Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1751842AbeAEMBm (ORCPT <rfc822;ralf@linux-mips.org> + 1 other);
        Fri, 5 Jan 2018 07:01:42 -0500
Received: from www.llwyncelyn.cymru ([82.70.14.225]:50230 "EHLO fuzix.org"
        rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
        id S1751785AbeAEMBi (ORCPT <rfc822;linux-kernel@vger.kernel.org>);
        Fri, 5 Jan 2018 07:01:38 -0500
Date: Fri, 5 Jan 2018 12:01:00 +0000
From: Alan Cox <gnomes@lxorguk.ukuu.org.uk>
To: Dave Hansen <dave.hansen@intel.com>
Cc: Andy Lutomirski <luto@kernel.org>,
        Peter Zijlstra <peterz@infradead.org>,
        Tim Chen <tim.c.chen@linux.intel.com>,
        Thomas Gleixner <tglx@linutronix.de>,
        Linus Torvalds <torvalds@linux-foundation.org>,
        Greg KH <gregkh@linuxfoundation.org>,
        Andrea Arcangeli <aarcange@redhat.com>,
        Andi Kleen <ak@linux.intel.com>,
        Arjan Van De Ven <arjan.van.de.ven@intel.com>,
        LKML <linux-kernel@vger.kernel.org>
Subject: Re: [PATCH 3/7] x86/enter: Use IBRS on syscall and interrupts
Message-ID: <20180105120100.73f0b4b7@alans-desktop>
In-Reply-To: <84a6f2f2-d5fe-6b42-0590-33723c1b4960@intel.com>
References: <cover.1515086770.git.tim.c.chen@linux.intel.com>
        <0c525c4c6c817e9c42c7ed583d86dc591a86efde.1515086770.git.tim.c.chen@linux.intel.com>
        <20180104223321.GD32035@hirez.programming.kicks-ass.net>
        <8e382c5a-1d8d-44e6-87f4-176305493a47@intel.com>
        <CALCETrW65xTYcKu4T-5SK3CJ2+FbJq2MbKKCRpskAA5utChsoA@mail.gmail.com>
        <84a6f2f2-d5fe-6b42-0590-33723c1b4960@intel.com>
Organization: Intel Corporation
X-Mailer: Claws Mail 3.15.1-dirty (GTK+ 2.24.31; x86_64-redhat-linux-gnu)
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: linux-kernel-owner@vger.kernel.org
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>

On Thu, 4 Jan 2018 21:11:23 -0800
Dave Hansen <dave.hansen@intel.com> wrote:

> On 01/04/2018 08:51 PM, Andy Lutomirski wrote:
> > Do we need an arch_prctl() to enable IBRS for user mode?  
> 
> Eventually, once the dust settles.  I think there's a spectrum of
> paranoia here, that is roughly (with increasing paranoia):
> 
> 1. do nothing
> 2. do retpoline
> 3. do IBRS in kernel
> 4. do IBRS always
> 
> I think you're asking for ~3.5.

And we'll actually end up with cgroups needing to handle this and a prctl
because the answer is simply not a systemwide single constant. To start
with if my code has CAP_SYS_RAWIO who gives a **** about IBRS protecting
it.

Likewise on many real world systems I trust my base OS (or I might as
well turn off the power) I sort of trust my apps, and I deeply distrust
my web browser which itself probably wants to turn some of the
protections on for crap like javascript and webassembly.

If I'm running containers well my desktop is probably #2 and my container
#3 or #4

There's no point getting hung up about a single magic default number,
because that's not how it's going to end up.

Alan