Linux 5.9 released

Linux 5.9 is out as the 2020 autumn kernel update. Linux 5.9 has a number of exciting improvements including initial support for upcoming Radeon RX 6000 “RDNA 2” graphics cards, initial Intel Rocket Lake graphics, NVMe zoned namespaces (ZNS) support, various storage improvements, IBM’s initial work on POWER10 CPU bring-up, the FSGSBASE instructions are now used, 32-bit x86 Clang build support, and more.

It will make its way to your distribution eventually, to your separate kernel repository, or, for the brave ones, to your compile command.

  1. 2020-10-12 11:52 pm
    Alfman

    It’s quite clear that the main reason to use x86 has to do with network effects, including myself, but man the architecture is full of legacy hacks and caveats these days…

    https://software.intel.com/security-software-guidance/best-practices/guidance-enabling-fsgsbase

    Historically, Linux used bit 63 of the GS base register to determine if the value was written by the kernel. This has been a safe assumption because the only way for an application to write to the GS base register was with the ARCH_SET_GS arch_prctl() system call. The kernel would return an error if an application attempted to set bit 63 of the GS base register.

    If the kernel failed to differentiate between its own GS base value and an application’s value, an application could trick the kernel into using the wrong data for its per-CPU data structures. These structures contain data, like stack pointers, which affect control flow and might be leveraged by an exploit for malicious purposes.

    The FSGSBASE architects anticipated these kinds of issues and included an opt-in as part of the architecture. System software, such as Linux, must first set a bit in a privileged control register (CR4.FSGSBASE) before the FSGSBASE feature will function. The inclusion of this bit allows each operating system to opt in to FSGSBASE only after it has removed any potentially unsafe assumptions, such as the value of GS base bit 63.

    However, some software projects that desire the functionality of FSGSBASE might manipulate CR4.FSGSBASE without also removing assumptions about the value of GS base bit 63. This could potentially allow malicious software to manipulate the GS base.

    Intel recommends that software projects that enable the FSGSBASE capability keep or add assumptions about the value of the GS base bit 63.

    Several experimental Library OS (LibOS) implementation projects aim to run unmodified Linux applications on Intel® Software Guard Extensions (Intel® SGX) by providing a POSIX runtime environment for applications. All such LibOSes run modified libraries inside the enclave along with the LibOS. GNU Library C relies on thread-local storage (TLS) to keep all thread-private variables. Thread-local storage on x86-64 architectures is maintained by the FS/GS base registers. Because Intel SGX enclaves do not allow making system calls from an enclave, however, these systems can’t use the system calls provided by Linux.

    The FSGSBASE hardware feature provides an alternative to making these system calls, making it attractive to Library OSes. Several implementations have manipulated CR4.FSGSBASE without removing all OS assumptions about the values of the base registers:

    Graphene-SGX-Driver
    Occlum
    SGX-LKL

    Given the purpose of this bit, Intel recommends that it be used with caution and never in production environments unless accompanied by a complete OS implementation. Incomplete implementations, such as those listed above, can be exploited to gain privilege escalation.

    This is the kind of feature that will inevitably add to confusion, especially for new young engineers about why the hell they did it this way in the coming decades. And as is tradition with x86 they will probably have to continue including these CPU quirks on x86 CPU dies for a long time. I realize the aforementioned network effects keep x86 dominant, but it makes me wonder just how convoluted we’re going to allow our dominant architecture to become before finally choosing an alternative with less legacy baggage to take its place.
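The kernel-side rules the quoted Intel guidance describes have a user-space counterpart in Linux 5.9: the kernel advertises that it has opted in to FSGSBASE through the HWCAP2_FSGSBASE bit (bit 1) of the AT_HWCAP2 auxiliary-vector entry, and a program should consult that bit before executing RDFSBASE/WRFSBASE rather than assuming the CPU flag alone means the instructions are usable. The following C program is an added example, not code from the article, the commenter or any of the projects named above. It assumes x86-64 Linux with glibc; it reads the FS base both through the arch_prctl() system call and, only when the kernel has opted in, through the RDFSBASE instruction, and it shows the kernel refusing an ARCH_SET_GS request whose base has bit 63 set (a kernel-half address), which is the invariant the commenter's quote is about. The 0x1001/0x1003 fallback constants mirror the kernel's asm/prctl.h values and are only used if that header is missing.

```c
#include <stdint.h>
#include <stdio.h>

#if defined(__x86_64__) && defined(__linux__)
#include <sys/auxv.h>     /* getauxval(), AT_HWCAP2 */
#include <sys/syscall.h>  /* SYS_arch_prctl */
#include <unistd.h>       /* syscall() */
#include <asm/prctl.h>    /* ARCH_SET_GS, ARCH_GET_FS */

/* HWCAP2_FSGSBASE is bit 1 of AT_HWCAP2 (arch/x86/include/uapi/asm/hwcap2.h);
 * defined here as a fallback so the example builds against older headers. */
#ifndef HWCAP2_FSGSBASE
#define HWCAP2_FSGSBASE (1 << 1)
#endif
#ifndef ARCH_SET_GS
#define ARCH_SET_GS 0x1001
#endif
#ifndef ARCH_GET_FS
#define ARCH_GET_FS 0x1003
#endif

/* 1 if the kernel says user space may execute RD/WR{FS,GS}BASE, else 0.
 * This is the kernel's own opt-in signal, not the raw CPUID bit. */
int fsgsbase_enabled(void) {
    return (getauxval(AT_HWCAP2) & HWCAP2_FSGSBASE) ? 1 : 0;
}

/* Read the FS base the portable way (system call); valid on every kernel. */
static uint64_t fs_base_via_syscall(void) {
    uint64_t base = 0;
    if (syscall(SYS_arch_prctl, ARCH_GET_FS, &base) != 0)
        return 0;
    return base;
}

/* Read the FS base with the instruction; only legal once fsgsbase_enabled()
 * reports 1, otherwise the CPU raises #UD and the process gets SIGILL. */
static uint64_t fs_base_via_rdfsbase(void) {
    uint64_t base;
    __asm__ volatile("rdfsbase %0" : "=r"(base));
    return base;
}

/* Returns 1 when the user-space view of the FS base is consistent: either the
 * kernel has not opted in (so only the syscall path is used), or the
 * instruction and the syscall agree. Returns 0 on a mismatch. glibc always
 * sets a non-zero FS base for TLS, so 0 is treated as an error. */
int fs_base_consistent(void) {
    uint64_t via_sc = fs_base_via_syscall();
    if (!fsgsbase_enabled())
        return via_sc != 0;
    return via_sc != 0 && fs_base_via_rdfsbase() == via_sc;
}

/* Shows the kernel-side check described in the quoted guidance: ARCH_SET_GS
 * refuses a base with bit 63 set, because it lies outside the user address
 * range. Returns 1 if the kernel rejected it, 0 if it accepted it. */
int gs_base_bit63_rejected(void) {
    uint64_t bad = (uint64_t)1 << 63;   /* constructed, deliberately invalid */
    long rc = syscall(SYS_arch_prctl, ARCH_SET_GS, bad);
    return (rc == -1) ? 1 : 0;
}
#else
/* Non-x86-64 or non-Linux builds: report "not applicable" (-1) where a
 * verdict is expected, and treat the consistency check as vacuously true. */
int fsgsbase_enabled(void) { return 0; }
int fs_base_consistent(void) { return 1; }
int gs_base_bit63_rejected(void) { return -1; }
#endif

int main(void) {
    printf("HWCAP2_FSGSBASE: %s\n", fsgsbase_enabled() ? "enabled" : "not enabled");
    printf("FS base consistent: %d\n", fs_base_consistent());
    printf("ARCH_SET_GS with bit 63 rejected: %d\n", gs_base_bit63_rejected());
    return 0;
}
```

Build with `gcc -O2 fsgsbase_check.c -o fsgsbase_check` on an x86-64 Linux box. On a 5.9 kernel with FSGSBASE enabled the first line reports "enabled" and the instruction path agrees with the syscall; on an older kernel, or one booted with FSGSBASE disabled, the program never executes RDFSBASE and still reports a consistent FS base, which is the point: the AT_HWCAP2 bit, not the CPUID feature flag, is what tells a program the kernel has removed its old assumptions and opted in.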

