On Tue, May 26, 2020 at 08:56:18AM +0200, Greg KH wrote:
> On Mon, May 25, 2020 at 10:28:48PM -0700, Andi Kleen wrote:
> > From: Andi Kleen <ak@xxxxxxxxxxxxxxx>
> >
> > Since there seem to be kernel modules floating around that set
> > FSGSBASE incorrectly, prevent this in the CR4 pinning. Currently
> > CR4 pinning just checks that bits are set, this also checks
> > that the FSGSBASE bit is not set, and if it is clears it again.
>
> So we are trying to "protect" ourselves from broken out-of-tree kernel
> modules now? Why stop with this type of check, why not just forbid them
> entirely if we don't trust them? :)

Oh, I have a bunch of patches pending for that :-)

It will basically decode the module text and refuse to load the module
for most CPL0 instructions.
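
The pinning check described in the quoted patch description, as a user-space model added here (not code from this thread or from the kernel): bits that must stay set and a bit that must stay clear are enforced in one write-then-verify loop. The struct, the function names, the simulated register and the choice of SMEP/SMAP/UMIP as the must-set bits are assumptions of this model.

```c
#include <stdio.h>

/* CR4 bit positions from the x86 architecture definition. */
#define CR4_UMIP     (1UL << 11)
#define CR4_FSGSBASE (1UL << 16)
#define CR4_SMEP     (1UL << 20)
#define CR4_SMAP     (1UL << 21)

/* Hypothetical pinning policy; the two masks must not overlap. */
struct cr4_pin_policy {
    unsigned long must_set;    /* bits that must stay 1 */
    unsigned long must_clear;  /* bits that must stay 0 */
};

static unsigned long sim_cr4;  /* stands in for the real register */

unsigned long read_cr4(void) { return sim_cr4; }

/*
 * Model of a pinned CR4 write: store the value, verify it against the
 * policy, and store a corrected value if it violates the policy.
 * Returns the mask of bits that had to be corrected (0 means clean).
 */
unsigned long pinned_write_cr4(const struct cr4_pin_policy *p,
                               unsigned long val)
{
    unsigned long mask = p->must_set | p->must_clear;
    unsigned long fixed = 0;

    for (;;) {
        sim_cr4 = val;  /* models the register write */
        /* 1 where a must-set bit is 0 or a must-clear bit is 1 */
        unsigned long bad = (val & mask) ^ p->must_set;
        if (!bad)
            return fixed;
        fixed |= bad;
        val = (val & ~mask) | p->must_set;  /* force policy bits */
    }
}

int main(void)
{
    struct cr4_pin_policy p = { CR4_SMEP | CR4_SMAP | CR4_UMIP, CR4_FSGSBASE };
    /* Constructed input: caller drops SMAP/UMIP and sets FSGSBASE. */
    unsigned long fixed = pinned_write_cr4(&p, CR4_SMEP | CR4_FSGSBASE);
    printf("cr4=%#lx corrected=%#lx\n", read_cr4(), fixed);
    return 0;
}
```

A nonzero return value is the point at which a real implementation would log a warning, since it means some caller tried to change a pinned bit.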