Re: [RFC PATCH v2 6/6] x86/entry/pti: don't switch PGD on when pti_disable is set

From: Josh Poimboeuf
Date: Thu Jan 11 2018 - 14:06:17 EST


On Thu, Jan 11, 2018 at 10:57:51AM -0800, Dave Hansen wrote:
> On 01/11/2018 10:51 AM, Linus Torvalds wrote:
> > On Thu, Jan 11, 2018 at 10:38 AM, Dave Hansen
> > <dave.hansen@xxxxxxxxxxxxxxx> wrote:
> >> On 01/11/2018 10:32 AM, Josh Poimboeuf wrote:
> >>>> hmm. Exposing cr3 to user space will make it trivial for user process
> >>>> to know whether kpti is active. Not sure how exploitable such
> >>>> information leak.
> >>> It's already trivial to detect PTI from user space.
> >> Do tell.
> > One way to do it is to just run the attack, and see if you get something.
>
> Not judging how trivial (or not) the attack is, I was hoping for
> something that was *not* the attack itself. :)
>
> I'd love to have a tool that tells you for sure "KPTI enabled or not",
> but I'd also love to have it be something I can easily distribute
> without it being handled like a WMD.

Instead of the meltdown attack, why not just run the KASLR attack, with
prefetches + cache timing?

Something like this (I haven't tested it though):

https://github.com/IAIK/prefetch/blob/master/addrspace/addrspace.c

Andrea also created such a tool, but IIRC, it requires knowing a kernel
address, so it wouldn't work with KASLR. It could probably be extended
to scan kernel space until it finds something.

We could maybe even add such a tool to the kernel tree.

--
Josh