marcan changed the topic of #asahi to: Asahi Linux: porting Linux to Apple Silicon macs | General project discussion | GitHub: https://alx.sh/g | Wiki: https://alx.sh/w | Topics: #asahi-dev #asahi-re #asahi-gpu #asahi-offtopic | Keep things on topic | Logs: https://alx.sh/l/asahi
emilazy has joined #asahi
Z750 has joined #asahi
aquijoule_ has joined #asahi
bgb has joined #asahi
PhilippvK has joined #asahi
phiologe has quit [Ping timeout: 480 seconds]
aquijoule__ has quit [Ping timeout: 480 seconds]
<marcan> there, the silly thing is out: https://twitter.com/marcan42/status/1397387066044911618
<marcan> :p
marvin24 has joined #asahi
marvin24_ has quit [Ping timeout: 480 seconds]
<marcan> maz: I was just thinking, what does KVM do with impdef traps? I know it does set TIDCP
<marcan> if it just kills the VM, then this thing turns into a DoS vuln in KVM, so it'd have to handle it and ignore reads/writes instead
<marcan> (which is what Hypervisor.framework does)
<marcan> or perhaps just re-inject the exception as an unknown into the guest (which would then handle it as a userspace fault)
<marcan> looks like Freenode just purged all channels with the word "libera" in the topic
<marcan> seems we were spared by choosing OFTC instead, but I'm still going to just purge the asahi channels
klange has joined #asahi
tertu has joined #asahi
VinDuv has joined #asahi
<rkjnsn[m]> While not usable from VMs, would M1RACLES allow two containers that are supposed to be isolated / sandboxed to communicate?
<marcan> OS-based containers (e.g. docker on linux) yes, unfortunately
<thunfisch> ouch, that's brutal. thanks for disclosing that.
<marcan> but there are probably many ways of doing that anyway, with other CPU side channels and such (just this one is a particularly trivial one)
<marcan> e.g. I bet someone can come up with something funky with cache timing attacks on vDSO pages, or stuff like that
mulderje[m] has joined #asahi
mulderje[m] is now known as mulderje
mulderje has quit []
mulderje has joined #asahi
<rkjnsn[m]> Sure, but compared to timing attacks, this appears to be relatively easy, fast, and reliable. (No statistical analysis necessary.)
<rkjnsn[m]> Almost certainly still not a concern for anything I plan on doing, but good to be aware of.
<thunfisch> yeah, to me this rules out any possibility of trying to isolate stuff on m1 with containers. :[ way too easy to exploit apparently.
<thunfisch> not that containers are a good choice for security, sure, but in some cases it was "enough"
<emilazy> you can still isolate them in many ways
<emilazy> you just can't stop two malicious, collaborating ones from communicating
<phire> is two containers voluntarily communicating really a threat model?
<emilazy> it certainly breaks a sufficiently strict sandboxing discipline, including the one the OS is meant to provide
<emilazy> but yeah it's unlikely to be the dealbreaker for most
<emilazy> if you were expecting a standard linux system with containers to provide this kind of isolation you probably already lost
<thunfisch> yeah :)
<emilazy> like, it's basically granting certain kinds of IPC privilege to every running process, but it has to be one both ends deliberately use, so the potential for exploits beyond two exploited components negotiating data exfiltration is probably low
<marcan> exactly, the use cases for "I want to run two containers but talking to each other breaks my security model" are very few
<marcan> this is veering on the malware analysis side of things, and you are quite frankly insane if you are doing that with containers; that needs a VM
<phire> it's only going to matter if you have some containers which have network privileges and others which have other different privileges and there are collaborating malicious containers in each domain
<marcan> I consider containers to be a security technology for, a priori, non-malicious software
<marcan> I would not deliberately run fully untrusted, presumed-malicious code in containers as policy
<marcan> and certainly not in scenarios sensitive enough where this kind of covert channel is an issue
cptcobalt has joined #asahi
<rkjnsn[m]> I was thinking along the lines of, if I knew some target of value spun up containers for specific activities,
<rkjnsn[m]> one with network access and one of particular interest was explicitly run without network access,
<rkjnsn[m]> perhaps I find a way to compromise the base image they use for both and use M1RACLES to pass the data.
