCC9920DF7838D61D4D05C423354F3AB136584EEED135E947ADFD047F87EFF7066E81F1F1653177920737CA72999BEE114A20FF4278B2D54D4112F244F0A872F021F905956A8FB0C6EBA5FCCEAB4BC95F72C04283CDA0F3B3F5B9367
X-Mras: OK
Sender: linux-kernel-owner@vger.kernel.org
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

10.03.2017 05:41, Andy Lutomirski пишет:
> On Wed, Mar 8, 2017 at 5:11 PM, Ricardo Neri
> <ricardo.neri-calderon@linux.intel.com> wrote:
>> On Wed, 2017-03-08 at 19:53 +0300, Stas Sergeev wrote:
>>> 08.03.2017 19:46, Andy Lutomirski пишет:
>>>>> No no, since I meant prot mode, this is not what I need.
>>>>> I would never need to disable UMIP as to allow the
>>>>> prot mode apps to do SLDT. Instead it would be good
>>>>> to have an ability to provide a replacement for the dummy
>>>>> emulation that is currently being proposed for kernel.
>>>>> All is needed for this, is just to deliver a SIGSEGV.
>>>> That's what I meant.  Turning off FIXUP_UMIP would leave UMIP on but
>>>> turn off the fixup, so you'd get a SIGSEGV indicating #GP (or a vm86
>>>> GP exit).
>>> But then I am confused with the word "compat" in
>>> your "COMPAT_MASK0_X86_UMIP_FIXUP" and
>>> "sys_adjust_compat_mask(int op, int word, u32 mask);"
>>>
>>> Leaving UMIP on and only disabling a fixup doesn't
>>> sound like a compat option to me. I would expect
>>> compat to disable it completely.
>> I guess that the _UMIP_FIXUP part makes it clear that emulation, not
>> UMIP is disabled, allowing the SIGSEGV be delivered to the user space
>> program.
>>
>> Would having a COMPAT_MASK0_X86_UMIP_FIXUP to disable emulation and a
>> COMPAT_MASK0_X86_UMIP to disable UMIP make sense?
>>
>> Also, wouldn't having a COMPAT_MASK0_X86_UMIP to disable UMIP defeat its
>> purpose? Applications could simply use this compat mask to bypass UMIP
>> and gain access to the instructions it protects.
>>
> I was obviously extremely unclear.  The point of the proposed syscall
> is to let programs opt out of legacy features.
I guess both "compat" and "legacy" are misleading
here. Maybe these are "x86-specific" or "hypervisor-specific",
but a mere enabling of UMIP doesn't immediately make
the use of SLDT instruction a legacy IMHO.

>   I'll ponder this a bit more.
So if we are to invent something new, it would be nice to
also think up a clear terminology for it. Maybe something
like "X86_FEATURE_xxx_MASK" or alike.