Re: [PATCH 4/4] x86,module: Detect CRn and DRn manipulation

[Jan Kiszka]

On 08.04.20 11:13, Peter Zijlstra wrote:
> On Wed, Apr 08, 2020 at 10:51:38AM +0200, Peter Zijlstra wrote:
> > On Wed, Apr 08, 2020 at 07:58:53AM +0200, Jan Kiszka wrote:
> > > On 07.04.20 23:48, Steven Rostedt wrote:
> >
> > > > Hmm, wont this break jailhouse?
> >
> > Breaking it isn't a problem, it's out of tree and it should be fixable.
> >
> > > Yes, possibly. We load the hypervisor binary via request_firmware into
> > > executable memory and then jump into it. So most of the "suspicious" code is
> >
> > W.T.H. does the firmware loader have the ability to give executable
> > memory? We need to kill that too. /me goes find.
>
> AFAICT the firmware loader only provides PAGE_KERNEL_RO, so how do you
> get it executable?

memcpy(ioremapped_exec_region, firmware_image)

We only use the loader for getting the blob, not for running it. It has 
to be put at a location that Linux will lose control over anyway.

> I'm thinking the patches Christoph has lined up will take care of this.

It would make sense from a certain POV...

Jan

--
Siemens AG, Corporate Technology, CT RDA IOT SES-DE
Corporate Competence Center Embedded Linux