oe-chipsec.lists.linux.dev archive mirror
* Re: chipsec: memlock module segmentation fault in VM
From: Bjorge, Erik C @ 2019-08-22 22:57 UTC
  To: chipsec


CHIPSEC is normally not intended to run in a virtual environment.  It is designed to validate that hardware has been configured correctly to mitigate known vulnerabilities.  This does not translate well to the virtual environment.  In general CHIPSEC should be run directly on real hardware except in a few special cases (CHIPSEC does have some support for fuzzing hypercalls and UEFI variables).

When CHIPSEC runs it attempts to identify the platform and load chip specific configuration files.  These configuration files are needed so the tool can reference the correct register/offset/bits in our test code.  This allows for generic test code to support multiple versions of hardware.  It looks like we do not have support for the Q35 chipset and this is why you got the unsupported platform error.  In this case you will have limited reliable functionality.

I am not sure that the common.memlock test would be supported on the Q35 platform.  I would expect a seg. fault for any undefined MSR when running directly on hardware.  I would also expect the hypervisor to handle the GP fault for a bad MSR access and allow the VM guest to continue.  This seems to support the results you obtained.

I hope this helps.

Thanks,
-Erik

-----Original Message-----
From: Jiandi An <jan@nvidia.com> 
Sent: Thursday, August 22, 2019 2:52 PM
To: chipsec(a)lists.01.org; obazhaniuk(a)gmail.com; Bjorge, Erik C <erik.c.bjorge@intel.com>
Subject: chipsec: memlock module segmentation fault in VM

Hi guys,

Our security experts recommended that we run chipsec in a VM launched via libvirt/qemu/kvm in Ubuntu 18.04 to understand the attack model shift to VM firmware and qualify VM security.  There are several things we want to confirm to make sure we are on the right track.

1. Is chipsec supposed to be run in a VM environment?

2. When running chipsec in VM, it gives unsupported platform error.
ERROR: Unsupported Platform: VID = 0x8086, DID = 0x29C0, RID = 0x00
Is running with -i to ignore it the right thing to do?

root(a)test-system:/chipsec# python chipsec_main.py
################################################################
##                                                            ##
##  CHIPSEC: Platform Hardware Security Assessment Framework  ##
##                                                            ##
################################################################
[240633.460404] chipsec cleanup_module 1786: Destroying chipsec device
[240633.461509] chipsec cleanup_module 1788: exit
[CHIPSEC] Version 1.4.0
[CHIPSEC] Arguments: 
[240633.492121] Chipsec module loaded
[240633.492723] ** This module exposes hardware & memory access, **
[240633.493634] ** which can effect the secure operation of      **
[240633.494631] ** production systems!! Use for research only!   **
****** Chipsec Linux Kernel module is licensed under GPL 2.0
[CHIPSEC] API mode: using CHIPSEC kernel module API
ERROR: Unsupported Platform: VID = 0x8086, DID = 0x29C0, RID = 0x00
ERROR: Platform is not supported (Unsupported Platform: VID = 0x8086, DID = 0x29C0, RID = 0x00).
ERROR: To run anyways please use -i command-line option

root(a)test-system:/chipsec#

dmidecode shows the following for the VM.

root(a)test-system:/chipsec# dmidecode -t 1
# dmidecode 3.1
Getting SMBIOS data from sysfs.
SMBIOS 2.8 present.

Handle 0x0100, DMI type 1, 27 bytes
System Information
	Manufacturer: QEMU
	Product Name: Standard PC (Q35 + ICH9, 2009)
	Version: pc-q35-2.11
	Serial Number: Not Specified
	UUID: 0F289AD4-E57B-4C7B-80DB-7AAF35B5A4B8
	Wake-up Type: Power Switch
	SKU Number: Not Specified
	Family: Not Specified

root(a)test-system:/chipsec#

3.  Is running the memlock module test the right thing to do for VM?  It's accessing LT_LOCK_MEMORY MSR and segmentation faults.  LT_LOCK_MEMORY cannot be accessed from VM.  But if running chipsec_main.py, it goes through and runs memlock module.

root(a)test-system:/chipsec# python chipsec_main.py -i -m common.memlock
[*] Ignoring unsupported platform warning and continue execution
################################################################
##                                                            ##
##  CHIPSEC: Platform Hardware Security Assessment Framework  ##
##                                                            ##
################################################################
[CHIPSEC] Version 1.4.0
[CHIPSEC] Arguments: -i -m common.memlock
[70795.749859] Chipsec module loaded
[70795.750466] ** This module exposes hardware & memory access, **
[70795.751292] ** which can effect the secure operation of      **
[70795.752181] ** production systems!! Use for research only!   **
****** Chipsec Linux Kernel module is licensed under GPL 2.0
[CHIPSEC] API mode: using CHIPSEC kernel module API
ERROR: Unsupported Platform: VID = 0x8086, DID = 0x29C0, RID = 0x00
ERROR: Platform is not supported (Unsupported Platform: VID = 0x8086, DID = 0x29C0, RID = 0x00).
WARNING: Platform dependent functionality is likely to be incorrect
[CHIPSEC] OS      : Linux 4.15.0-50-generic #54-Ubuntu SMP Mon May 6 18:46:08 UTC 2019 x86_64
[CHIPSEC] Platform: UnknownPlatform
[CHIPSEC]      VID: 8086
[CHIPSEC]      DID: 29C0
[CHIPSEC]      RID: 00
[CHIPSEC] PCH     : Default PCH
[[CH7IP0SE7C]9  6  .  5VI50299] general protection fault: 0000 [#2] SMP PTI
[70796.551162] Modules linked in: chipsec(OE) ipt_REJECT nf_reject_ipv4 xt_multiport msr cachefiles fscache ipt_MASQUERADE nf_nat_masquerade_ipv4 nf_conntrack_netlink nfnetlink xfrm_user iptable_nat nf_conntrack_ipv4 nf_defrag_ipv4 nf_nat_ipv4 xt_addrtype xt_conntrack nf_nat nf_conntrack br_netfilter bridge stp llc aufs nv_peer_mem(OE) overlay rdma_ucm(OE) ib_ucm(OE) ib_ipoib(OE) ib_uverbs(OE) ib_umad(OE) esp6_offload esp6 esp4_offload esp4 xfrm_algo mlx5_fpga_tools(OE) mlx5_ib(OE) mlx5_core(OE) mlxfw(OE) mlx4_en(OE) ptp pps_core mlx4_ib(OE) mlx4_core(OE) devlink iptable_filter joydev input_leds serio_raw lpc_ich shpchp qemu_fw_cfg mac_hid nvidia_uvm(OE) sch_fq_codel ib_iser(OE) rdma_cm(OE) iw_cm(OE) ib_cm(OE) ib_core(OE) mlx_compat(OE) iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi sunrpc knem(OE)
[70796.560458]  ip_tables x_tables autofs4 btrfs zstd_compress raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx xor raid6_pq libcrc32c raid1 raid0 multipath linear nvidia_drm(POE) nvidia_modeset(POE) crct10dif_pclmul crc32_pclmul ghash_clmulni_intel pcbc nvidia(POE) drm_kms_helper aesni_intel syscopyarea sysfillrect aes_x86_64 sysimgblt crypto_simd fb_sys_fops glue_helper drm cryptd psmouse ahci ipmi_devintf libahci ipmi_msghandler virtio_blk virtio_net [last unloaded: chipsec]
D[: 7800867
9[C6HI.PS5E66046] CPU: 0 PID: 23328 Comm: python Tainted: P      D    OE    4.15.0-50-generic #54-Ubuntu
[70796.567304] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.10.2-1ubuntu1 04/01/2014
[70796.568539] RIP: 0010:_rdmsr+0xf/0x1e [chipsec]
[70796.569129] RSP: 0018:ffffbe434647bd18 EFLAGS: 00010246
[70796.569823] RAX: ffffbe434647bd90 RBX: 00007fff2b7949c0 RCX: 00000000000002e7
[70796.570770] RDX: ffffbe434647bda0 RSI: ffffbe434647bda8 RDI: 00000000000002e7
[70796.571674] RBP: ffffbe434647be50 R08: 0000000000000000 R09: 0000000022710801
[70796.572675] R10: ffffbe434647bda8 R11: ffffbe434647bda0 R12: 00007fff2b7949c0
[70796.573598] R13: ffff9c59b28cf700 R14: 00000000c0084305 R15: 00007fff2b7949c0
[70796.574500] FS:  00007fe2b5505740(0000) GS:ffff9c59ffc00000(0000) knlGS:0000000000000000
[70796.575545] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[70796.576339] CR2: 000055fc26fe7f50 CR3: 0000000eb37ee001 CR4: 00000000003606f0
[70796.577242] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[70796.578165] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[70796.579105] Call Trace:
[70796.579445]  ? d_ioctl+0x748/0x13c0 [chipsec]
[70796.580074]  ? handle_pte_fault+0x632/0xce0
[70796.580678]  ? __handle_mm_fault+0x478/0x5c0
[70796.581338]  do_vfs_ioctl+0xa8/0x630
[70796.581904]  ? print_stat+0x170/0x170 [chipsec]
[70796.582493]  ? do_vfs_ioctl+0xa8/0x630
[70796.583003]  ? __do_page_fault+0x270/0x4d0
[70796.583559]  SyS_ioctl+0x79/0x90
[70796.584024]  do_syscall_64+0x73/0x130
C][  7  0  7DI9D:6 2.91584531]  entry_SYSCALL_64_after_hwframe+0x3d/0xa2
[70796.585308] RIP: 0033:0x7fe2b50155d7
[70796.585823] RSP: 002b:00007fff2b794998 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[70796.586784] RAX: ffffffffffffffda RBX: 00007fe2b1fa3c30 RCX: 00007fe2b50155d7
[70796.587747] RDX: 00007fff2b7949c0 RSI: 00000000c0084305 RDI: 0000000000000003
[70796.588746] RBP: 00007fff2b7949ac R08: 00007fff2b7948d0 R09: 0000000022710801
[70796.589653] R10: 000055fc26f79e01 R11: 0000000000000246 R12: 0000000000000020
[70796.590636] R13: 000055fc276a22f0 R14: 00007fff2b7949c0 R15: 000055fc276ba538
[70796.591606] Code: 0f 01 0f c3 0f 01 1f c3 0f 01 07 c3 0f 01 17 c3 0f 00 07 c3 c3 0f 01 07 0f 01 17 c3 41 52 41 53 50 52 48 89 f9 49 89 f2 49 89 d3 <0f> 32 41 89 02 41 89 13 5a 58 41 5b 41 5a c3 50 51 48 89 f9 48 8[
707[9CH6IP.SE5C]9  4  061] RIP: _rdmsr+0xf/0x1e [chipsec] RSP: ffffbe434647bd18
[70796.595009] ---[ end trace 54b5b27ee646eea0 ]---
  RID: 02
[+] loaded chipsec.modules.common.memlock
[*] running loaded modules ..

[*] running module: chipsec.modules.common.memlock
[x][ =======================================================================
[x][ Module: Check MSR_LT_LOCK_MEMORY
[x][ =======================================================================
[X] Checking MSR_LT_LOCK_MEMORY status
Segmentation fault
root(a)test-system:/chipsec#


From VM, running msr-tools to read LT_LOCK_MEMORY at 0x2E7 does not crash but gives an error and exits gracefully.

root(a)test-system:/chipsec# modprobe msr
root(a)test-system:/chipsec# rdmsr 0x1b
fee00d00
root(a)test-system:/chipsec# rdmsr 0x2e7
rdmsr: CPU 0 cannot read MSR 0x000002e7
root(a)test-system:/chipsec#

Thanks
- Jiandi
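
Added example, not part of the original thread and not CHIPSEC code: a pre-flight check that probes MSR 0x2E7 through the stock Linux msr driver, which reports a rejected read as an I/O error (the behaviour rdmsr shows above), and notes whether the CPU advertises a hypervisor. The function names and the returned dictionary are hypothetical.

```python
import errno
import os
import struct

MSR_LT_LOCK_MEMORY = 0x2E7  # MSR index quoted in the thread


def read_msr(index, dev="/dev/cpu/0/msr"):
    """Return the 64-bit MSR value, or None if the read is rejected.

    The msr driver uses the file offset as the MSR index and turns a
    faulting RDMSR into EIO, so a bad index is an error, not an oops.
    """
    fd = os.open(dev, os.O_RDONLY)
    try:
        raw = os.pread(fd, 8, index)
    except OSError as exc:
        if exc.errno == errno.EIO:
            return None
        raise
    finally:
        os.close(fd)
    if len(raw) != 8:  # short read: treat as unreadable
        return None
    return struct.unpack("<Q", raw)[0]


def has_hypervisor_flag(cpuinfo_text):
    """True if a 'flags' line of /proc/cpuinfo text lists 'hypervisor'."""
    for line in cpuinfo_text.splitlines():
        key, _, value = line.partition(":")
        if key.strip() == "flags" and "hypervisor" in value.split():
            return True
    return False


def preflight(dev="/dev/cpu/0/msr", cpuinfo="/proc/cpuinfo"):
    """Report whether common.memlock has an MSR it can read on this system."""
    with open(cpuinfo) as fh:
        guest = has_hypervisor_flag(fh.read())
    value = read_msr(MSR_LT_LOCK_MEMORY, dev)
    return {"guest": guest, "msr_readable": value is not None, "value": value}


if __name__ == "__main__":
    print(preflight())  # needs root and `modprobe msr`
```

If msr_readable is False, the MSR that common.memlock checks cannot be read on this system, so the module has nothing meaningful to evaluate there.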

