Re: Re:How SLAT distinguish user-mode or super-mode

Zhuzhuzaizai · ‎06-30-2021

Hi,

As far as I know, for the code execution, x86 EPT uses XU and X to mark
the execution permission for user- and supervisor-mode linear
addresses, respectively. However, the user- and supervisor-mode
linear addresses are marked by the U/S bit of KPGT(kernel-level page table).

From a security perspective, if an attacker is able to modify KPGT, the page walk in EPT should be able to guarantee permission checks. But the attacker could change the U/Sbit easily if there are some exploits in the kernel.

Is there any other mechanism that allows EPT to distinguish between user-mode and supervisor-mode instead of relying on the unreliable KPGT's U/S bit?

David_G_Intel · ‎07-01-2021

Hello Zhuzhuzaizai

Thank you for posting on the Intel️® communities. To help with your request, we need more information from your system.

Please share with us the model of the Intel product used and the Intel® System Support Utility (Intel® SSU) results

Download the Intel SSU https://downloadcenter.intel.com/download/26735/Intel-System-Support-Utility-for-the-Linux-Operating-System
Open the application and select "Everything" click on "Scan" to see the system and device information. By default, Intel® SSU will take you to the "Summary View".
Click on the menu where it says "Summary" to change to "Detailed View".
To save your scan, click on "Next", then "Save".

Regards,

David G

Intel Customer Support Technician

Zhuzhuzaizai · ‎07-05-2021

I think it's an architecture-related question, and all CPUs that support VT-d should face this problem.

As far as I think, permission checking for EPT depends on the kernel's page tables, would that causes some security problems?

David_G_Intel · ‎07-05-2021

To answer your questions in the best possible way we need more information, please provide at least which operating system you are asking for.

Regards,

David G

Intel Customer Support Technician

Zhuzhuzaizai · ‎07-05-2021

We use Intel Xeon Silver 4210 with 10 cores, 40 threads, and 256GB RAM. The operating system on topis Ubuntu 20.04 with Linux kernel v5.4.61.

Zhuzhuzaizai · ‎07-12-2021

Hello? May I get another reply for details?

Thanks a lot.

David_G_Intel · ‎10-05-2021

@Zhuzhuzaizai we are still looking into this inquiry, we will provide an update by next Wed 10/6 end of day U.S. time.

Regards,

David G

Intel Customer Support Technician

David_G_Intel · ‎10-11-2021

Thank you for your patience. Upon further investigation you need to use your operating system's API where it can distinguish which operating system code is running. This is how you can distinguish user mode from super mode. For more details, you need to check with the operating system vendor/developer.

Please keep in mind that this thread will no longer be monitored by Intel. Thank you for your understanding.

Best regards,

David G

Intel Customer Support Technician