Re: [RFC PATCH v2 2/6] x86/arch_prctl: add ARCH_GET_NOPTI and ARCH_SET_NOPTI to enable/disable PTI

From: Ingo Molnar
Date: Wed Jan 10 2018 - 10:45:23 EST

Next message: Arnd Bergmann: "Re: next/master build: 198 builds: 1 failed, 197 passed, 1 error, 148 warnings (next-20180110)"
Previous message: Jiri Olsa: "Re: [PATCH 09/12] perf script: Add support to display lost events"
In reply to: Willy Tarreau: "Re: [RFC PATCH v2 2/6] x86/arch_prctl: add ARCH_GET_NOPTI and ARCH_SET_NOPTI to enable/disable PTI"
Next in thread: Kees Cook: "Re: [RFC PATCH v2 2/6] x86/arch_prctl: add ARCH_GET_NOPTI and ARCH_SET_NOPTI to enable/disable PTI"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

* Borislav Petkov <bp@xxxxxxxxx> wrote:

> On Wed, Jan 10, 2018 at 08:25:08AM +0100, Ingo Molnar wrote:
> > We could taint the kernel and warn prominently in the syslog when PTI is disabled
> > globally on the boot line though, if running on affected CPUs.
> >
> > Something like:
> >
> > "x86/intel: Page Table Isolation (PTI) is disabled globally. This allows unprivileged, untrusted code to exploit the Meltdown CPU bug to read kernel data."
> >
>
> I think we should warn in the per-mm disabling case too. Not the same
> text but a similar blurb about the trusted process becoming a high-value
> target.

Ok - that's fine by me too, as long as it's a one time warning only.

Thanks,

Ingo

Next message: Arnd Bergmann: "Re: next/master build: 198 builds: 1 failed, 197 passed, 1 error, 148 warnings (next-20180110)"
Previous message: Jiri Olsa: "Re: [PATCH 09/12] perf script: Add support to display lost events"
In reply to: Willy Tarreau: "Re: [RFC PATCH v2 2/6] x86/arch_prctl: add ARCH_GET_NOPTI and ARCH_SET_NOPTI to enable/disable PTI"
Next in thread: Kees Cook: "Re: [RFC PATCH v2 2/6] x86/arch_prctl: add ARCH_GET_NOPTI and ARCH_SET_NOPTI to enable/disable PTI"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]