User-Mode Instruction Prevention (UMIP) is a security feature present in new Intel Processors. If enabled, it prevents the execution of certain instructions if the Current Privilege Level (CPL) is greater than 0. If these instructions were executed while in CPL > 0, user space applications could have access to system-wide settings such as the global and local descriptor tables, the task register and the interrupt descriptor table.

These are the instructions covered by UMIP:

* SGDT - Store Global Descriptor Table
* SIDT - Store Interrupt Descriptor Table
* SLDT - Store Local Descriptor Table
* SMSW - Store Machine Status Word
* STR - Store Task Register

If any of these instructions is executed with CPL > 0, a general protection exception is issued when UMIP is enabled.

There is a caveat, however. Certain applications running in virtual-8086 mode, such as DOSEMU[1] and Wine[2], want to utilize the SGDT, SIDT and SLDT instructions for legitimate reasons. In order to keep such applications working, UMIP must be disabled/enabled when entering/exiting virtual-8086 mode. We also disable/enable UMIP in context switch if we detect that there is a valid virtual-8086 state structure.

However, unconditionally disabling UMIP for virtual-8086 tasks could be exploited by malicious applications. Hence, disabling UMIP for such kind of tasks is allowed only if the kernel parameter 'umip=novm86' is used.

Rather than using the more modern clearcpuid=1234 format for the kernel parameters, we use umip={no|novm86}. This is because the former cannot cover the three configuration states of UMIP.

The virtual-8086 mode selftests are updated to ensure that the aforementioned instructions can be executed without issue in such mode.
Thanks and BR,
Ricardo

Cc: Andy Lutomirski <luto@xxxxxxxxxx>
Cc: Andrew Morton <akpm@xxxxxxxxxxxxxxxxxxxx>
Cc: Borislav Petkov <bp@xxxxxxx>
Cc: Brian Gerst <brgerst@xxxxxxxxx>
Cc: Chen Yucong <slaoub@xxxxxxxxx>
Cc: Chris Metcalf <cmetcalf@xxxxxxxxxxxx>
Cc: Dave Hansen <dave.hansen@xxxxxxxxxxxxxxx>
Cc: Fenghua Yu <fenghua.yu@xxxxxxxxx>
Cc: Huang Rui <ray.huang@xxxxxxx>
Cc: Jiri Slaby <jslaby@xxxxxxx>
Cc: Jonathan Corbet <corbet@xxxxxxx>
Cc: Michael S. Tsirkin <mst@xxxxxxxxxx>
Cc: Paul Gortmaker <paul.gortmaker@xxxxxxxxxxxxx>
Cc: Peter Zijlstra <peterz@xxxxxxxxxxxxx>
Cc: Ravi V. Shankar <ravi.v.shankar@xxxxxxxxx>
Cc: Vlastimil Babka <vbabka@xxxxxxx>
Cc: Shuah Khan <shuah@xxxxxxxxxx>

[1]. http://www.dosemu.org/
[2]. https://wiki.winehq.org/Main_Page

Ricardo Neri (4):
  x86/cpufeature: Add User-Mode Instruction Prevention definitions
  x86: Prepare vm86 tasks to handle User-Mode Instruction Prevention
  x86: Enable User-Mode Instruction Prevention
  selftests/x86: Add tests for User-Mode Instruction Prevention

 Documentation/kernel-parameters.txt           |  5 +++
 arch/x86/Kconfig                              | 10 ++++++
 arch/x86/include/asm/cpufeatures.h            |  1 +
 arch/x86/include/asm/disabled-features.h      |  8 ++++-
 arch/x86/include/asm/vm86.h                   |  3 ++
 arch/x86/include/uapi/asm/processor-flags.h   |  2 ++
 arch/x86/kernel/cpu/common.c                  | 50 ++++++++++++++++++++++++++-
 arch/x86/kernel/process.c                     | 10 ++++++
 arch/x86/kernel/vm86_32.c                     | 20 +++++++++++
 tools/testing/selftests/x86/entry_from_vm86.c | 10 +++++-
 10 files changed, 116 insertions(+), 3 deletions(-)

-- 
2.7.4
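The following is an added user-space probe, not code from this patch series or from the kernel selftests it touches. It shows, from the defender's side, how to verify what the cover letter describes: it reads the UMIP feature bit from CPUID (leaf 7, subleaf 0, ECX bit 2) and then executes each of the five covered instructions at CPL 3 under a SIGSEGV handler, reporting whether the instruction completed or was blocked with a general protection fault. The instruction list and the #GP behaviour come from the text above; the CPUID bit position is the architectural definition of the feature flag. Note that the UMIP support that later reached mainline emulates SGDT, SIDT and SMSW for user space (returning dummy values), so on such kernels only SLDT and STR actually fault; the probe therefore reports per instruction instead of assuming a single outcome.

```c
/* Added example: probe UMIP status from user space (CPL 3).
 * Not part of the UMIP patch series; builds with gcc/clang on x86 Linux
 * and degrades to "n/a" results on other architectures. */
#define _GNU_SOURCE
#include <setjmp.h>
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>
#define PROBE_IS_X86 1
#else
#define PROBE_IS_X86 0
#endif

/* The five instructions UMIP covers, in the order the cover letter lists them. */
enum probe_insn { PROBE_SGDT, PROBE_SIDT, PROBE_SLDT, PROBE_SMSW, PROBE_STR };
static const char *const probe_names[] = { "sgdt", "sidt", "sldt", "smsw", "str" };

static sigjmp_buf probe_env;
static volatile sig_atomic_t probe_faulted;

/* A #GP raised at CPL 3 is delivered to the process as SIGSEGV. */
static void probe_sigsegv(int sig)
{
	(void)sig;
	probe_faulted = 1;
	siglongjmp(probe_env, 1);
}

/* 1 if CPUID.(EAX=7,ECX=0):ECX[bit 2] advertises UMIP, 0 if not, -1 off x86. */
int cpu_has_umip(void)
{
#if PROBE_IS_X86
	unsigned int eax, ebx, ecx, edx;
	if (__get_cpuid_max(0, NULL) < 7)
		return 0;
	__cpuid_count(7, 0, eax, ebx, ecx, edx);
	return (int)((ecx >> 2) & 1);
#else
	return -1;
#endif
}

/* Execute one covered instruction at CPL 3.
 * Returns 0 if it completed, 1 if it raised #GP (seen as SIGSEGV), -1 off x86. */
int probe_instruction(enum probe_insn which)
{
#if PROBE_IS_X86
	struct sigaction sa, old;
	/* Descriptor-table pseudo-descriptor: 16-bit limit + base (10 bytes on x86-64). */
	struct { uint16_t limit; uint64_t base; } __attribute__((packed)) table;
	uint16_t sel = 0;

	memset(&sa, 0, sizeof(sa));
	sa.sa_handler = probe_sigsegv;
	sigemptyset(&sa.sa_mask);
	sigaction(SIGSEGV, &sa, &old);

	probe_faulted = 0;
	if (sigsetjmp(probe_env, 1) == 0) {
		switch (which) {
		case PROBE_SGDT: __asm__ volatile("sgdt %0" : "=m"(table)); break;
		case PROBE_SIDT: __asm__ volatile("sidt %0" : "=m"(table)); break;
		case PROBE_SLDT: __asm__ volatile("sldt %0" : "=r"(sel)); break;
		case PROBE_SMSW: __asm__ volatile("smsw %0" : "=r"(sel)); break;
		case PROBE_STR:  __asm__ volatile("str %0"  : "=r"(sel)); break;
		}
	}
	sigaction(SIGSEGV, &old, NULL);
	return probe_faulted;
#else
	(void)which;
	return -1;
#endif
}

int main(void)
{
	int has = cpu_has_umip();
	printf("CPUID reports UMIP: %s\n",
	       has < 0 ? "n/a (not x86)" : has ? "yes" : "no");
	for (int i = PROBE_SGDT; i <= PROBE_STR; i++) {
		int r = probe_instruction((enum probe_insn)i);
		printf("%-4s at CPL 3: %s\n", probe_names[i],
		       r < 0 ? "n/a" : r ? "#GP (blocked)" : "executed");
	}
	return 0;
}
```

Run it once on a machine whose CPUID does not advertise UMIP and every instruction reports "executed": that is the exposure the series closes, since SGDT/SIDT leak kernel descriptor-table addresses to an unprivileged process. With UMIP active, a blocked instruction shows up as "#GP (blocked)", which is the same signal the kernel selftests in this series look for from vm86 mode.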