Re: [RFC PATCH v2 6/6] x86/entry/pti: don't switch PGD on when pti_disable is set

From: Linus Torvalds
Date: Thu Jan 11 2018 - 13:52:02 EST


On Thu, Jan 11, 2018 at 10:38 AM, Dave Hansen
<dave.hansen@xxxxxxxxxxxxxxx> wrote:
> On 01/11/2018 10:32 AM, Josh Poimboeuf wrote:
>>> hmm. Exposing cr3 to user space will make it trivial for a user process
>>> to know whether kpti is active. Not sure how exploitable such an
>>> information leak is.
>> It's already trivial to detect PTI from user space.
>
> Do tell.

One way to do it is to just run the attack, and see if you get something.

So it's not really "is PTI enabled", but a "is meltdown there". Then
you just use that together with cpuinfo to decide if PTI is enabled.

So I think Josh is 100% right. Detecting PTI on/off is not hard.

But that does *not* mean that %cr3 isn't secret. %cr3 should
definitely never *ever* be accessible to user space.

Linus