Re: [RFC] x86/speculation: add L1 Terminal Fault / Foreshadow demo
From: Julian Stecklina
Date: Tue Jan 22 2019 - 09:34:29 EST
Kees Cook <keescook@xxxxxxxxxxxx> writes:
> On Tue, Jan 22, 2019 at 8:15 AM Greg KH <gregkh@xxxxxxxxxxxxxxxxxxx> wrote:
>>
>> On Mon, Jan 21, 2019 at 10:36:18AM -0800, Andi Kleen wrote:
>> > > + /* Check the start address: needs to be page-aligned.. */
>> > > +- if (start & ~PAGE_MASK)
>> > > ++ if (start & ~PAGE_MASK) {
>> > > ++
>> > > ++ /*
>> > > ++ * XXX Hack
>> > > ++ *
>> > > ++ * We re-use this error case to show case a cache load gadget:
>> > > ++ * There is a mispredicted branch, which leads to prefetching
>> > > ++ * the cache with attacker controlled data.
>> > > ++ */
>> > > ++ asm volatile (
>> >
>> > Obviously that can never be added to a standard kernel.
>>
>> No, that's why it is a patch, right?
Yes, this is obviously only for experimenting.
>> People want to test things, it's nice to have a way to easily do
>> this.
>
> What about adding something like it to drivers/misc/lkdtm/ instead?
>
> It's not a "production" module, but it regularly get built for selftest builds.
For people who want to test L1TF hardening patches in the kernel (e.g.
XPFO) it's certainly nice to not have to manually patch the kernel to add
an easy to reach cache load gadget. It's also nice if you quickly want
to test whether a random Intel CPU has this vulnerability.
The cache load gadget as it is right now is mostly to show a reasonably
realistic scenario of speculatively executed code fetching memory into
the L1 cache. I didn't want to make this a completely crafted example
where I just literally execute a prefetch instruction.
But what I could do is add a bit of code in lkdtm that exposes a debugfs
file with this functionality.
Thoughts?
Julian