Re: [PATCH 2/4] KVM: x86: Introduce paravirt feature CR0/CR4 pinning
On Tue, Jul 14, 2020 at 09:41:29PM -0700, Sean Christopherson wrote:
> On Tue, Jul 14, 2020 at 05:39:30AM +, Andersen, John wrote:
> > With regards to FSGSBASE, are we open to validating and adding that to the
> > DEFAULT set as a part of a separate patchset? This patchset is focused on
> > replicating the functionality we already have natively.
>
> Kees added FSGSBASE pinning in commit a13b9d0b97211 ("x86/cpu: Use pinning
> mask for CR4 bits needing to be 0"), so I believe it's a done deal already.
Ah my bad. Thanks, I'll look into it.
Re: [PATCH 2/4] KVM: x86: Introduce paravirt feature CR0/CR4 pinning
On Tue, Jul 14, 2020 at 05:39:30AM +, Andersen, John wrote:
> With regards to FSGSBASE, are we open to validating and adding that to the
> DEFAULT set as a part of a separate patchset? This patchset is focused on
> replicating the functionality we already have natively.
Kees added FSGSBASE pinning in commit a13b9d0b97211 ("x86/cpu: Use pinning
mask for CR4 bits needing to be 0"), so I believe it's a done deal already.
Re: [PATCH 2/4] KVM: x86: Introduce paravirt feature CR0/CR4 pinning
On Thu, Jul 09, 2020 at 09:27:43AM -0700, Andy Lutomirski wrote: > On Thu, Jul 9, 2020 at 9:22 AM Dave Hansen wrote: > > > > On 7/9/20 9:07 AM, Andy Lutomirski wrote: > > > On Thu, Jul 9, 2020 at 8:56 AM Dave Hansen wrote: > > >> On 7/9/20 8:44 AM, Andersen, John wrote: > > >>> Bits which are allowed to be pinned default to WP for CR0 and > > >>> SMEP, > > >>> SMAP, and UMIP for CR4. > > >> I think it also makes sense to have FSGSBASE in this set. > > >> > > >> I know it hasn't been tested, but I think we should do the legwork to > > >> test it. If not in this set, can we agree that it's a logical next step? > > > I have no objection to pinning FSGSBASE, but is there a clear > > > description of the threat model that this whole series is meant to > > > address? The idea is to provide a degree of protection against an > > > attacker who is able to convince a guest kernel to write something > > > inappropriate to CR4, right? How realistic is this? > > > > If a quick search can find this: > > > > > https://googleprojectzero.blogspot.com/2017/05/exploiting-linux-kernel-via-packet.html > > > > I'd pretty confident that the guys doing actual bad things have it in > > their toolbox too. > > > > True, but we have the existing software CR4 pinning. I suppose the > virtualization version is stronger. > Yes, as Kees said this will be stronger because it stops ROP and other gadget based techniques which avoid the use of native_write_cr0/4(). With regards to what should be done in this patchset and what in other patchsets. I have a fix for kexec thanks to Arvind's note about TRAMPOLINE_32BIT_CODE_SIZE. The physical host boots fine now and the virtual one can kexec fine. What remains to be done on that front is to add some identifying information to the kernel image to declare that it supports paravirtualized control register pinning or not. Liran suggested adding a section to the built image acting as a flag to signify support for being kexec'd by a kernel with pinning enabled. If anyone has any opinions on how they'd like to see this implemented please let me know. Otherwise I'll just take a stab at it and you'll all see it hopefully in the next version. With regards to FSGSBASE, are we open to validating and adding that to the DEFAULT set as a part of a separate patchset? This patchset is focused on replicating the functionality we already have natively. (If anyone got this email twice, sorry I messed up the From: field the first time around)
Re: [PATCH 2/4] KVM: x86: Introduce paravirt feature CR0/CR4 pinning
