On Thu, Jan 11, 2018 at 10:38 AM, Dave Hansen
<[email protected]> wrote:
> On 01/11/2018 10:32 AM, Josh Poimboeuf wrote:
>>> hmm. Exposing cr3 to user space will make it trivial for a user process
>>> to know whether kpti is active. Not sure how exploitable such an
>>> information leak is.
>> It's already trivial to detect PTI from user space.
>
> Do tell.

One way to do it is to just run the attack, and see if you get something.

So it's not really "is PTI enabled", but a "is meltdown there". Then
you just use that together with cpuinfo to decide if PTI is enabled.

So I think Josh is 100% right. Detecting PTI on/off is not hard.

But that does *not* mean that %cr3 isn't secret. %cr3 should
definitely never *ever* be accessible to user space.

             Linus