[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Xen-devel] [PATCH 2/2] x86/ldt: allow to disable modify_ldt at runtime

To: Borislav Petkov <bp@xxxxxxxxx>
From: Willy Tarreau <w@xxxxxx>
Date: Tue, 4 Aug 2015 08:00:54 +0200
Cc: "security@xxxxxxxxxx" <security@xxxxxxxxxx>, Kees Cook <keescook@xxxxxxxxxxxx>, Andrew Cooper <andrew.cooper3@xxxxxxxxxx>, X86 ML <x86@xxxxxxxxxx>, LKML <linux-kernel@xxxxxxxxxxxxxxx>, Steven Rostedt <rostedt@xxxxxxxxxxx>, Andy Lutomirski <luto@xxxxxxxxxxxxxx>, Jan Beulich <jbeulich@xxxxxxxx>, Andy Lutomirski <luto@xxxxxxxxxx>, Sasha Levin <sasha.levin@xxxxxxxxxx>, Boris Ostrovsky <boris.ostrovsky@xxxxxxxxxx>, xen-devel <xen-devel@xxxxxxxxxxxxx>
Delivery-date: Tue, 04 Aug 2015 06:01:46 +0000
List-id: Xen developer discussion <xen-devel.lists.xen.org>

On Tue, Aug 04, 2015 at 05:54:51AM +0200, Borislav Petkov wrote:
> On Mon, Aug 03, 2015 at 11:45:24AM -0700, Andy Lutomirski wrote:
> > P.P.P.S.  Who thought that IRET faults unmasking NMIs made any sense
> > whatsoever when NMIs run on an IST stack?  Seriously, people?
> 
> What happened with asking Intel for a sane IRET-NG?
> 
> Should be relatively easy - take the current IRET microcode, get rid
> of the nasty crap, allocate a new opcode and done. Validation should
> actually have *less* to do and can reuse all current test cases.

Even easier, just add a few flags (probably 2 or 3 only) that IRET can
check to adjust its behaviour. Basically "don't re-enable NMIs yet",
maybe something to adjust the behaviour on bad CS/SS/SP/IP and a few
such things could possibly help. Maybe all of this could be summarized
as a single flag "I'm in a fault handler".

Willy

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
http://lists.xen.org/xen-devel

References:
- [Xen-devel] [PATCH 0/2] x86: allow to enable/disable modify_ldt at run time
  - From: Willy Tarreau
- [Xen-devel] [PATCH 2/2] x86/ldt: allow to disable modify_ldt at runtime
  - From: Willy Tarreau
- Re: [Xen-devel] [PATCH 2/2] x86/ldt: allow to disable modify_ldt at runtime
  - From: Andy Lutomirski
- Re: [Xen-devel] [PATCH 2/2] x86/ldt: allow to disable modify_ldt at runtime
  - From: Borislav Petkov

Prev by Date: Re: [Xen-devel] [PATCH] xen-netback: Allocate fraglist early to avoid complex rollback
Next by Date: Re: [Xen-devel] [PATCH v5 12/22] xen/arm: ITS: Add GICR register emulation
Previous by thread: Re: [Xen-devel] [PATCH 2/2] x86/ldt: allow to disable modify_ldt at runtime
Next by thread: Re: [Xen-devel] [PATCH 2/2] x86/ldt: allow to disable modify_ldt at runtime
Index(es):
- Date
- Thread

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.