MIME-Version: 1.0
In-Reply-To: <20180104112614.GA1702@amd>
References: <20180103230934.15788-1-andi@firstfloor.org> <CA+55aFzCocoK+4kxAUEhaxxba4RTv3ewBmhiZ8Osc9iDkBtCEQ@mail.gmail.com>
 <20180104112614.GA1702@amd>
From: Linus Torvalds <torvalds@linux-foundation.org>
Date: Thu, 4 Jan 2018 10:33:04 -0800
Message-ID: <CA+55aFz3Z6jYnG9mCG2UMDqvg5bv7k7gKO3pZc36BrNSwfmUnQ@mail.gmail.com>
Subject: Re: Avoid speculative indirect calls in kernel
To: Pavel Machek <pavel@ucw.cz>
Cc: Andi Kleen <andi@firstfloor.org>, tglx@linuxtronix.de,
        Greg Kroah-Hartman <gregkh@linux-foundation.org>,
        David Woodhouse <dwmw@amazon.co.uk>,
        Tim Chen <tim.c.chen@linux.intel.com>,
        Linux Kernel Mailing List <linux-kernel@vger.kernel.org>,
        Dave Hansen <dave.hansen@intel.com>
Content-Type: text/plain; charset="UTF-8"
Sender: linux-kernel-owner@vger.kernel.org

On Thu, Jan 4, 2018 at 3:26 AM, Pavel Machek <pavel@ucw.cz> wrote:
> On Wed 2018-01-03 15:51:35, Linus Torvalds wrote:
>>
>> A *competent* CPU engineer would fix this by making sure speculation
>> doesn't happen across protection domains. Maybe even a L1 I$ that is
>> keyed by CPL.
>
> Would that be enough?

No, you'd need to add the CPL to the branch target buffer itself, not the I$ L1.

And as somebody pointed out, that only helps the user space messing
with the kernel. It doesn't help the "one user context fools another
user context to mispredict". (Where the user contexts might be a
JIT'ed JS vs the rest of the web browser).

So you really would want to just make sure the full address is used to
index (or at least verify) the BTB lookup, and even then you'd then
need to invalidate the BTB on context switches so that one context
can't fill in data for another context.

           Linus