Re: [PATCH] KVM: x86: zero IDT limit on entry to SMM

From: Radim KrÄmÃÅ
Date: Mon Aug 10 2015 - 11:31:26 EST

2015-08-07 12:54+0200, Paolo Bonzini:
> The recent BlackHat 2015 presentation "The Memory Sinkhole"
> mentions that the IDT limit is zeroed on entry to SMM.

Slide 64 of

> This is not documented, and must have changed some time after 2010
> (see
> KVM was not doing it, but the fix is easy.

This patch also clears the IDT base. Fetching original IDT is better
done from SMM saved state (and an anti-exploit based on comparing those
two seems unlikely) so it should be fine,

Reviewed-by: Radim KrÄmÃÅ <rkrcmar@xxxxxxxxxx>

> Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
> ---

That takes care of Attack 1.
KVM is likely not vulnerable to attack 2 and 3 because of an emergent
security feature. (A simple modification of kvm-unit-tests show that
mapping APIC base on top of real code/data makes the APIC page hidden
and I expect SMM memslot to behave similarly.)
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at
Please read the FAQ at