Re: [PATCH RFC v2 4/6] x86: Disable PTI on compatibility mode

From: Linus Torvalds
Date: Thu Feb 15 2018 - 19:43:03 EST


On Thu, Feb 15, 2018 at 4:22 PM, Nadav Amit <nadav.amit@xxxxxxxxx> wrote:
>
> It is not too pretty, I agree, but it should do the work. There is only one
> problematic descriptor that can be used to switch from compatibility-mode to
> long-mode in the GDT (LDT descriptors always have the L-bit cleared).
> Changing the descriptor's present bit on context switch when needed can do
> the work.

Sure, I can see it working, but it's some really shady stuff, and now
the scheduler needs to save/restore/check one more subtle bit.

And if you get it wrong, things will happily work, except you've now
defeated PTI. But you'll never notice, because you won't be testing
for it, and the only people who will are the black hats.

This is exactly the "security depends on it being in sync" thing that
makes me go "eww" about the whole model. Get one thing wrong, and
you'll blow all the PTI code out of the water.

So now you tried to optimize one small case that most people won't
use, but the downside is that you may make all our PTI work (and all
the overhead for all the _normal_ cases) pointless.

Linus
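
An added example, not part of this thread and not kernel code: a check of the invariant under discussion, that no present code descriptor with the L-bit set is usable from ring 3 while a task is meant to be confined to compatibility mode. The descriptor values are constructed flat-segment samples and the function names are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Bit positions in an 8-byte x86 segment descriptor. */
#define DESC_CONFORMING (1ULL << 42)   /* type bit 2, code segments only */
#define DESC_EXEC       (1ULL << 43)   /* type bit 3: code segment */
#define DESC_S          (1ULL << 44)   /* 1 = code/data, 0 = system */
#define DESC_DPL(d)     (((d) >> 45) & 3)
#define DESC_P          (1ULL << 47)   /* present */
#define DESC_L          (1ULL << 53)   /* 64-bit code segment */

/* 1 if ring 3 could load this descriptor into CS and enter long mode. */
static int long_mode_entry(uint64_t d)
{
    if (!(d & DESC_P) || !(d & DESC_S) || !(d & DESC_EXEC) || !(d & DESC_L))
        return 0;
    /* Non-conforming code needs DPL == CPL; conforming needs DPL <= CPL. */
    return (d & DESC_CONFORMING) || DESC_DPL(d) == 3;
}

size_t count_long_mode_entries(const uint64_t *gdt, size_t n)
{
    size_t hits = 0;
    for (size_t i = 0; i < n; i++)
        hits += (size_t)long_mode_entry(gdt[i]);
    return hits;
}

/* Constructed sample table, not a dump of any real GDT. */
static const uint64_t sample_gdt[] = {
    0x0000000000000000ULL,   /* null descriptor */
    0x00af9b000000ffffULL,   /* ring-0 64-bit code (L=1, DPL=0) */
    0x00cffb000000ffffULL,   /* ring-3 32-bit code (L=0) */
    0x00cff3000000ffffULL,   /* ring-3 data */
    0x00affb000000ffffULL,   /* ring-3 64-bit code (L=1, DPL=3) */
};
#define SAMPLE_LEN (sizeof(sample_gdt) / sizeof(sample_gdt[0]))

/* Count entries in the sample, optionally with P cleared on the last one. */
size_t sample_hits(int clear_present)
{
    uint64_t gdt[SAMPLE_LEN];
    for (size_t i = 0; i < SAMPLE_LEN; i++)
        gdt[i] = sample_gdt[i];
    if (clear_present)
        gdt[SAMPLE_LEN - 1] &= ~DESC_P;
    return count_long_mode_entries(gdt, SAMPLE_LEN);
}

int main(void)
{
    printf("P set: %zu, P cleared: %zu\n", sample_hits(0), sample_hits(1));
    return 0;
}
```

A nonzero count for a task that is supposed to be restricted to compatibility mode is the out-of-sync state that would otherwise go unnoticed.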