On Thu, Jul 09, 2020 at 09:27:43AM -0700, Andy Lutomirski wrote: > On Thu, Jul 9, 2020 at 9:22 AM Dave Hansen wrote: > > > > On 7/9/20 9:07 AM, Andy Lutomirski wrote: > > > On Thu, Jul 9, 2020 at 8:56 AM Dave Hansen wrote: > > >> On 7/9/20 8:44 AM, Andersen, John wrote: > > >>> Bits which are allowed to be pinned default to WP for CR0 and > > >>> SMEP, > > >>> SMAP, and UMIP for CR4. > > >> I think it also makes sense to have FSGSBASE in this set. > > >> > > >> I know it hasn't been tested, but I think we should do the legwork to > > >> test it. If not in this set, can we agree that it's a logical next step? > > > I have no objection to pinning FSGSBASE, but is there a clear > > > description of the threat model that this whole series is meant to > > > address? The idea is to provide a degree of protection against an > > > attacker who is able to convince a guest kernel to write something > > > inappropriate to CR4, right? How realistic is this? > > > > If a quick search can find this: > > > > > https://googleprojectzero.blogspot.com/2017/05/exploiting-linux-kernel-via-packet.html > > > > I'd pretty confident that the guys doing actual bad things have it in > > their toolbox too. > > > > True, but we have the existing software CR4 pinning. I suppose the > virtualization version is stronger. > Yes, as Kees said this will be stronger because it stops ROP and other gadget based techniques which avoid the use of native_write_cr0/4(). With regards to what should be done in this patchset and what in other patchsets. I have a fix for kexec thanks to Arvind's note about TRAMPOLINE_32BIT_CODE_SIZE. The physical host boots fine now and the virtual one can kexec fine. What remains to be done on that front is to add some identifying information to the kernel image to declare that it supports paravirtualized control register pinning or not. Liran suggested adding a section to the built image acting as a flag to signify support for being kexec'd by a kernel with pinning enabled. If anyone has any opinions on how they'd like to see this implemented please let me know. Otherwise I'll just take a stab at it and you'll all see it hopefully in the next version. With regards to FSGSBASE, are we open to validating and adding that to the DEFAULT set as a part of a separate patchset? This patchset is focused on replicating the functionality we already have natively.
Re: [PATCH 2/4] KVM: x86: Introduce paravirt feature CR0/CR4 pinning
On Thu, Jul 09, 2020 at 09:22:09AM -0700, Dave Hansen wrote: > On 7/9/20 9:07 AM, Andy Lutomirski wrote: > > On Thu, Jul 9, 2020 at 8:56 AM Dave Hansen wrote: > >> On 7/9/20 8:44 AM, Andersen, John wrote: > >>> Bits which are allowed to be pinned default to WP for CR0 and > >>> SMEP, > >>> SMAP, and UMIP for CR4. > >> I think it also makes sense to have FSGSBASE in this set. > >> > >> I know it hasn't been tested, but I think we should do the legwork to > >> test it. If not in this set, can we agree that it's a logical next step? > > I have no objection to pinning FSGSBASE, but is there a clear > > description of the threat model that this whole series is meant to > > address? The idea is to provide a degree of protection against an > > attacker who is able to convince a guest kernel to write something > > inappropriate to CR4, right? How realistic is this? > > If a quick search can find this: > > > https://googleprojectzero.blogspot.com/2017/05/exploiting-linux-kernel-via-packet.html > > I'd pretty confident that the guys doing actual bad things have it in > their toolbox too. Right, it's common (see my commit log in 873d50d58f67), and having this enforced by the hypervisor is WAY better since it'll block gadgets or ROP. -- Kees Cook
Re: [PATCH 2/4] KVM: x86: Introduce paravirt feature CR0/CR4 pinning
On 7/9/20 9:07 AM, Andy Lutomirski wrote: > On Thu, Jul 9, 2020 at 8:56 AM Dave Hansen wrote: >> On 7/9/20 8:44 AM, Andersen, John wrote: >>> Bits which are allowed to be pinned default to WP for CR0 and SMEP, >>> SMAP, and UMIP for CR4. >> I think it also makes sense to have FSGSBASE in this set. >> >> I know it hasn't been tested, but I think we should do the legwork to >> test it. If not in this set, can we agree that it's a logical next step? > I have no objection to pinning FSGSBASE, but is there a clear > description of the threat model that this whole series is meant to > address? The idea is to provide a degree of protection against an > attacker who is able to convince a guest kernel to write something > inappropriate to CR4, right? How realistic is this? If a quick search can find this: > https://googleprojectzero.blogspot.com/2017/05/exploiting-linux-kernel-via-packet.html I'd pretty confident that the guys doing actual bad things have it in their toolbox too.
