Re: [RFC PATCH v2 6/6] x86/entry/pti: don't switch PGD on when pti_disable is set
From: Linus Torvalds
Date: Thu Jan 11 2018 - 13:52:02 EST
On Thu, Jan 11, 2018 at 10:38 AM, Dave Hansen
<dave.hansen@xxxxxxxxxxxxxxx> wrote:
> On 01/11/2018 10:32 AM, Josh Poimboeuf wrote:
>>> hmm. Exposing cr3 to user space will make it trivial for user process
>>> to know whether kpti is active. Not sure how exploitable such
>>> information leak.
>> It's already trivial to detect PTI from user space.
>
> Do tell.
One way to do it is to just run the attack, and see if you get something.
So it's not really "is PTI enabled", but a "is meltdown there". Then
you just use that together with cpuinfo to decide if PTI is enabled.
So I think Josh is 100% right. Detecting PTI on/off is not hard.
But that does *not* mean that %cr3 isn't secret. %cr3 should
definitely never *ever* be accessible to user space.
Linus