Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1752853AbeADL0R (ORCPT + 1 other); Thu, 4 Jan 2018 06:26:17 -0500 Received: from atrey.karlin.mff.cuni.cz ([195.113.26.193]:58062 "EHLO atrey.karlin.mff.cuni.cz" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1752159AbeADL0Q (ORCPT ); Thu, 4 Jan 2018 06:26:16 -0500 Date: Thu, 4 Jan 2018 12:26:14 +0100 From: Pavel Machek To: Linus Torvalds Cc: Andi Kleen , tglx@linuxtronix.de, Greg Kroah-Hartman , dwmw@amazon.co.uk, Tim Chen , Linux Kernel Mailing List , Dave Hansen Subject: Re: Avoid speculative indirect calls in kernel Message-ID: <20180104112614.GA1702@amd> References: <20180103230934.15788-1-andi@firstfloor.org> MIME-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="bp/iNruPH9dso1Pn" Content-Disposition: inline In-Reply-To: User-Agent: Mutt/1.5.23 (2014-03-12) Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Return-Path: --bp/iNruPH9dso1Pn Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Wed 2018-01-03 15:51:35, Linus Torvalds wrote: > On Wed, Jan 3, 2018 at 3:09 PM, Andi Kleen wrote: > > This is a fix for Variant 2 in > > https://googleprojectzero.blogspot.com/2018/01/reading-privileged-memor= y-with-side.html > > > > Any speculative indirect calls in the kernel can be tricked > > to execute any kernel code, which may allow side channel > > attacks that can leak arbitrary kernel data. >=20 > Why is this all done without any configuration options? >=20 > A *competent* CPU engineer would fix this by making sure speculation > doesn't happen across protection domains. Maybe even a L1 I$ that is > keyed by CPL. Would that be enough? AFAICT this will be pretty tricky to fix; it looks like you could "attack" one userland application from another. Probing does not have to work on L1 cache level; even main memory has "state". It seems that complete fix would be considering any cache modification and any memory access as a "side effect" -- so not okay to do speculatively. But that sounds... quite expensive for the performance...? Pavel --=20 (english) http://www.livejournal.com/~pavelmachek (cesky, pictures) http://atrey.karlin.mff.cuni.cz/~pavel/picture/horses/blo= g.html --bp/iNruPH9dso1Pn Content-Type: application/pgp-signature; name="signature.asc" Content-Description: Digital signature -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iEYEARECAAYFAlpOD1YACgkQMOfwapXb+vKtVgCguJEV+Uen2e5EoUNOWdSth/op Y/gAoIcOzTtCK9oAsV9Zjhvx1mEbIoly =LjOS -----END PGP SIGNATURE----- --bp/iNruPH9dso1Pn--