From mboxrd@z Thu Jan  1 00:00:00 1970
Content-Type: multipart/mixed; boundary="===============7804133980871922671=="
MIME-Version: 1.0
From: Bjorge, Erik C <erik.c.bjorge@intel.com>
Subject: Re: chipsec: memlock module segmentation fault in VM
Date: Thu, 22 Aug 2019 22:57:43 +0000
Message-ID: <7FE3244EBB31F1449E4EC79CFE44E3F4C9770035@ORSMSX114.amr.corp.intel.com>
In-Reply-To: <SN1PR12MB2397D3C92EF508F941ABEAD6CDA50@SN1PR12MB2397.namprd12.prod.outlook.com>
List-Id: <oe-chipsec.lists.linux.dev>
To: chipsec@lists.01.org

--===============7804133980871922671==
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable

CHIPSEC is normally not intended to run in a virtual environment.  It is de=
signed to validate that hardware has been configured correctly to mitigate =
known vulnerabilities.  This does not translate well to the virtual environ=
ment.  In general CHIPSEC should be run directly on real hardware except in=
 a few special cases (CHIPSEC does have some support for fuzzing hypercalls=
 and UEFI variables).

When CHIPSEC runs it attempts to identify the platform and load chip specif=
ic configuration files.  These configuration files are needed so the tool c=
an reference the correct register/offset/bits in our test code.  This allow=
s for generic test code to support multiple versions of hardware.  It looks=
 like we do not have support for the Q35 chipset and this is why you got th=
e unsupported platform error.  In this case you will have limited reliable =
functionality.

I am not sure that the common.memlock test would be supported on the Q35 pl=
atform.  I would expect a seg. fault for any undefined MSR when running dir=
ectly on hardware.  I would also expect the hypervisor to handle the GP fau=
lt for a bad MSR access and allow the VM guest to continue.  This seems to =
support the results you obtained.

I hope this helps.

Thanks,
-Erik

-----Original Message-----
From: Jiandi An <jan@nvidia.com> =

Sent: Thursday, August 22, 2019 2:52 PM
To: chipsec(a)lists.01.org; obazhaniuk(a)gmail.com; Bjorge, Erik C <erik.c.=
bjorge@intel.com>
Subject: chipsec: memlock module segmentation fault in VM

Hi guys,

Our security experts recommended us to run chipsec in VM launched via libvi=
rt/qemu/kvm in Ubuntu 18.04 to understand attack model shift to VM firmware=
 and qualify VM security.  Several things we want to confirm to make sure w=
e are on the right track.

1. Is chipsec supposed to be run in a VM environment?

2. When running chipsec in VM, it gives unsupported platform error. =

ERROR: Unsupported Platform: VID =3D 0x8086, DID =3D 0x29C0, RID =3D 0x00 I=
s running with -i to ignore it the right thing to do?

root(a)test-system:/chipsec# python chipsec_main.py #######################=
#########################################
##                                                            ##
##  CHIPSEC: Platform Hardware Security Assessment Framework  ##
##                                   [240633.460404] chipsec cleanup_module=
 1786: Destroying chipsec device
                [240633.461509] chipsec cleanup_module 1788: exit ## ######=
##########################################################
[CHIPSEC] Version 1.4.0
[CHIPSEC] Arguments: =

[240633.492121] Chipsec module loaded
[240633.492723] ** This module exposes hardware & memory access, **
[240633.493634] ** which can effect the secure operation of      **
[240633.494631] ** production systems!! Use for research only!   **
****** Chipsec Linux Kernel module is licensed under GPL 2.0 [CHIPSEC] API =
mode: using CHIPSEC kernel module API
ERROR: Unsupported Platform: VID =3D 0x8086, DID =3D 0x29C0, RID =3D 0x00
ERROR: Platform is not supported (Unsupported Platform: VID =3D 0x8086, DID=
 =3D 0x29C0, RID =3D 0x00).
ERROR: To run anyways please use -i command-line option

root(a)test-system:/chipsec#

dmidecode show the following for the VM.

root(a)test-system:/chipsec# dmidecode -t 1 # dmidecode 3.1 Getting SMBIOS =
data from sysfs.
SMBIOS 2.8 present.

