Re: [PATCH] efi/x86: use naked RET on mixed mode call wrapper

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On 18/07/2022 17:38, Peter Zijlstra wrote:
> On Mon, Jul 18, 2022 at 06:28:27PM +0200, Borislav Petkov wrote:
>> On Mon, Jul 18, 2022 at 01:41:37PM +0200, Peter Zijlstra wrote:
>>> diff --git a/arch/x86/include/asm/nospec-branch.h b/arch/x86/include/asm/nospec-branch.h
>>> index 10a3bfc1eb23..f934dcdb7c0d 100644
>>> --- a/arch/x86/include/asm/nospec-branch.h
>>> +++ b/arch/x86/include/asm/nospec-branch.h
>>> @@ -297,6 +297,8 @@ do {									\
>>>  	alternative_msr_write(MSR_IA32_SPEC_CTRL,			\
>>>  			      spec_ctrl_current() | SPEC_CTRL_IBRS,	\
>>>  			      X86_FEATURE_USE_IBRS_FW);			\
>>> +	altnerative_msr_write(MSR_IA32_PRED_CMD, PRED_CMD_IBPB,		\
>>> +			      X86_FEATURE_USE_IBPB_FW);			\
>>>  } while (0)
>> So I'm being told we need to untrain on return from EFI to protect the
>> kernel from it. Ontop of yours.
> I don't think there's any credible way we can protect against EFI taking
> over the system if it wants to. It runs at CPL0 and has access to the
> direct map. If EFI wants it can take over the system without trying.

I don't think an untrain is needed either.  EFI RS can do anything it
wants, architecturally speaking, so the only threat is it acting as a
confused deputy.

The IBPB on the way in mitigates any BTC attacks against EFI-RS.

The "safe" BTB entry can be evicted due to competition or an alias, both
in kernel code or EFI code, but neither of these contexts will be
deliberately creating a malicious entry.

~Andrew




[Index of Archives]     [Linux ARM Kernel]     [Linux ARM]     [Linux Omap]     [Fedora ARM]     [IETF Annouce]     [Security]     [Bugtraq]     [Linux OMAP]     [Linux MIPS]     [ECOS]     [Asterisk Internet PBX]     [Linux API]

  Powered by Linux