Re: [PATCH 1/4] x86/cpufeature: Add User-Mode Instruction Prevention definitions

2016-11-11 Thread Ricardo Neri
On Fri, 2016-11-11 at 11:22 +0100, Borislav Petkov wrote: > On Thu, Nov 10, 2016 at 08:08:07PM -0800, Ricardo Neri wrote: > > UMIP is enabled by setting a bit in CR4. If that bit is not supposed > > to be set, that could cause a #GP fault. > > Yeah, you do check CPUID first, AFAICT, so you should

Re: [PATCH 1/4] x86/cpufeature: Add User-Mode Instruction Prevention definitions

2016-11-11 Thread Dave Hansen
On 11/10/2016 08:08 PM, Ricardo Neri wrote: > Thanks for the suggestions. Perhaps I can include these metrics in my > V2. On the other hand, Dave Hansen gave a good argument on potential > conflicts when, for instance, running on an AMD CPU. UMIP is enabled by > setting a bit in CR4. If that bit is

Re: [PATCH 1/4] x86/cpufeature: Add User-Mode Instruction Prevention definitions

2016-11-11 Thread Borislav Petkov
On Thu, Nov 10, 2016 at 08:08:07PM -0800, Ricardo Neri wrote: > UMIP is enabled by setting a bit in CR4. If that bit is not supposed > to be set, that could cause a #GP fault. Yeah, you do check CPUID first, AFAICT, so you should be ok... -- Regards/Gruss, Boris. SUSE Linux GmbH, GF: Felix

Re: [PATCH 1/4] x86/cpufeature: Add User-Mode Instruction Prevention definitions

2016-11-10 Thread Ricardo Neri
On Thu, 2016-11-10 at 09:58 +0100, Borislav Petkov wrote: > On Wed, Nov 09, 2016 at 07:24:43PM -0800, Ricardo Neri wrote: > > I intended this feature to be configurable at build time in case someone > > wants to build a kernel without it; similar to other features such as > > SMAP. Is this not

Re: [PATCH 1/4] x86/cpufeature: Add User-Mode Instruction Prevention definitions

2016-11-10 Thread Dave Hansen
On 11/09/2016 07:24 PM, Ricardo Neri wrote: > On Wed, 2016-11-09 at 03:02 -0800, Andy Lutomirski wrote: ... >> > What I mean is: why does this need a config option at all? > I intended this feature to be configurable at build time in case someone > wants to build a kernel without it; similar to

Re: [PATCH 1/4] x86/cpufeature: Add User-Mode Instruction Prevention definitions

2016-11-10 Thread Borislav Petkov
On Wed, Nov 09, 2016 at 07:24:43PM -0800, Ricardo Neri wrote: > I intended this feature to be configurable at build time in case someone > wants to build a kernel without it; similar to other features such as > SMAP. Is this not needed? Should Linux be built with this feature always > enabled? >

Re: [PATCH 1/4] x86/cpufeature: Add User-Mode Instruction Prevention definitions

2016-11-09 Thread Ricardo Neri
On Wed, 2016-11-09 at 03:02 -0800, Andy Lutomirski wrote: > On Tue, Nov 8, 2016 at 8:25 PM, Ricardo Neri > wrote: > > On Tue, 2016-11-08 at 07:32 -0800, Andy Lutomirski wrote: > >> > diff --git a/arch/x86/include/asm/disabled-features.h > >> b/arch/x86/include/asm/disabled-features.h > >> > index

Re: [PATCH 1/4] x86/cpufeature: Add User-Mode Instruction Prevention definitions

2016-11-09 Thread Andy Lutomirski
On Tue, Nov 8, 2016 at 8:25 PM, Ricardo Neri wrote: > On Tue, 2016-11-08 at 07:32 -0800, Andy Lutomirski wrote: >> > diff --git a/arch/x86/include/asm/disabled-features.h >> b/arch/x86/include/asm/disabled-features.h >> > index 85599ad..4707445 100644 >> > ---

Re: [PATCH 1/4] x86/cpufeature: Add User-Mode Instruction Prevention definitions

2016-11-08 Thread Ricardo Neri
On Tue, 2016-11-08 at 07:32 -0800, Andy Lutomirski wrote: > > diff --git a/arch/x86/include/asm/disabled-features.h > b/arch/x86/include/asm/disabled-features.h > > index 85599ad..4707445 100644 > > --- a/arch/x86/include/asm/disabled-features.h > > +++ b/arch/x86/include/asm/disabled-features.h >

Re: [PATCH 1/4] x86/cpufeature: Add User-Mode Instruction Prevention definitions

2016-11-08 Thread Andy Lutomirski
On Mon, Nov 7, 2016 at 10:12 PM, Ricardo Neri wrote: > User-Mode Instruction Prevention (UMIP) is a security feature present in > new Intel Processors. If enabled, it prevents the execution of certain > instructions if the Current Privilege Level (CPL) is greater than 0. If > these instructions

[PATCH 1/4] x86/cpufeature: Add User-Mode Instruction Prevention definitions

2016-11-07 Thread Ricardo Neri
User-Mode Instruction Prevention (UMIP) is a security feature present in new Intel Processors. If enabled, it prevents the execution of certain instructions if the Current Privilege Level (CPL) is greater than 0. If these instructions were executed while in CPL > 0, user space applications could