Re: [PATCH 2/4] KVM: x86: Introduce paravirt feature CR0/CR4 pinning
On 7/9/20 8:44 AM, Andersen, John wrote: > > Bits which are allowed to be pinned default to WP for CR0 and SMEP, > SMAP, and UMIP for CR4. I think it also makes sense to have FSGSBASE in this set. I know it hasn't been tested, but I think we should do the legwork to test it. If not in this set, can we agree that it's a logical next step?
Re: [PATCH 2/4] KVM: x86: Introduce paravirt feature CR0/CR4 pinning
On Tue, Jul 07, 2020 at 11:51:54PM +0200, Paolo Bonzini wrote: > On 07/07/20 23:48, Dave Hansen wrote: > > On 7/7/20 2:12 PM, Sean Christopherson wrote: > > Let's say Intel loses its marbles and adds a CR4 bit that lets userspace > > write to kernel memory. Linux won't set it, but an attacker would go > > after it, first thing. > >> That's an orthogonal to pinning. KVM never lets the guest set CR4 bits > >> that > >> are unknown to KVM. Supporting CR4.NO_MARBLES would require an explicit > >> KVM > >> change to allow it to be set by the guest, and would also require a > >> userspace > >> VMM to expose NO_MARBLES to the guest. > >> > >> That being said, this series should supporting pinning as much as possible, > >> i.e. if the bit can be exposed to the guest and doesn't require special > >> handling in KVM, allow it to be pinned. E.g. TS is a special case because > >> pinning would require additional emulator support and IMO isn't interesting > >> enough to justify the extra complexity. At a glance, I don't see anything > >> that would prevent pinning FSGSBASE. > > > > Thanks for filling in the KVM picture. > > > > If we're supporting as much pinning as possible, can we also add > > something to make it inconvenient for someone to both make a CR4 bit > > known to KVM *and* ignore the pinning aspects? > > > > We should really make folks think about it. Something like: > > > > #define KVM_CR4_KNOWN 0xff > > #define KVM_CR4_PIN_ALLOWED 0xf0 > > #define KVM_CR4_PIN_NOT_ALLOWED 0x0f > > > > BUILD_BUG_ON(KVM_CR4_KNOWN != > > (KVM_CR4_PIN_ALLOWED|KVM_CR4_PIN_NOT_ALLOWED)); > > > > So someone *MUST* make an active declaration about new bits being pinned > > or not? > > I would just make all unknown bits pinnable (or perhaps all CR4 bits in > general). > Sounds good. I'll make it this way in the next revision. I'll do the same for CR0 (unless I hear otherwise). I've added the last paragraph here under the ALLOWED MSRs data section. data: Bits which may be pinned. Attempting to pin bits other than these will result in a failure when writing to the respective CR pinned MSR. Bits which are allowed to be pinned default to WP for CR0 and SMEP, SMAP, and UMIP for CR4. The host VMM may modify the set of allowed bits. However, only the above have been tested to work. Allowing the guest to pin other bits may or may not be compatible with KVM.
Re: [PATCH 2/4] KVM: x86: Introduce paravirt feature CR0/CR4 pinning
On 07/07/20 23:48, Dave Hansen wrote: > On 7/7/20 2:12 PM, Sean Christopherson wrote: > Let's say Intel loses its marbles and adds a CR4 bit that lets userspace > write to kernel memory. Linux won't set it, but an attacker would go > after it, first thing. >> That's an orthogonal to pinning. KVM never lets the guest set CR4 bits that >> are unknown to KVM. Supporting CR4.NO_MARBLES would require an explicit KVM >> change to allow it to be set by the guest, and would also require a userspace >> VMM to expose NO_MARBLES to the guest. >> >> That being said, this series should supporting pinning as much as possible, >> i.e. if the bit can be exposed to the guest and doesn't require special >> handling in KVM, allow it to be pinned. E.g. TS is a special case because >> pinning would require additional emulator support and IMO isn't interesting >> enough to justify the extra complexity. At a glance, I don't see anything >> that would prevent pinning FSGSBASE. > > Thanks for filling in the KVM picture. > > If we're supporting as much pinning as possible, can we also add > something to make it inconvenient for someone to both make a CR4 bit > known to KVM *and* ignore the pinning aspects? > > We should really make folks think about it. Something like: > > #define KVM_CR4_KNOWN 0xff > #define KVM_CR4_PIN_ALLOWED 0xf0 > #define KVM_CR4_PIN_NOT_ALLOWED 0x0f > > BUILD_BUG_ON(KVM_CR4_KNOWN != > (KVM_CR4_PIN_ALLOWED|KVM_CR4_PIN_NOT_ALLOWED)); > > So someone *MUST* make an active declaration about new bits being pinned > or not? I would just make all unknown bits pinnable (or perhaps all CR4 bits in general). Paolo
Re: [PATCH 2/4] KVM: x86: Introduce paravirt feature CR0/CR4 pinning
On 7/7/20 2:12 PM, Sean Christopherson wrote: Let's say Intel loses its marbles and adds a CR4 bit that lets userspace write to kernel memory. Linux won't set it, but an attacker would go after it, first thing. > That's an orthogonal to pinning. KVM never lets the guest set CR4 bits that > are unknown to KVM. Supporting CR4.NO_MARBLES would require an explicit KVM > change to allow it to be set by the guest, and would also require a userspace > VMM to expose NO_MARBLES to the guest. > > That being said, this series should supporting pinning as much as possible, > i.e. if the bit can be exposed to the guest and doesn't require special > handling in KVM, allow it to be pinned. E.g. TS is a special case because > pinning would require additional emulator support and IMO isn't interesting > enough to justify the extra complexity. At a glance, I don't see anything > that would prevent pinning FSGSBASE. Thanks for filling in the KVM picture. If we're supporting as much pinning as possible, can we also add something to make it inconvenient for someone to both make a CR4 bit known to KVM *and* ignore the pinning aspects? We should really make folks think about it. Something like: #define KVM_CR4_KNOWN 0xff #define KVM_CR4_PIN_ALLOWED 0xf0 #define KVM_CR4_PIN_NOT_ALLOWED 0x0f BUILD_BUG_ON(KVM_CR4_KNOWN != (KVM_CR4_PIN_ALLOWED|KVM_CR4_PIN_NOT_ALLOWED)); So someone *MUST* make an active declaration about new bits being pinned or not?
Re: [PATCH 2/4] KVM: x86: Introduce paravirt feature CR0/CR4 pinning
On Thu, Jun 18, 2020 at 07:51:10AM -0700, Dave Hansen wrote: > On 6/18/20 7:43 AM, Andersen, John wrote: > > On Thu, Jun 18, 2020 at 07:18:09AM -0700, Dave Hansen wrote: > >> On 6/17/20 12:07 PM, John Andersen wrote: > >>> +#define KVM_CR0_PIN_ALLOWED (X86_CR0_WP) > >>> +#define KVM_CR4_PIN_ALLOWED (X86_CR4_SMEP | X86_CR4_SMAP | > >>> X86_CR4_UMIP) > >> > >> Why *is* there an allowed set? Why don't we just allow everything? > >> > >> Shouldn't we also pin any unknown bits? The CR4.FSGSBASE bit is an > >> example of something that showed up CPUs without Linux knowing about it. > >> If set, it causes problems. This set couldn't have helped FSGSBASE > >> because it is not in the allowed set. > >> > >> Let's say Intel loses its marbles and adds a CR4 bit that lets userspace > >> write to kernel memory. Linux won't set it, but an attacker would go > >> after it, first thing. That's an orthogonal to pinning. KVM never lets the guest set CR4 bits that are unknown to KVM. Supporting CR4.NO_MARBLES would require an explicit KVM change to allow it to be set by the guest, and would also require a userspace VMM to expose NO_MARBLES to the guest. That being said, this series should supporting pinning as much as possible, i.e. if the bit can be exposed to the guest and doesn't require special handling in KVM, allow it to be pinned. E.g. TS is a special case because pinning would require additional emulator support and IMO isn't interesting enough to justify the extra complexity. At a glance, I don't see anything that would prevent pinning FSGSBASE.
