Date: Fri, 5 Jan 2018 12:01:00 +0000
From: Alan Cox
To: Dave Hansen
Cc: Andy Lutomirski, Peter Zijlstra, Tim Chen, Thomas Gleixner, Linus Torvalds, Greg KH, Andrea Arcangeli, Andi Kleen, Arjan Van De Ven, LKML
Subject: Re: [PATCH 3/7] x86/enter: Use IBRS on syscall and interrupts
Organization: Intel Corporation

On Thu, 4 Jan 2018 21:11:23 -0800
Dave Hansen wrote:

> On 01/04/2018 08:51 PM, Andy Lutomirski wrote:
> > Do we need an arch_prctl() to enable IBRS for user mode?
>
> Eventually, once the dust settles. I think there's a spectrum of
> paranoia here, that is roughly (with increasing paranoia):
>
> 1. do nothing
> 2. do retpoline
> 3. do IBRS in kernel
> 4. do IBRS always
>
> I think you're asking for ~3.5.

And we'll actually end up with cgroups needing to handle this and a prctl
because the answer is simply not a systemwide single constant.

To start with if my code has CAP_SYS_RAWIO who gives a **** about IBRS
protecting it. Likewise on many real world systems I trust my base OS (or
I might as well turn off the power) I sort of trust my apps, and I deeply
distrust my web browser which itself probably wants to turn some of the
protections on for crap like javascript and webassembly.

If I'm running containers well my desktop is probably #2 and my container
#3 or #4

There's no point getting hung up about a single magic default number,
because that's not how it's going to end up.

Alan