* RE: Initial process CPU state was Re: SSE related security hole
@ 2002-04-23 22:07 Saxena, Sunil
2002-04-24 19:18 ` Bill Davidsen
0 siblings, 1 reply; 4+ messages in thread
From: Saxena, Sunil @ 2002-04-23 22:07 UTC (permalink / raw)
To: 'Andi Kleen'; +Cc: linux-kernel
The correct sequence for initializing MMX/SSE/SSE2 CPU state (I exchanged
mail with Linus) is:
memset(&fxsave, 0, sizeof(struct i387_fxsave_struct));
fxsave.cwd = 0x37f;
fxsave.mxcsr = 0x1f80;
fxrstor(&fxsave);
The above is architectural feature and you can expect this to work in the
future. Intel will work to document this in our Monthly Specification
Updates and update "IA-32 Intel(R) Architecture Software Developer Manual"s.
Thanks
Sunil
-----Original Message-----
From: Andi Kleen [mailto:ak@muc.de]
Sent: Monday, April 22, 2002 3:51 PM
To: Saxena, Sunil
Cc: linux-kernel@vger.kernel.org
Subject: Initial process CPU state was Re: SSE related security hole
"Saxena, Sunil" <sunil.saxena@intel.com> writes:
Hallo Sunil,
> We recognized that there is a discrepancy in the individual instruction
> descriptions in Vol 2 where it is indicated that the instruction would
> generate a UD#. We will be rectifying this discrepancy in the next
revision
> of Vol 2 as well as via the monthly Specification Updates.
Could you quickly describe what the Intel recommended way is to clear
the whole CPU at the beginning of a process? Is there a better way
than "save state with fxsave at bootup and restore into each
new process"? After all it would be a bit unfortunate to have
instructions which are transparently tolerant to new CPU state
(fxsave/fxrstor
for context switching), but no matching way to clear the same state for
security reasons. Using the bootup FXSAVE image would make linux
depend on the BIOS for this (so in the worst case when the bios
doesn't clear e.g. the XMM registers or some future registers each
process could see the state of some previous boot after a warm boot)
Another way would be to do a fxsave after clearing of known state (x87,MMX,
SSE) at OS bootup and then afterwards set all the so far reserved parts of
the
FXSAVE image to zero. Then restore this image later into each new process.
This would avoid any BIOS/direct warmboot dependencies. It would work
assuming that all future IA32 state can be safely initialized with zeroes
via FXRSTOR. Is this a safe assumption?
Thanks,
-Andi
^ permalink raw reply [flat|nested] 4+ messages in thread
* RE: Initial process CPU state was Re: SSE related security hole
2002-04-23 22:07 Initial process CPU state was Re: SSE related security hole Saxena, Sunil
@ 2002-04-24 19:18 ` Bill Davidsen
0 siblings, 0 replies; 4+ messages in thread
From: Bill Davidsen @ 2002-04-24 19:18 UTC (permalink / raw)
To: Saxena, Sunil; +Cc: 'Andi Kleen', linux-kernel
On Tue, 23 Apr 2002, Saxena, Sunil wrote:
> The correct sequence for initializing MMX/SSE/SSE2 CPU state (I exchanged
> mail with Linus) is:
>
> memset(&fxsave, 0, sizeof(struct i387_fxsave_struct));
> fxsave.cwd = 0x37f;
> fxsave.mxcsr = 0x1f80;
>
> fxrstor(&fxsave);
>
> The above is architectural feature and you can expect this to work in the
> future. Intel will work to document this in our Monthly Specification
> Updates and update "IA-32 Intel(R) Architecture Software Developer Manual"s.
Sure is nice to see some vendor support!
--
bill davidsen <davidsen@tmr.com>
CTO, TMR Associates, Inc
Doing interesting things with little computers since 1979.