Re: [PATCH 2/4] KVM: x86: Introduce paravirt feature CR0/CR4 pinning
On 6/18/20 7:43 AM, Andersen, John wrote: > On Thu, Jun 18, 2020 at 07:18:09AM -0700, Dave Hansen wrote: >> On 6/17/20 12:07 PM, John Andersen wrote: >>> +#define KVM_CR0_PIN_ALLOWED(X86_CR0_WP) >>> +#define KVM_CR4_PIN_ALLOWED(X86_CR4_SMEP | X86_CR4_SMAP | >>> X86_CR4_UMIP) >> >> Why *is* there an allowed set? Why don't we just allow everything? >> >> Shouldn't we also pin any unknown bits? The CR4.FSGSBASE bit is an >> example of something that showed up CPUs without Linux knowing about it. >> If set, it causes problems. This set couldn't have helped FSGSBASE >> because it is not in the allowed set. >> >> Let's say Intel loses its marbles and adds a CR4 bit that lets userspace >> write to kernel memory. Linux won't set it, but an attacker would go >> after it, first thing. > > The allowed set came about because there were comments from internal review > where it was said that allowing the guest to pin TS and MP adds unnecessary > complexity. That would have been a great design point to include in the changelog. Could you make sure it shows up in future versions. > Also because KVM always intercepts these bits via the CR0/4_GUEST_HOST_MASK. > If > we allow setting of any bits, then we have to add some infrastructure for > modifying the mask when pinned bits are updated. I have a patch for that if we > want to go that route, but it doesn't account for the added complexity > mentioned above. Well, we have a current, known issue (FSGSBASE) which shows how dealing with guest-unknown bits is required. To me, that overrules complexity arguments to a large degree.
Re: [PATCH 2/4] KVM: x86: Introduce paravirt feature CR0/CR4 pinning
On Thu, Jun 18, 2020 at 07:18:09AM -0700, Dave Hansen wrote: > On 6/17/20 12:07 PM, John Andersen wrote: > > +#define KVM_CR0_PIN_ALLOWED(X86_CR0_WP) > > +#define KVM_CR4_PIN_ALLOWED(X86_CR4_SMEP | X86_CR4_SMAP | > > X86_CR4_UMIP) > > Why *is* there an allowed set? Why don't we just allow everything? > > Shouldn't we also pin any unknown bits? The CR4.FSGSBASE bit is an > example of something that showed up CPUs without Linux knowing about it. > If set, it causes problems. This set couldn't have helped FSGSBASE > because it is not in the allowed set. > > Let's say Intel loses its marbles and adds a CR4 bit that lets userspace > write to kernel memory. Linux won't set it, but an attacker would go > after it, first thing. The allowed set came about because there were comments from internal review where it was said that allowing the guest to pin TS and MP adds unnecessary complexity. Also because KVM always intercepts these bits via the CR0/4_GUEST_HOST_MASK. If we allow setting of any bits, then we have to add some infrastructure for modifying the mask when pinned bits are updated. I have a patch for that if we want to go that route, but it doesn't account for the added complexity mentioned above.
Re: [PATCH 2/4] KVM: x86: Introduce paravirt feature CR0/CR4 pinning
On 6/17/20 12:07 PM, John Andersen wrote: > +#define KVM_CR0_PIN_ALLOWED (X86_CR0_WP) > +#define KVM_CR4_PIN_ALLOWED (X86_CR4_SMEP | X86_CR4_SMAP | X86_CR4_UMIP) Why *is* there an allowed set? Why don't we just allow everything? Shouldn't we also pin any unknown bits? The CR4.FSGSBASE bit is an example of something that showed up CPUs without Linux knowing about it. If set, it causes problems. This set couldn't have helped FSGSBASE because it is not in the allowed set. Let's say Intel loses its marbles and adds a CR4 bit that lets userspace write to kernel memory. Linux won't set it, but an attacker would go after it, first thing.