<rkjnsn[m]> Not an attack I personally have to worry about, but folks have gone to greater lengths than that for some high-value targets.
<marcan> yeah, but APTs like that have better exploits anyway, as I said in the faq... :)
VinDuv has quit [Quit: Leaving.]
<dottedmag> Spinning untrusted containers on high-value targets...
pugguu has joined #asahi
<dottedmag> BTW, it means that no amount of userspace trickery can be applied to work around it, so e.g. gVisor doesn't help, right?
<pugguu> Are those supposed to be like that marcan all i see is 2 question marks in sideways squares
<pugguu> They are more like diamonds
<emilazy> it sounds like your software or font is missing support for some Unicode characters
<emilazy> and showing � instead
<emilazy> though I'm not seeing where the non-ASCII characters in marcan's recent messages are
sirn has joined #asahi
<pugguu> Hmm interesting im on a ascii supported client and is running in android so shouldnt have any issues
pugguu has quit [Ping timeout: 480 seconds]
<Misthios> my webclient also shows the diamonds
bgb has quit [Ping timeout: 480 seconds]
tbodt_ is now known as tbodt
tbodt has quit [Quit: ZNC 1.7.5+deb4 - https://znc.in]
tbodt has joined #asahi
tbodt has quit []
tbodt has joined #asahi
rcombs has joined #asahi
<j_ey> marcan: lol u registered a domain for the cve, cute
<maz> marcan: we just inject an UNDEF into the guest.
<maz> marcan: as far as a KVM guest is concerned, IMPDEF encodings are never implemented, so at least we're consistent.
<maz> marcan: I don't see how that's a DoS though.
mjg59 has joined #asahi
ave has quit [Quit: o/ https://thelounge.lasagna.dev]
linuxgemini has quit [Quit: o/ https://thelounge.lasagna.dev]
linuxgemini has joined #asahi
ave has joined #asahi
skali has joined #asahi
EER has joined #asahi
arnd has joined #asahi
skali has quit [Quit: My MacBook has gone to sleep. ZZZzzz…]
<marcan> maz: it isn't if you inject UNDEF
<marcan> it would if you terminated the VM instead or something
<marcan> so no problem then :)
<maz> marcan: no. the guest has done something that was never advertised as supported.
<maz> marcan: you execute an UNDEF, you take an exception. that's what the architecture says.
<marcan> Misthios: I guess your webclient is missing the Hypervisor Progress Glyphs unicode page
<marcan> maz: sure, though normally those UNDEFs are sent straight to EL1, which is different from these which trap to EL2 and have to be reinjected, so I wasn't sure what the behavior was :)
<marcan> but of course this all makes sense, I just wanted to double check
<maz> marcan: thankfully, from the guest PoV, it cannot make the difference. we just emulate that part of the architecture (and the NV support requires that at all times anyway).
<marcan> ah, right :)
<maz> (without NV)
<marcan> yup, makes sense
<marcan> and I guess anything not trap-and-emulate ends up calling into that
<maz> marcan: yup, UNDEF is the default handler.
verybasic has joined #asahi
NekomimiScience has joined #asahi
<jn> nice work on m1racles.com! :D
Tom has joined #asahi
Thomas____ has quit [Ping timeout: 480 seconds]
grange_c has joined #asahi
bgb has joined #asahi
bfredl[m] has joined #asahi
bgb_ has joined #asahi
bgb has quit [Ping timeout: 480 seconds]
perigoso[m] has joined #asahi
hell__ has joined #asahi
Tom has quit [Ping timeout: 480 seconds]
hell__ has quit [Quit: CPU triple-faulted.]
hell__ has joined #asahi
<yrlf> wow, that m1racles acronym is absolutely wonderful!
