Re: [coypu%sdf.org@localhost: VIA C3 backdoor]

To: maya%netbsd.org@localhost
Subject: Re: [coypu%sdf.org@localhost: VIA C3 backdoor]
From: Andrius V <vezhlys%gmail.com@localhost>
Date: Sat, 18 Aug 2018 13:15:31 +0300

Hi,

Patched kernel booted without issues on VIA Eden-N CPU. However, after
trying resonbridge tools (on Linux) it seems this CPU is not affected
anyway (even running unlock tool didn't have any effect, check utility
still reported that no backdoor was detected).
On Fri, Aug 10, 2018 at 5:58 PM <maya%netbsd.org@localhost> wrote:
>
> Forwarding to correct list, thanks ball.
> I've uploaded a -current kernel with this patch here:
> https://ftp.netbsd.org/pub/NetBSD/misc/maya/VIA-ALTINST-DISABLE
>
> SHA1 (/home/fly/i386/sys/arch/i386/compile/GENERIC/netbsd) = 15282e698480b0453dee601959dec098a29eebf6
>
> ----- Forwarded message from coypu%sdf.org@localhost -----
>
> Date: Fri, 10 Aug 2018 14:15:17 +0000
> From: coypu%sdf.org@localhost
> To: port-amd64%netbsd.org@localhost
> Subject: VIA C3 backdoor
> User-Agent: Mutt/1.9.1 (2017-09-22)
>
> Anyone watching this?
> https://github.com/xoreaxeaxeax/rosenbridge
> Looks like we'll want to disable ALTINST on VIA CPUs if it happens to be on already.
>
> docs:
> http://datasheets.chipdb.org/VIA/Nehemiah/VIA%20C3%20Nehemiah%20Datasheet%20R113.pdf
> (page 82)
>
> I'm guessing something like this (untested, I have no VIA CPUs), the
> function is called cpu_probe_c3, but I'm not sure if it matches too
> many VIA CPUs.
>
> cpu_probe_winchip also looks like it would match the same CPUs...?
> maybe move the VIA Eden cmpxchg8b instruction enable code from the
> probe_winchip function to probe_c3 and make it only for family == 5?
>
>
>
> Index: include/specialreg.h
> ===================================================================
> RCS file: /cvsroot/src/sys/arch/x86/include/specialreg.h,v
> retrieving revision 1.129
> diff -u -r1.129 specialreg.h
> --- include/specialreg.h        7 Aug 2018 10:50:12 -0000       1.129
> +++ include/specialreg.h        10 Aug 2018 14:08:05 -0000
> @@ -792,6 +792,7 @@
>  #define MSR_VIA_RNG_NOISE_B    0x00000100
>  #define MSR_VIA_RNG_2NOISE     0x00000300
>  #define MSR_VIA_ACE            0x00001107
> +#define MSR_VIA_ACE_ALTINST    0x00000001
>  #define MSR_VIA_ACE_ENABLE     0x10000000
>
>  /*
> Index: x86/identcpu.c
> ===================================================================
> RCS file: /cvsroot/src/sys/arch/x86/x86/identcpu.c,v
> retrieving revision 1.79
> diff -u -r1.79 identcpu.c
> --- x86/identcpu.c      4 Jul 2018 07:55:57 -0000       1.79
> +++ x86/identcpu.c      10 Aug 2018 14:08:05 -0000
> @@ -601,10 +601,13 @@
>                         msr = rdmsr(MSR_VIA_ACE);
>                         wrmsr(MSR_VIA_ACE, msr | MSR_VIA_ACE_ENABLE);
>                     }
> -
>                 }
>         }
>
> +       /* Disable unsafe ALTINST mode if it's accidentally on */
> +       msr = rdmsr(MSR_VIA_ACE);
> +       wrmsr(MSR_VIA_ACE, msr & ~MSR_VIA_ACE_ALTINST);
> +
>         /*
>          * Determine L1 cache/TLB info.
>          */
>
>
> ----- End forwarded message -----

References:
- [coypu%sdf.org@localhost: VIA C3 backdoor]
  - From: maya

Prev by Date: [coypu%sdf.org@localhost: VIA C3 backdoor]
Next by Date: Microsoft Outlook
Previous by Thread: [coypu%sdf.org@localhost: VIA C3 backdoor]
Next by Thread: Microsoft Outlook
Indexes:

Home | Main Index | Thread Index | Old Index