Re: [PATCH] x86/msr: Filter MSR writes
From: Borislav Petkov
Date: Wed Nov 18 2020 - 12:51:22 EST
On Wed, Nov 18, 2020 at 03:04:27PM +0100, Mathieu Chouquet-Stringer wrote:
> TAINT_CPU_OUT_OF_SPEC now means what it says. Historically it was for
> SMP kernel oops on an officially SMP incapable processor but now it also
> covers CPUs whose MSRs have been incorrectly poked at. Update
> documentation and script to reflect that.
>
> Signed-off-by: Mathieu Chouquet-Stringer <me@mathieu.digital>
> ---
> Documentation/admin-guide/tainted-kernels.rst | 11 ++++++-----
> tools/debugging/kernel-chktaint | 2 +-
> 2 files changed, 7 insertions(+), 6 deletions(-)
Please fix the text in Documentation/admin-guide/sysctl/kernel.rst also.
> diff --git a/Documentation/admin-guide/tainted-kernels.rst b/Documentation/admin-guide/tainted-kernels.rst
> index f718a2eaf1f6..95f432c43ba0 100644
> --- a/Documentation/admin-guide/tainted-kernels.rst
> +++ b/Documentation/admin-guide/tainted-kernels.rst
> @@ -84,7 +84,7 @@ Bit Log Number Reason that got the kernel tainted
> === === ====== ========================================================
> 0 G/P 1 proprietary module was loaded
> 1 _/F 2 module was force loaded
> - 2 _/S 4 SMP kernel oops on an officially SMP incapable processor
> + 2 _/S 4 kernel running on out of spec processor
> 3 _/R 8 module was force unloaded
> 4 _/M 16 processor reported a Machine Check Exception (MCE)
> 5 _/B 32 bad page referenced or some unexpected page flags
> @@ -116,10 +116,11 @@ More detailed explanation for tainting
> 1) ``F`` if any module was force loaded by ``insmod -f``, ``' '`` if all
> modules were loaded normally.
>
> - 2) ``S`` if the oops occurred on an SMP kernel running on hardware that
> - hasn't been certified as safe to run multiprocessor.
> - Currently this occurs only on various Athlons that are not
> - SMP capable.
> + 2) ``S`` if the kernel is running on any processor that is out of
> + specifications (writing to MSRs will trigger this behavior).
People might wonder what "out of specifications" means. I'd say
something along the lines of "the CPU has been put into a not supported
configuration, therefore proper execution cannot be guaranteed". Grep
the tree for TAINT_CPU_OUT_OF_SPEC to see when this gets set, might give
you a better idea of what to say.
> + Historically, it could also be if an oops occured on a kernel running on
> + hardware that hasn't been certified as safe to run multiprocessor, such
> + as various Athlons that are not SMP capable.
And here you can expand on the examples by saying that poking at random
MSRs from userspace is one possible way to mis-configure it.
> 3) ``R`` if a module was force unloaded by ``rmmod -f``, ``' '`` if all
> modules were unloaded normally.
> diff --git a/tools/debugging/kernel-chktaint b/tools/debugging/kernel-chktaint
> index 2240cb56e6e5..0b9d93e27910 100755
> --- a/tools/debugging/kernel-chktaint
> +++ b/tools/debugging/kernel-chktaint
> @@ -72,7 +72,7 @@ if [ `expr $T % 2` -eq 0 ]; then
> addout " "
> else
> addout "S"
> - echo " * SMP kernel oops on an officially SMP incapable processor (#2)"
> + echo " * kernel running on out of spec processor (#2)"
Yeah, can you think of a better formulation than "out of spec
processor"?
The CPU is fine, only its current configuration is not.
Thx.
--
Regards/Gruss,
Boris.
https://people.kernel.org/tglx/notes-about-netiquette