[PATCH 2/4] KVM: x86: Introduce paravirt feature CR0/CR4 pinning
Add a CR pin feature bit to the KVM cpuid. Add read only MSRs to KVM which guests use to identify which bits they may request be pinned. Add CR pinned MSRs to KVM. Allow guests to request that KVM pin certain bits within control register 0 or 4 via the CR pinned MSRs. Writes to the MSRs fail if they include bits which aren't allowed. Host userspace may clear or modify pinned bits at any time. Once pinned bits are set, the guest may pin additional allowed bits, but not clear any. Clear pinning on vCPU reset. In the event that the guest vCPU attempts to disable any of the pinned bits, send that vCPU a general protection fault, and leave the register unchanged. Clear pinning on vCPU reset to avoid faulting non-boot CPUs when they are disabled and then re-enabled, which is done when hibernating. Pinning is not active when running in SMM. Entering SMM disables pinned bits. Writes to control registers within SMM would therefore trigger general protection faults if pinning was enforced. Upon exit from SMM, SMRAM is modified to ensure the values of CR0/4 that will be restored contain the correct values for pinned bits. CR0/4 values are then restored from SMRAM as usual. When running with nested virtualization, should pinned bits be cleared from host VMCS / VMCB, on VM-Exit, they will be silently restored. Should userspace expose the CR pinning CPUID feature bit, it must zero CR pinned MSRs on reboot. If it does not, it runs the risk of having the guest enable pinning and subsequently cause general protection faults on next boot due to early boot code setting control registers to values which do not contain the pinned bits. Userspace is responsible for migrating the contents of the CR* pinned MSRs. If userspace fails to migrate the MSRs the protection will no longer be active. Pinning of sensitive CR bits has already been implemented to protect against exploits directly calling native_write_cr*(). The current protection cannot stop ROP attacks which jump directly to a MOV CR instruction. https://web.archive.org/web/20171029060939/http://www.blackbunny.io/linux-kernel-x86-64-bypass-smep-kaslr-kptr_restric/ Guests running with paravirtualized CR pinning can now be protected against the use of ROP to disable CR bits. The same bits that are being pinned natively may be pinned via the CR pinned MSRs. These bits are WP in CR0, and SMEP, SMAP, and UMIP in CR4. Other hypervisors such as HyperV have implemented similar protections for Control Registers and MSRs; which security researchers have found effective. https://www.abatchy.com/2018/01/kernel-exploitation-4 Future work could implement similar MSRs to protect bits elsewhere, such as MSRs. The NXE bit of the EFER MSR is a prime candidate. Changes for QEMU are required to expose the CR pin cpuid feature bit. As well as clear the MSRs on reboot and enable migration. https://github.com/qemu/qemu/commit/1b26f03653669c97dd8729f9f59be561d68e2b2d https://github.com/qemu/qemu/commit/3af36d57457892c3088ee88de759d4f258c159a7 Signed-off-by: John Andersen --- Documentation/virt/kvm/msr.rst | 53 ++ arch/x86/include/asm/kvm_host.h | 7 ++ arch/x86/include/uapi/asm/kvm_para.h | 7 ++ arch/x86/kvm/cpuid.c | 3 +- arch/x86/kvm/emulate.c | 3 +- arch/x86/kvm/kvm_emulate.h | 2 +- arch/x86/kvm/svm/nested.c| 11 ++- arch/x86/kvm/vmx/nested.c| 10 ++- arch/x86/kvm/x86.c | 106 ++- 9 files changed, 193 insertions(+), 9 deletions(-) diff --git a/Documentation/virt/kvm/msr.rst b/Documentation/virt/kvm/msr.rst index e37a14c323d2..9fa43c4a5895 100644 --- a/Documentation/virt/kvm/msr.rst +++ b/Documentation/virt/kvm/msr.rst @@ -376,3 +376,56 @@ data: write '1' to bit 0 of the MSR, this causes the host to re-scan its queue and check if there are more notifications pending. The MSR is available if KVM_FEATURE_ASYNC_PF_INT is present in CPUID. + +MSR_KVM_CR0_PIN_ALLOWED: + 0x4b564d08 +MSR_KVM_CR4_PIN_ALLOWED: + 0x4b564d09 + + Read only registers informing the guest which bits may be pinned for + each control register respectively via the CR pinned MSRs. + +data: + Bits which may be pinned. + + Attempting to pin bits other than these will result in a failure when + writing to the respective CR pinned MSR. + + Bits which are allowed to be pinned are WP for CR0 and SMEP, SMAP, and + UMIP for CR4. + +MSR_KVM_CR0_PINNED_LOW: + 0x4b564d0a +MSR_KVM_CR0_PINNED_HIGH: + 0x4b564d0b +MSR_KVM_CR4_PINNED_LOW: + 0x4b564d0c +MSR_KVM_CR4_PINNED_HIGH: + 0x4b564d0d + + Used to configure pinned bits in control registers + +data: + Bits to be pinned. + + Fails if data contains bits which are not allowed to be pinned. Or if + attempting to pin bits high that are already pinned low, or vice versa. + Bits which are allowed to be pinned
