Date:      Sun, 29 Oct 2017 21:45:28 +0000
From:      bugzilla-noreply@freebsd.org
To:        freebsd-virtualization@FreeBSD.org
Subject:   [Bug 218662] bhyve exposes CPU feature SDBG to guests, causing guest panic on OpenBSD 6.1
Message-ID:  <bug-218662-27103-bBPYZOJblT@https.bugs.freebsd.org/bugzilla/>
In-Reply-To: <bug-218662-27103@https.bugs.freebsd.org/bugzilla/>
References:  <bug-218662-27103@https.bugs.freebsd.org/bugzilla/>


https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=218662

Brandon Bergren <freebsd@bdragon.rtk0.net> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |freebsd@bdragon.rtk0.net

--- Comment #2 from Brandon Bergren <freebsd@bdragon.rtk0.net> ---
Created attachment 187571
  --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=187571&action=edit
VMM patch (from HardenedBSD)

This affects me too.

HardenedBSD has the most elegant fix at
https://github.com/HardenedBSD/hardenedBSD/commit/e76fcb77ba82649bc6aed808af06d6d2184847d8
-- I have attached a copy of the patch. I can confirm that with just that patch
I can successfully run OpenBSD 6.1 in bhyve on my machine that is otherwise
affected by this problem.

I believe it makes a lot more sense than emulating the MSR (i.e. what
https://github.com/HardenedBSD/hardenedBSD/commit/cc91b57f4d1dabddfbf8b1e7655
does.)

My SuperMicro C7Z170-OCE board actually has BIOS options for enabling and
disabling the silicon debug status and lock bit, so if I were to misconfigure
my BIOS, the countermeasure would have actually been effective (when applied to
the host).

I can verify though that with it disabled in the BIOS, it is indeed locked
down, without needing the countermeasure.

root@narwhal:~ # kldload cpuctl
root@narwhal:~ # cpucontrol -m 0xc80 /dev/cpuctl0
MSR 0xc80: 0x00000000 0x40000000

I still think the countermeasure is a good idea though!
https://github.com/HardenedBSD/hardenedBSD/commit/da28546280938e19e866d2e11a9ccda3c4ca82fa
is a version of the countermeasure that checks the virtualization flag too so
it will avoid tickling the bhyve limitation while still providing protection.

But at the very least, filter the SDBG feature flag.

-- 
You are receiving this mail because:
You are the assignee for the bug.
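
The following is an added example, not part of the original message and not FreeBSD or HardenedBSD code: a small sh helper that decodes a `cpucontrol -m 0xc80` line like the one quoted above into the silicon debug enable and lock state. The function name and state strings are hypothetical, and the bit positions are an assumption taken from Intel's IA32_DEBUG_INTERFACE definition (bit 0 enable, bit 30 lock, bit 31 debug occurred).

```shell
#!/bin/sh
# Added example. Decodes one line of `cpucontrol -m 0xc80` output, which has
# the form "MSR 0xc80: 0xHIGH 0xLOW" (upper 32 bits first, then lower 32).
# Assumed bit layout (Intel SDM, IA32_DEBUG_INTERFACE):
#   bit 0 = debug enable, bit 30 = lock, bit 31 = debug occurred.
# Prints a state string; returns 0 only for the safe state (locked, disabled),
# 1 for any other decoded state, 2 if the line cannot be parsed.
decode_debug_msr() {
    read -r tag msr high low extra <<EOF
$1
EOF
    # Reject anything that is not a well-formed reading of MSR 0xc80.
    if [ "$tag" != "MSR" ] || [ "$msr" != "0xc80:" ] || [ -n "$extra" ]; then
        echo "unparsed"; return 2
    fi
    case $low in
        0x*) ;;
        *) echo "unparsed"; return 2 ;;
    esac
    case ${low#0x} in
        ''|*[!0-9a-fA-F]*) echo "unparsed"; return 2 ;;
    esac

    val=$(( $low ))
    enable=$(( val & 1 ))
    lock=$(( (val >> 30) & 1 ))
    occurred=$(( (val >> 31) & 1 ))

    if [ "$lock" -eq 1 ]; then state=locked; else state=unlocked; fi
    if [ "$enable" -eq 1 ]; then state="$state,enabled"; else state="$state,disabled"; fi
    [ "$occurred" -eq 1 ] && state="$state,debug-occurred"

    echo "$state"
    [ "$state" = "locked,disabled" ]
}

# The first line is the reading quoted in the message above; the other two
# are constructed sample values.
while read -r l; do
    printf '%s -> %s\n' "$l" "$(decode_debug_msr "$l")"
done <<EOF
MSR 0xc80: 0x00000000 0x40000000
MSR 0xc80: 0x00000000 0x00000000
MSR 0xc80: 0x00000000 0xc0000001
EOF
```

On a host, the function can be fed the output of `cpucontrol -m 0xc80` for each `/dev/cpuctlN` device, and any result other than `locked,disabled` flagged for review.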