Handle 0x0100, DMI type 1, 27 bytes
System Information
	Manufacturer: QEMU
	Product Name: Standard PC (Q35 + ICH9, 2009)
	Version: pc-q35-2.11
	Serial Number: Not Specified
	UUID: 0F289AD4-E57B-4C7B-80DB-7AAF35B5A4B8
	Wake-up Type: Power Switch
	SKU Number: Not Specified
	Family: Not Specified

root(a)test-system:/chipsec#

3.  Is running the memlock module test the right thing to do for VM?  It's =
accessing LT_LOCK_MEMORY MSR and segmentation faults.  LT_LOCK_MEMORY canno=
t be accessed from VM.  But if running chipsec_main.py, it goes through and=
 runs memlock module.

root(a)test-system:/chipsec# python chipsec_main.py -i -m common.memlock [*=
] Ignoring unsupported platform warning and continue execution ############=
####################################################
##                                                            ##
##  CHIPSEC: Platform Hardware Security Assessment Framework  ##
##                                                            ##
################################################################
[CHIPSEC] Version 1.4.0
[CHIPSEC] Arguments: -i -m common.memlock [70795.749859] Chipsec module loa=
ded [70795.750466] ** This module exposes hardware & memory access, **
[70795.751292] ** which can effect the secure operation of      **
[70795.752181] ** production systems!! Use for research only!   **
****** Chipsec Linux Kernel module is licensed under GPL 2.0 [CHIPSEC] API =
mode: using CHIPSEC kernel module API
ERROR: Unsupported Platform: VID =3D 0x8086, DID =3D 0x29C0, RID =3D 0x00
ERROR: Platform is not supported (Unsupported Platform: VID =3D 0x8086, DID=
 =3D 0x29C0, RID =3D 0x00).
WARNING: Platform dependent functionality is likely to be incorrect
[CHIPSEC] OS      : Linux 4.15.0-50-generic #54-Ubuntu SMP Mon May 6 18:46:=
08 UTC 2019 x86_64
[CHIPSEC] Platform: UnknownPlatform
[CHIPSEC]      VID: 8086
[CHIPSEC]      DID: 29C0
[CHIPSEC]      RID: 00
[CHIPSEC] PCH     : Default PCH
[[CH7IP0SE7C]9  6  .  5VI50299] general protection fault: 0000 [#2] SMP PTI=
 [70796.551162] Modules linked in: chipsec(OE) ipt_REJECT nf_reject_ipv4 xt=
_multiport msr cachefiles fscache ipt_MASQUERADE nf_nat_masquerade_ipv4 nf_=
conntrack_netlink nfnetlink xfrm_user iptable_nat nf_conntrack_ipv4 nf_defr=
ag_ipv4 nf_nat_ipv4 xt_addrtype xt_conntrack nf_nat nf_conntrack br_netfilt=
er bridge stp llc aufs nv_peer_mem(OE) overlay rdma_ucm(OE) ib_ucm(OE) ib_i=
poib(OE) ib_uverbs(OE) ib_umad(OE) esp6_offload esp6 esp4_offload esp4 xfrm=
_algo mlx5_fpga_tools(OE) mlx5_ib(OE) mlx5_core(OE) mlxfw(OE) mlx4_en(OE) p=
tp pps_core mlx4_ib(OE) mlx4_core(OE) devlink iptable_filter joydev input_l=
eds serio_raw lpc_ich shpchp qemu_fw_cfg mac_hid nvidia_uvm(OE) sch_fq_code=
l ib_iser(OE) rdma_cm(OE) iw_cm(OE) ib_cm(OE) ib_core(OE) mlx_compat(OE) is=
csi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi sunrpc knem(OE) [70796.5=
60458]  ip_tables x_tables autofs4 btrfs zstd_compress raid10 raid456 async=
_raid6_recov async_memcpy async_pq async_xor async_tx xor raid6_pq libcrc32=
c raid1 raid0 multipath linear nvidia_drm(POE) nvidia_modeset(POE) crct10di=
f_pclmul crc32_pclmul ghash_clmulni_intel pcbc nvidia(POE) drm_kms_helper a=
esni_intel syscopyarea sysfillrect aes_x86_64 sysimgblt crypto_simd fb_sys_=
fops glue_helper drm cryptd psmouse ahci ipmi_devintf libahci ipmi_msghandl=
er virtio_blk virtio_net [last unloaded: chipsec]
D[: 7800867
9[C6HI.PS5E66046] CPU: 0 PID: 23328 Comm: python Tainted: P      D    OE   =
 4.15.0-50-generic #54-Ubuntu
[70796.567304] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.1=
