Re: [PATCH 3/3] x86: Disable running 32bit processes if ia32_disabled is passed

From: Andrew Cooper
Date: Thu Jun 08 2023 - 07:26:03 EST

Next message: Bagas Sanjaya: "Re: [PATCH 5.15 000/159] 5.15.116-rc1 review"
Previous message: kirill.shutemov@xxxxxxxxxxxxxxx: "Re: [PATCH] x86/kexec: Add a comment to relocate_kernel() for better readability"
In reply to: Jiri Slaby: "Re: [PATCH 3/3] x86: Disable running 32bit processes if ia32_disabled is passed"
Next in thread: Thomas Gleixner: "Re: [PATCH 3/3] x86: Disable running 32bit processes if ia32_disabled is passed"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On 08/06/2023 1:25 am, Thomas Gleixner wrote:
> On Thu, Jun 08 2023 at 00:43, Andrew Cooper wrote:
>> And yes, wiring this into SIGSEGV/etc would be a sensible move.
> The only option is to wire it into die_hard_crash_and_burn(). There is
> no sane way to deliver a signal to the process which managed to run into
> this. Appropriate info to parent or ptracer will still be delivered.

Hmm yeah. Something has already gone seriously wrong to end up here, so
terminating it is probably best.

> I really wish that we could disable syscall32 reliably on AMD and make
> it raise #UD as it does on Intal.

You know that's changing in FRED, and will follow the AMD model?

The SYSCALL instruction is lower latency if it doesn't need to check %cs
to conditionally #UD.

>> Furthermore, despite CET-SS explicitly trying to account for and protect
>> against accidental mismatches, there are errata in some parts which let
>> userspace forge legal return addresses on the shadow stack by dropping
>> into 32bit mode because, there's a #GP check missing in a microflow.
> Didn't we assume that there are no CPU bugs? :)

Tell me, is such a CPU delivered with or without a complimentary unicorn? :)

>> For usecases where there ought not to be any 32bit code at all (and
>> there absolutely are), it would be lovely if this could be enforced,
>> rather than relying on blind hope that it doesn't happen.
> I think it's rather clear what needs to be done here to achieve that,
> but that's completely orthogonal to the intent of the patch series in
> question which aims to make CONFIG_IA32_EMULATION a boot time decision.

Fully inhibiting 32bit mode is stronger, because it impacts code which
would otherwise operate in CONFIG_IA32_EMULATION=n configuration.

Which is fine, but I agree that it doesn't want to be confused with
being a "runtime CONFIG_IA32_EMULATION" knob.

If the runtime form could also come with an equivalent Kconfig form,
that would be awesome too.

~Andrew

Next message: Bagas Sanjaya: "Re: [PATCH 5.15 000/159] 5.15.116-rc1 review"
Previous message: kirill.shutemov@xxxxxxxxxxxxxxx: "Re: [PATCH] x86/kexec: Add a comment to relocate_kernel() for better readability"
In reply to: Jiri Slaby: "Re: [PATCH 3/3] x86: Disable running 32bit processes if ia32_disabled is passed"
Next in thread: Thomas Gleixner: "Re: [PATCH 3/3] x86: Disable running 32bit processes if ia32_disabled is passed"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]