Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1753502AbeAFXFk (ORCPT + 1 other); Sat, 6 Jan 2018 18:05:40 -0500 Received: from www.llwyncelyn.cymru ([82.70.14.225]:56588 "EHLO fuzix.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1752176AbeAFXFi (ORCPT ); Sat, 6 Jan 2018 18:05:38 -0500 Date: Sat, 6 Jan 2018 23:05:07 +0000 From: Alan Cox To: Alexei Starovoitov Cc: Linus Torvalds , Dan Williams , linux-kernel@vger.kernel.org, linux-arch@vger.kernel.org, Andi Kleen , Arnd Bergmann , Greg Kroah-Hartman , Peter Zijlstra , netdev@vger.kernel.org, Ingo Molnar , "H. Peter Anvin" , Thomas Gleixner Subject: Re: [PATCH 06/18] x86, barrier: stop speculation for failed access_ok Message-ID: <20180106230507.3547c9a0@alans-desktop> In-Reply-To: <20180106211729.cp5oet3at3hyce4o@ast-mbp> References: <151520099201.32271.4677179499894422956.stgit@dwillia2-desk3.amr.corp.intel.com> <151520102670.32271.8447983009852138826.stgit@dwillia2-desk3.amr.corp.intel.com> <20180106123242.77f4d860@alans-desktop> <20180106181331.mmrqwwbu2jcjj2si@ast-mbp> <20180106183859.1ad9ae37@alans-desktop> <20180106185134.dzn2en4vw2hj3p6h@ast-mbp> <20180106195551.3207f75d@alans-desktop> <20180106200912.zhzdt4qmfrojeeqe@ast-mbp> <20180106202213.23e553fb@alans-desktop> <20180106211729.cp5oet3at3hyce4o@ast-mbp> Organization: Intel Corporation X-Mailer: Claws Mail 3.15.1-dirty (GTK+ 2.24.31; x86_64-redhat-linux-gnu) MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Return-Path: > Even if it would be practical the speed probably going to be in bytes per second, > so to read anything meaningful an attack detection techniques (that people > are actively working on) will be able to catch it. > At the end security cannot be absolute. > The current level of paranoia shouldn't force us to make hastily decisions. I think there are at least three overlapping problem spaces here 1. This is a new field. That could mean that it turns out to be really hard and everyone discovers that eBPF was pretty much the only interesting attack. It could also mean we are going to see several years or refinement by evil geniuses all over the world and what we see now is tip of iceberg in cleverness. 2. It is very very complicated to answer a question like "is sequence x safe on all of vendor's microprocessors" even for the vendor 3. A lot of people outside of the professional security space are very new to the concept of security economics and risk management as opposed to seeing the fake binary nice green tick that says their computers are secure that they can pass to their senior management or show to audit. > So how about we do array_access() macro similar to above by default > with extra CONFIG_ to convert it to lfence ? We don't have to decide today. Intel's current position is 'lfence'. Over time we may see vendors provide more sequences. We will see vendors add new instruction hints and the like (See the ARM whitepaper for example) and the array access code will change and change again for the better. The important thing is that there is something clean, all architecture that can be used today that doesn't keep forcing everyone to change drivers when new/better ways to do the speculation management appear. > Why default to AND approach instead of lfence ? > Because the kernel should still be usable. If security > sacrifices performance so much such security will be turned off. > Ex: kpti suppose to add 5-30%. If it means 10% on production workload > and the datacenter capacity cannot grow 10% overnight, kpti will be off. The differences involved on the "lfence" versus "and" versus before are not likely to be anywhere in that order of magnitude. As I said I want to take a hard look at the IPv4/6 ones but most of them are not in places where you'd expect a lot of data to be in flight in a perf critical path. Alan