Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1751305AbeAEJ7p (ORCPT + 1 other); Fri, 5 Jan 2018 04:59:45 -0500 Received: from Galois.linutronix.de ([146.0.238.70]:43928 "EHLO Galois.linutronix.de" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751227AbeAEJ7l (ORCPT ); Fri, 5 Jan 2018 04:59:41 -0500 Date: Fri, 5 Jan 2018 10:59:28 +0100 (CET) From: Thomas Gleixner To: Jon Masters cc: "Woodhouse, David" , Paolo Bonzini , Alan Cox , Linus Torvalds , Andi Kleen , Greg Kroah-Hartman , Tim Chen , Linux Kernel Mailing List , Dave Hansen , Jeff Law , Nick Clifton Subject: Re: Avoid speculative indirect calls in kernel In-Reply-To: <9976a670-a023-ea1f-3f13-ee5253092533@redhat.com> Message-ID: References: <20180103230934.15788-1-andi@firstfloor.org> <20180104015920.1ad7b9d3@alans-desktop> <1515054014.12987.75.camel@amazon.co.uk> <403e65be-cfd1-fd08-0401-2e26470b63d4@redhat.com> <4dde456c-fd15-e768-8876-5844c8b7c455@redhat.com> <9976a670-a023-ea1f-3f13-ee5253092533@redhat.com> User-Agent: Alpine 2.20 (DEB 67 2015-01-07) MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Return-Path: On Thu, 4 Jan 2018, Jon Masters wrote: > On 01/04/2018 07:54 PM, Thomas Gleixner wrote: > > On Thu, 4 Jan 2018, Jon Masters wrote: > >> P.S. I've an internal document where I've been tracking "nice to haves" > >> for later, and one of them is whether it makes sense to tag binaries as > >> "trusted" (e.g. extended attribute, label, whatever). It was something I > >> wanted to bring up at some point as potentially worth considering. > > > > Scratch that. There is no such thing as a trusted binary. > > I agree with your sentiment, but for those mitigations that carry a > significant performance overhead (for example IBRS at the moment, and on > some other architectures where we might not end up with retpolines) > there /could/ be some value in leaving them on by default but allowing a > sysadmin to decide to trust a given application/container and accept the > risk. Sure, it's selectively weakened security, I get that. I am not > necessarily advocating this, just suggesting it be discussed. > > [ I also totally get that you can extend variant 2 to have any > application that interacts with another abuse it (even over a pipe or a > socket, etc. provided they share the same cache and take untrusted data > that can lead to some kind of load within a speculation window), and > there are a ton of ways to still cause an attack in that case. ] Correct. We have neither the basic mitigations in place nor has anyone fully understood the implications and possible further issues. So can we please all sit back and fix the problems at hand in a sane way before we start discussing things like selective trust or whatever? I've seen the insanities which were crammed into the distro kernels, which have sysctls and whatever, but at the same time these kernels shipped in a haste do not even boot on a specific class of machines. Great engineering work. The thing which sits between the ears is not an acronyn for: Big Revenue All Intelligence Nuked But it seems that in some ways it has been degraded to exactly that or do you have a sane explanation why quite some of the chip vendors ignored the textbooks from the 90es about speculative execution, which clearly say that speculation has to stop on domain borders and permission violations. We already lost a lot of precious time due to other even more disgusting big corporate games and many of us haven't had a quite moment in the past two month. So can we please fix the stuff on the oldest and most important principle of engineering "Correctness first" and then once that done think about ways how to optimize that w/o digging yet another hole. Thanks, tglx