Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1753405AbeADQTV (ORCPT <rfc822;ralf@linux-mips.org> + 1 other);
        Thu, 4 Jan 2018 11:19:21 -0500
Received: from mail.kernel.org ([198.145.29.99]:33662 "EHLO mail.kernel.org"
        rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
        id S1752200AbeADQTT (ORCPT <rfc822;linux-kernel@vger.kernel.org>);
        Thu, 4 Jan 2018 11:19:19 -0500
DMARC-Filter: OpenDMARC Filter v1.3.2 mail.kernel.org B8D8221928
Authentication-Results: mail.kernel.org; dmarc=none (p=none dis=none) header.from=kernel.org
Authentication-Results: mail.kernel.org; spf=none smtp.mailfrom=luto@kernel.org
X-Google-Smtp-Source: ACJfBou8vnW+yodckiST3rfZa/3T+UiSd8fV8b4qDq8Au+hXmypp3/9gqe2mg+G02De11Y2ASjRjFgHExzAVBiSj0Pw=
MIME-Version: 1.0
In-Reply-To: <1515058213.12987.89.camel@amazon.co.uk>
References: <CAPM31RLaz7OuO_rm45_he=S0OZqPWY7zp-O6uevD25Br+YXwJA@mail.gmail.com>
 <1515058213.12987.89.camel@amazon.co.uk>
From: Andy Lutomirski <luto@kernel.org>
Date: Thu, 4 Jan 2018 08:18:57 -0800
X-Gmail-Original-Message-ID: <CALCETrWRca6X9AbXn2b_p_mbY9gAws3LFwsDxWw5Vk9zDLAwbg@mail.gmail.com>
Message-ID: <CALCETrWRca6X9AbXn2b_p_mbY9gAws3LFwsDxWw5Vk9zDLAwbg@mail.gmail.com>
Subject: Re: [RFC] Retpoline: Binary mitigation for branch-target-injection
 (aka "Spectre")
To: "Woodhouse, David" <dwmw@amazon.co.uk>,
        "Van De Ven, Arjan" <arjan.van.de.ven@intel.com>
Cc: "linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>,
        "tim.c.chen@linux.intel.com" <tim.c.chen@linux.intel.com>,
        "peterz@infradead.org" <peterz@infradead.org>,
        "torvalds@linux-foundation.org" <torvalds@linux-foundation.org>,
        "tglx@linuxtronix.de" <tglx@linuxtronix.de>,
        "riel@redhat.com" <riel@redhat.com>,
        "keescook@google.com" <keescook@google.com>,
        "gnomes@lxorguk.ukuu.org.uk" <gnomes@lxorguk.ukuu.org.uk>,
        "pjt@google.com" <pjt@google.com>,
        "dave.hansen@intel.com" <dave.hansen@intel.com>,
        "jikos@kernel.org" <jikos@kernel.org>,
        "gregkh@linux-foundation.org" <gregkh@linux-foundation.org>
Content-Type: text/plain; charset="UTF-8"
Sender: linux-kernel-owner@vger.kernel.org
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>

On Thu, Jan 4, 2018 at 1:30 AM, Woodhouse, David <dwmw@amazon.co.uk> wrote:
> On Thu, 2018-01-04 at 01:10 -0800, Paul Turner wrote:
>> Apologies for the discombobulation around today's disclosure.  Obviously the
>> original goal was to communicate this a little more coherently, but the
>> unscheduled advances in the disclosure disrupted the efforts to pull this
>> together more cleanly.
>>
>> I wanted to open discussion the "retpoline" approach and and define its
>> requirements so that we can separate the core
>> details from questions regarding any particular implementation thereof.
>>
>> As a starting point, a full write-up describing the approach is available at:
>>   https://support.google.com/faqs/answer/7625886
>
> Note that (ab)using 'ret' in this way is incompatible with CET on
> upcoming processors. HJ added a -mno-indirect-branch-register option to
> the latest round of GCC patches, which puts the branch target in a
> register instead of on the stack. My kernel patches (which I'm about to
> reconcile with Andi's tweaks and post) do the same.
>
> That means that in the cases where at runtime we want to ALTERNATIVE
> out the retpoline, it just turns back into a bare 'jmp *\reg'.
>
>

I hate to say this, but I think Intel should postpone CET until the
dust settles.  Intel should also consider a hardware-protected stack
that is only accessible with PUSH, POP, CALL, RET, and a new MOVSTACK
instruction.  That, by itself, would give considerable protection.
But we still need JMP_NO_SPECULATE.  Or, better yet, get the CPU to
stop leaking data during speculative execution.