0.2-1ubuntu1 04/01/2014 [70796.568539] RIP: 0010:_rdmsr+0xf/0x1e [chipsec] =
[70796.569129] RSP: 0018:ffffbe434647bd18 EFLAGS: 00010246 [70796.569823] R=
AX: ffffbe434647bd90 RBX: 00007fff2b7949c0 RCX: 00000000000002e7 [70796.570=
770] RDX: ffffbe434647bda0 RSI: ffffbe434647bda8 RDI: 00000000000002e7 [707=
96.571674] RBP: ffffbe434647be50 R08: 0000000000000000 R09: 000000002271080=
1 [70796.572675] R10: ffffbe434647bda8 R11: ffffbe434647bda0 R12: 00007fff2=
b7949c0 [70796.573598] R13: ffff9c59b28cf700 R14: 00000000c0084305 R15: 000=
07fff2b7949c0 [70796.574500] FS:  00007fe2b5505740(0000) GS:ffff9c59ffc0000=
0(0000) knlGS:0000000000000000 [70796.575545] CS:  0010 DS: 0000 ES: 0000 C=
R0: 0000000080050033 [70796.576339] CR2: 000055fc26fe7f50 CR3: 0000000eb37e=
e001 CR4: 00000000003606f0 [70796.577242] DR0: 0000000000000000 DR1: 000000=
0000000000 DR2: 0000000000000000 [70796.578165] DR3: 0000000000000000 DR6: =
00000000fffe0ff0 DR7: 0000000000000400 [70796.579105] Call Trace:
[70796.579445]  ? d_ioctl+0x748/0x13c0 [chipsec] [70796.580074]  ? handle_p=
te_fault+0x632/0xce0 [70796.580678]  ? __handle_mm_fault+0x478/0x5c0 [70796=
.581338]  do_vfs_ioctl+0xa8/0x630 [70796.581904]  ? print_stat+0x170/0x170 =
[chipsec] [70796.582493]  ? do_vfs_ioctl+0xa8/0x630 [70796.583003]  ? __do_=
page_fault+0x270/0x4d0 [70796.583559]  SyS_ioctl+0x79/0x90 [70796.584024]  =
do_syscall_64+0x73/0x130 C][  7  0  7DI9D:6 2.91584531]  entry_SYSCALL_64_a=
fter_hwframe+0x3d/0xa2
[70796.585308] RIP: 0033:0x7fe2b50155d7
[70796.585823] RSP: 002b:00007fff2b794998 EFLAGS: 00000246 ORIG_RAX: 000000=
0000000010 [70796.586784] RAX: ffffffffffffffda RBX: 00007fe2b1fa3c30 RCX: =
00007fe2b50155d7 [70796.587747] RDX: 00007fff2b7949c0 RSI: 00000000c0084305=
 RDI: 0000000000000003 [70796.588746] RBP: 00007fff2b7949ac R08: 00007fff2b=
7948d0 R09: 0000000022710801 [70796.589653] R10: 000055fc26f79e01 R11: 0000=
000000000246 R12: 0000000000000020 [70796.590636] R13: 000055fc276a22f0 R14=
: 00007fff2b7949c0 R15: 000055fc276ba538 [70796.591606] Code: 0f 01 0f c3 0=
f 01 1f c3 0f 01 07 c3 0f 01 17 c3 0f 00 07 c3 c3 0f 01 07 0f 01 17 c3 41 5=
2 41 53 50 52 48 89 f9 49 89 f2 49 89 d3 <0f> 32 41 89 02 41 89 13 5a 58 41=
 5b 41 5a c3 50 51 48 89 f9 48 8[
707[9CH6IP.SE5C]9  4  061] RIP: _rdmsr+0xf/0x1e [chipsec] RSP: ffffbe434647=
bd18 [70796.595009] ---[ end trace 54b5b27ee646eea0 ]---
  RID: 02
[+] loaded chipsec.modules.common.memlock [*] running loaded modules ..
 =

[*] running module: chipsec.modules.common.memlock [x][ =3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
[x][ Module: Check MSR_LT_LOCK_MEMORY
[x][ =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
[X] Checking MSR_LT_LOCK_MEMORY status
Segmentation fault
root(a)test-system:/chipsec#


>>From VM, running msr-tools to read LT_LOCK_MEMORY at 0x2E7 does not crash =
but gives error and exit gracefully.

root(a)test-system:/chipsec# modprobe msr
root(a)test-system:/chipsec# rdmsr 0x1b
fee00d00
root(a)test-system:/chipsec# rdmsr 0x2e7
rdmsr: CPU 0 cannot read MSR 0x000002e7
root(a)test-system:/chipsec#

Thanks
- Jiandi


---------------------------------------------------------------------------=
--------
This email message is for the sole use of the intended recipient(s) and may=
 contain confidential information.  Any unauthorized review, use, disclosur=
e or distribution is prohibited.  If you are not the intended recipient, pl=
ease contact the sender by reply email and destroy all copies of the origin=
al message.
---------------------------------------------------------------------------=
--------

--===============7804133980871922671==--