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: Initial process CPU state was Re: SSE related security hole
2002-04-22 22:51 ` Initial process CPU state was " Andi Kleen
@ 2002-04-22 23:28 ` Linus Torvalds
0 siblings, 0 replies; 4+ messages in thread
From: Linus Torvalds @ 2002-04-22 23:28 UTC (permalink / raw)
To: linux-kernel
In article <m3ofgbcppe.fsf@averell.firstfloor.org>,
Andi Kleen <ak@muc.de> wrote:
>
>Could you quickly describe what the Intel recommended way is to clear
>the whole CPU at the beginning of a process? Is there a better way
>than "save state with fxsave at bootup and restore into each
>new process"?
Note that I will _not_ accept a patch that does the "fxsave at bootup"
thing, because since Linux doesn't actually control the bootup, and
since it gets more an dmore likely that the BIOS will actually use the
SSE etc registers, a boot-time "fxsave" will mean that different
machines will have potentially quite different process initialization.
In fact, even the same machine might act differently depending on how it
was booted up (ie warm vs cold vs resume boot, different BIOS path due
to different BIOS options etc).
Now, that wouldn't be a security hole per se, but it would be hell to
debug problems ("My other machine that is identical doesn't show that
bug").
Basically there _needs_ to be an architected way to ensure that the FP
data is in a known and valid state.
(The "fxsave early" approach results in a valid - but not known -
state).
>Another way would be to do a fxsave after clearing of known state (x87,MMX,
>SSE) at OS bootup and then afterwards set all the so far reserved parts of the
>FXSAVE image to zero.
This is basically what we do right now (ie as of 2.5.9, just released).
Except we set it to zero before, since the state we _do_ know about (ie
current x87, MMX, SSE) is initialized to exactly the state you mention
(by hand), and then the rest is just initialized to zero.
Linus
^ permalink raw reply [flat|nested] 4+ messages in thread
* Initial process CPU state was Re: SSE related security hole
2002-04-22 22:24 Saxena, Sunil
@ 2002-04-22 22:51 ` Andi Kleen
2002-04-22 23:28 ` Linus Torvalds
0 siblings, 1 reply; 4+ messages in thread
From: Andi Kleen @ 2002-04-22 22:51 UTC (permalink / raw)
To: Saxena, Sunil; +Cc: linux-kernel
"Saxena, Sunil" <sunil.saxena@intel.com> writes:
Hallo Sunil,
> We recognized that there is a discrepancy in the individual instruction
> descriptions in Vol 2 where it is indicated that the instruction would
> generate a UD#. We will be rectifying this discrepancy in the next revision
> of Vol 2 as well as via the monthly Specification Updates.
Could you quickly describe what the Intel recommended way is to clear
the whole CPU at the beginning of a process? Is there a better way
than "save state with fxsave at bootup and restore into each
new process"? After all it would be a bit unfortunate to have
instructions which are transparently tolerant to new CPU state (fxsave/fxrstor
for context switching), but no matching way to clear the same state for
security reasons. Using the bootup FXSAVE image would make linux
depend on the BIOS for this (so in the worst case when the bios
doesn't clear e.g. the XMM registers or some future registers each
process could see the state of some previous boot after a warm boot)
Another way would be to do a fxsave after clearing of known state (x87,MMX,
SSE) at OS bootup and then afterwards set all the so far reserved parts of the
FXSAVE image to zero. Then restore this image later into each new process.
This would avoid any BIOS/direct warmboot dependencies. It would work
assuming that all future IA32 state can be safely initialized with zeroes
via FXRSTOR. Is this a safe assumption?
Thanks,
-Andi
^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2002-04-24 19:21 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2002-04-23 22:07 Initial process CPU state was Re: SSE related security hole Saxena, Sunil
2002-04-24 19:18 ` Bill Davidsen
-- strict thread matches above, loose matches on Subject: below --
2002-04-22 22:24 Saxena, Sunil
2002-04-22 22:51 ` Initial process CPU state was " Andi Kleen
2002-04-22 23:28 ` Linus Torvalds
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).