[PATCH 4/8] x86/coco: Disable 32-bit emulation by default on TDX and SEV

Yuxuan Luo yuxuan.luo at canonical.com
Mon Aug 26 15:01:21 UTC 2024 

From: "Kirill A. Shutemov" <kirill.shutemov at linux.intel.com>

The INT 0x80 instruction is used for 32-bit x86 Linux syscalls. The
kernel expects to receive a software interrupt as a result of the INT
0x80 instruction. However, an external interrupt on the same vector
triggers the same handler.

The kernel interprets an external interrupt on vector 0x80 as a 32-bit
system call that came from userspace.

A VMM can inject external interrupts on any arbitrary vector at any
time.  This remains true even for TDX and SEV guests where the VMM is
untrusted.

Put together, this allows an untrusted VMM to trigger int80 syscall
handling at any given point. The content of the guest register file at
that moment defines what syscall is triggered and its arguments. It
opens the guest OS to manipulation from the VMM side.

Disable 32-bit emulation by default for TDX and SEV. User can override
it with the ia32_emulation=y command line option.

[ dhansen: reword the changelog ]

Reported-by: Supraja Sridhara <supraja.sridhara at inf.ethz.ch>
Reported-by: Benedict Schlüter <benedict.schlueter at inf.ethz.ch>
Reported-by: Mark Kuhne <mark.kuhne at inf.ethz.ch>
Reported-by: Andrin Bertschi <andrin.bertschi at inf.ethz.ch>
Reported-by: Shweta Shinde <shweta.shinde at inf.ethz.ch>
Signed-off-by: Kirill A. Shutemov <kirill.shutemov at linux.intel.com>
Signed-off-by: Dave Hansen <dave.hansen at linux.intel.com>
Reviewed-by: Thomas Gleixner <tglx at linutronix.de>
Reviewed-by: Borislav Petkov (AMD) <bp at alien8.de>
Cc: <stable at vger.kernel.org> # v6.0+: 1da5c9b x86: Introduce ia32_enabled()
Cc: <stable at vger.kernel.org> # v6.0+
(backported from commit b82a8dbd3d2f4563156f7150c6f2ecab6e960b30)
[yuxuan.luo:
- mem_encrypt_amd.c:
  - two trivial conflicts are hard to solve, ignore them and apply the
    fix.

- tdx.c:
  - Drop the change since TDX is not supported in the tree.
]
CVE-2024-25744
Signed-off-by: Yuxuan Luo <yuxuan.luo at canonical.com>
---
 arch/x86/include/asm/ia32.h   |  7 +++++++
 arch/x86/mm/mem_encrypt_amd.c | 11 +++++++++++
 2 files changed, 18 insertions(+)

diff --git a/arch/x86/include/asm/ia32.h b/arch/x86/include/asm/ia32.h
index 5a2ae24b1204f..9805629479d96 100644
--- a/arch/x86/include/asm/ia32.h
+++ b/arch/x86/include/asm/ia32.h
@@ -75,6 +75,11 @@ static inline bool ia32_enabled(void)
 	return __ia32_enabled;
 }
 
+static inline void ia32_disable(void)
+{
+	__ia32_enabled = false;
+}
+
 #else /* !CONFIG_IA32_EMULATION */
 
 static inline bool ia32_enabled(void)
@@ -82,6 +87,8 @@ static inline bool ia32_enabled(void)
 	return IS_ENABLED(CONFIG_X86_32);
 }
 
+static inline void ia32_disable(void) {}
+
 #endif
 
 #endif /* _ASM_X86_IA32_H */
diff --git a/arch/x86/mm/mem_encrypt_amd.c b/arch/x86/mm/mem_encrypt_amd.c
index e29b1418d00c7..20a96183ae7ec 100644
--- a/arch/x86/mm/mem_encrypt_amd.c
+++ b/arch/x86/mm/mem_encrypt_amd.c
@@ -31,6 +31,7 @@
 #include <asm/processor-flags.h>
 #include <asm/msr.h>
 #include <asm/cmdline.h>
+#include <asm/ia32.h>
 
 #include "mm_internal.h"
 
@@ -196,6 +197,16 @@ void __init sme_early_init(void)
 
 	if (sev_active())
 		swiotlb_force = SWIOTLB_FORCE;
+
+	/*
+	 * The VMM is capable of injecting interrupt 0x80 and triggering the
+	 * compatibility syscall path.
+	 *
+	 * By default, the 32-bit emulation is disabled in order to ensure
+	 * the safety of the VM.
+	 */
+	if (sev_status & MSR_AMD64_SEV_ENABLED)
+		ia32_disable();
 }
 
 void __init sev_setup_arch(void)
-- 
2.34.1

More information about the kernel-team mailing list