Raito_Bezarius has quit [Quit: WeeChat 3.0]
Raito_Bezarius has joined #asahi
Raito_Bezarius has quit [Remote host closed the connection]
<jn> playing Bad Apple to demo an Apple M1 bug is also... just 200% marcan
<jn> so cool :)
Raito_Bezarius has joined #asahi
<marcan> :D
<JTL> marcan: Bad Apple (M1)
<JTL> (Sorry I couldn't resist)
<hell__> (Bad Apple)^2
<mini> hey, it's a catchy song with an interesting video
minecrell has joined #asahi
riatre has joined #asahi
choozy has joined #asahi
bgb has joined #asahi
bgb_ has quit [Ping timeout: 480 seconds]
tomw has joined #asahi
tomw is now known as to-mw
to-mw is now known as tom-w
rann has quit [Quit: Updating details, brb]
rann has joined #asahi
apetresc has joined #asahi
cadubentzen has joined #asahi
artemist has quit [Quit: artemist]
artemist has joined #asahi
facez[m] has joined #asahi
pugguu has joined #asahi
pugguu has quit [Read error: Connection reset by peer]
pugguu has joined #asahi
null has joined #asahi
choozy has quit [Quit: https://quassel-irc.org - Chat comfortably. Anywhere.]
trippeh has joined #asahi
EER has quit [Remote host closed the connection]
matt_b has joined #asahi
<matt_b> I take it there won't be a march-april status update blog post?
nafod has joined #asahi
<Chainsaw> matt_b: There were m1racles instead.
VinDuv has joined #asahi
hir0pro has joined #asahi
<matt_b> yeah, saw that this morning :p
<matt_b> but I assumed that was the progress report for may XD
hir0pro has quit [Quit: leaving]
<yrlf> matt_b: IIRC marcan said he wants to wait a bit for the progress report to be able to add the hypervisor / mmiotrace stuff to it; that was a few weeks ago I think
<matt_b> mmm
choozy has joined #asahi
Andalu30 has joined #asahi
hir0pro has joined #asahi
<marcan> matt_b: the march one is very overdue and is supposed to be about kernel upstreaming
<marcan> then april-may, about the hypervisor
elwisp has joined #asahi
<marcan> was going to do another stream today but too much m1racles stuff, so tomorrow instead :)
<marcan> off to sleep
<facez[m]> <Chainsaw "matt_b: There were m1racles inst"> m1racles brought me here! Well done
bps has joined #asahi
bps is now known as bps2
pugguu has quit [Read error: Connection reset by peer]
pugguu has joined #asahi
bps2 has left #asahi [Leaving]
Andalu30 has quit [Ping timeout: 480 seconds]
pugguu has quit [Read error: Connection reset by peer]
pugguu has joined #asahi
izmar has joined #asahi
Izumoo has joined #asahi
pugguu has quit [Read error: Connection reset by peer]
pugguu has joined #asahi
fridtjof[m] is now known as fridtjof[m2]
fridtjof[m2] is now known as fridtjof[m]
fridtjof[m] has quit [Quit: authenticating]
fridtjof[m] has joined #asahi
Tom has joined #asahi
Tom has left #asahi [#asahi]
StupidYui has joined #asahi
SunWuKung has quit [Remote host closed the connection]
pugguu has quit [Read error: Connection reset by peer]
pugguu has joined #asahi
pugguu has quit [Read error: Connection reset by peer]
pugguu has joined #asahi
SunWuKung has joined #asahi
maor26 has joined #asahi
maor26 has quit []
ah-[m] has joined #asahi
PieroDel[m] has joined #asahi
pugguu has quit [Ping timeout: 480 seconds]
<Misthios> I liked the jokes
izmar has quit [Remote host closed the connection]
VinDuv has quit [Quit: Leaving.]
choozy has quit [Quit: https://quassel-irc.org - Chat comfortably. Anywhere.]
mustache_ride has joined #asahi
matt_b has quit [Remote host closed the connection]
SunWuKung has quit [Ping timeout: 480 seconds]
choozy has joined #asahi
choozy has quit []
Aaron[m]1 has joined #asahi
maximus64 has joined #asahi
lanodan has joined #asahi
choozy has joined #asahi
pcm720 has joined #asahi
choozy has quit [Quit: https://quassel-irc.org - Chat comfortably. Anywhere.]
enomem has joined #asahi
The_DarkFire_[m] has joined #asahi