|
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] Re: [Xen-devel] [kernel-hardening] Re: [PATCH] x86: make IDT read-only
On Tue, Apr 9, 2013 at 2:23 AM, Thomas Gleixner <tglx@xxxxxxxxxxxxx> wrote: > On Mon, 8 Apr 2013, H. Peter Anvin wrote: > >> On 04/08/2013 03:43 PM, Kees Cook wrote: >> > This makes the IDT unconditionally read-only. This primarily removes >> > the IDT from being a target for arbitrary memory write attacks. It has >> > an added benefit of also not leaking (via the "sidt" instruction) the >> > kernel base offset, if it has been relocated. >> > >> > Signed-off-by: Kees Cook <keescook@xxxxxxxxxxxx> >> > Cc: Eric Northup <digitaleric@xxxxxxxxxx> >> >> Also, tglx: does this interfere with your per-cpu IDT efforts? > > I don't think so. And it's on the backburner at the moment. What would be a good way to do something similar for the GDT? sgdt leaks GDT location as well, and even though it's percpu, it should be trivial to figure out a kernel base address, IIUC. $ ./sgdt ffff88001fc04000 # cat /sys/kernel/debug/kernel_page_tables ... ---[ Low Kernel Mapping ]--- ... 0xffff880001e00000-0xffff88001fe00000 480M RW PSE GLB NX pmd With the IDT patch, things look good for sidt: $ ./sidt ffffffffff579000 # cat /sys/kernel/debug/kernel_page_tables ... ---[ End Modules ]--- 0xffffffffff579000-0xffffffffff57a000 4K ro GLB NX pte Can we create a RO fixed per-cpu area? -Kees -- Kees Cook Chrome OS Security _______________________________________________ Xen-devel mailing list Xen-devel@xxxxxxxxxxxxx http://lists.xen.org/xen-devel
|
 |
Lists.xenproject.org is hosted with RackSpace, monitoring our |