Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1754291AbeAGRpc (ORCPT + 1 other); Sun, 7 Jan 2018 12:45:32 -0500 Received: from wtarreau.pck.nerim.net ([62.212.114.60]:38716 "EHLO 1wt.eu" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1754204AbeAGRpa (ORCPT ); Sun, 7 Jan 2018 12:45:30 -0500 Date: Sun, 7 Jan 2018 18:44:51 +0100 From: Willy Tarreau To: Borislav Petkov Cc: Dave Hansen , Thomas Gleixner , Jon Masters , "Woodhouse, David" , Paolo Bonzini , Alan Cox , Linus Torvalds , Andi Kleen , Greg Kroah-Hartman , Tim Chen , Linux Kernel Mailing List , Jeff Law , Nick Clifton Subject: Re: Avoid speculative indirect calls in kernel Message-ID: <20180107174451.GD9772@1wt.eu> References: <20180104015920.1ad7b9d3@alans-desktop> <1515054014.12987.75.camel@amazon.co.uk> <403e65be-cfd1-fd08-0401-2e26470b63d4@redhat.com> <4dde456c-fd15-e768-8876-5844c8b7c455@redhat.com> <20180105064946.GA4007@1wt.eu> <44f1b753-47d3-82e3-9401-256b4beadd4f@intel.com> <20180105071333.GA4029@1wt.eu> <20180107141410.d6xd573s436ma5kz@pd.tnic> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20180107141410.d6xd573s436ma5kz@pd.tnic> User-Agent: Mutt/1.6.1 (2016-04-27) Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Return-Path: On Sun, Jan 07, 2018 at 03:14:10PM +0100, Borislav Petkov wrote: > On Fri, Jan 05, 2018 at 08:13:33AM +0100, Willy Tarreau wrote: > > I'm not fond of running the mitigations, but given that a few sysops can > > connect to the machine to collect stats or counters, I think it would be > > better to ensure these people can't happily play with the exploits to > > dump stuff they shouldn't have access to. > > So if someone exploits the "trusted" process, and then dumps all memory, > you have practically lost. Exactly, but there's much more to gain by owning this process anyway in certain cases than just dumping a few hundreds of kernel bytes. That's where I consider that "trusted" is more "critical" than "safe" : if it dies, we all die anyway. Just like you have to trust your plane's pilot eventhough you don't know him personally. Willy