Subject: Re: Avoid speculative indirect calls in kernel
From: Tom Lendacky
Date: Thu, 4 Jan 2018 14:00:11 -0600
To: David Woodhouse, Andrew Cooper, Paolo Bonzini, "pavel@ucw.cz"
Cc: "tim.c.chen@linux.intel.com", "linux-kernel@vger.kernel.org", "torvalds@linux-foundation.org", "tglx@linutronix.de", "andi@firstfloor.org", "gnomes@lxorguk.ukuu.org.uk", "dave.hansen@intel.com", "gregkh@linux-foundation.org", Andrea Arcangeli

On 1/4/2018 10:15 AM, David Woodhouse wrote:
> On Thu, 2018-01-04 at 15:29 +0000, Woodhouse, David wrote:
>>
>>> With the GCC -mindirect-branch=thunk-external support, and microcode,
>>> Xen will make a boot-time choice between using Retpoline, Lfence (which
>>> is the better AMD option, and more performant than retpoline), or IBRS
>>> on Skylake and newer processors where it is strictly necessary, as well
>>> as using IBPB whenever available.
>>
>> I need to pull in the AMD lfence alternative for retpoline, giving us a
>> 3-way choice of the existing retpoline thunk, "lfence; jmp *%\reg", and
>> a bare "jmp *%\reg".
>
> I think I can abuse X86_FEATURE_SYSCALL for that, right? So it would
> look something like this:
>
>  --- a/arch/x86/lib/retpoline.S > +++ b/arch/x86/lib/retpoline.S 
> @@ -12,7 +12,7 @@ >   >  ENTRY(__x86.indirect_thunk.\reg) >         CFI_STARTPROC > -       ALTERNATIVE "call 2f", __stringify(jmp *%\reg), X86_BUG_NO_RETPOLINE > +       ALTERNATIVE_2 "call 2f", __stringify(lfence;jmp *%\reg), X86_FEATURE_SYSCALL, __stringify(jmp *%\reg), X86_BUG_NO_RETPOLINE >  1: >         lfence >         ASM_UNREACHABLE
>
>
> However, I would very much like to see a categorical statement from AMD
> that the lfence is sufficient in all cases. Remember, Intel were saying
> that too for a while, before finding that it was not *quite* good
> enough.

Yes, lfence is sufficient.  As long as the target is in the register
before the lfence and we jump through the register all is good, i.e.:

Include a dispatch serializing instruction after the load of an indirect
branch target. For instance, change this code:

    1: jmp *[rax]        ; jump to address pointed to by RAX

To this:

    1: mov [rax], rax    ; load target address
    2: lfence            ; dispatch serializing instruction
    3: jmp *rax

The processor will stop dispatching instructions until all older
instructions have returned their results and are capable of being retired
by the processor. At this point the branch target will be in the general
purpose register (rax in this example) and available at dispatch for
execution such that the speculative execution window is not large enough
to be exploited.

Thanks,
Tom
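
Review bot: In the ALTERNATIVE_2 line, selecting the "lfence;jmp *%\reg" replacement on X86_FEATURE_SYSCALL uses an unrelated feature bit as a stand-in for "lfence is sufficient on this CPU", which the accompanying mail itself calls an abuse. A dedicated synthetic feature flag, set at boot only for the CPUs where that holds, would make the condition auditable. The line also needs a comment stating which replacement applies when both X86_FEATURE_SYSCALL and X86_BUG_NO_RETPOLINE are set, since one variant keeps a speculation barrier and the bare "jmp *%\reg" keeps none.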
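
The rule stated in the reply above (target already in a register, lfence directly before the register-indirect branch) can be checked mechanically; this is an added example, not part of the original message or of the kernel patch. The listing is constructed, and `audit` is a hypothetical helper that inspects only the immediately preceding instruction in a linear objdump-style (AT&T syntax) listing.

```python
import re

# Constructed objdump -d style listing (AT&T syntax); not from a real kernel build.
SAMPLE = """\
  10:\t48 8b 00             \tmov    (%rax),%rax
  13:\t0f ae e8             \tlfence
  16:\tff e0                \tjmp    *%rax
  20:\tff 20                \tjmp    *(%rax)
  30:\t48 8b 1b             \tmov    (%rbx),%rbx
  33:\tff d3                \tcall   *%rbx
  40:\t0f ae e8             \tlfence
  43:\tff 61 08             \tjmp    *0x8(%rcx)
"""

REG_TARGET = re.compile(r"^\*%\w+$")  # e.g. *%rax: branch through a register


def audit(disasm):
    """Return (address, reason) for indirect branches that break the rule."""
    findings = []
    prev = None  # mnemonic of the previous instruction in the listing
    for line in disasm.splitlines():
        parts = line.split("\t")  # objdump: address, raw bytes, instruction
        if len(parts) < 3:
            continue
        addr = parts[0].strip().rstrip(":")
        fields = parts[2].split(None, 1)
        mnem = fields[0]
        operand = fields[1].strip() if len(fields) > 1 else ""
        # Older objdump prints jmpq/callq; treat them like jmp/call.
        if mnem.rstrip("q") in ("jmp", "call") and operand.startswith("*"):
            if not REG_TARGET.match(operand):
                # Target is loaded by the branch itself, i.e. after any lfence.
                findings.append((addr, "memory-indirect target"))
            elif prev != "lfence":
                findings.append((addr, "no lfence before branch"))
        prev = mnem
    return findings


if __name__ == "__main__":
    for addr, reason in audit(SAMPLE):
        print(f"{addr}: {reason}")
```

The branch at 43 is flagged even though an lfence precedes it, because its target is still fetched from memory by the jump itself rather than sitting in a register before the fence.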