Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1754578AbeAGT1c (ORCPT + 1 other); Sun, 7 Jan 2018 14:27:32 -0500 Received: from mail.skyhub.de ([5.9.137.197]:38778 "EHLO mail.skyhub.de" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1754372AbeAGT1a (ORCPT ); Sun, 7 Jan 2018 14:27:30 -0500 Date: Sun, 7 Jan 2018 20:27:21 +0100 From: Borislav Petkov To: Tim Chen Cc: Thomas Gleixner , Andy Lutomirski , Linus Torvalds , Greg KH , Dave Hansen , Andrea Arcangeli , Andi Kleen , Arjan Van De Ven , David Woodhouse , linux-kernel@vger.kernel.org Subject: Re: [PATCH v2 3/8] x86/enter: Use IBRS on syscall and interrupts Message-ID: <20180107192721.tyefgor22426vvfm@pd.tnic> References: <9ab6ab7aae8c24985e93fda3fcdafea64160298d.1515204614.git.tim.c.chen@linux.intel.com> MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Disposition: inline In-Reply-To: <9ab6ab7aae8c24985e93fda3fcdafea64160298d.1515204614.git.tim.c.chen@linux.intel.com> User-Agent: NeoMutt/20170609 (1.8.3) Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Return-Path: On Fri, Jan 05, 2018 at 06:12:18PM -0800, Tim Chen wrote: > From: Andrea Arcangeli > > Set IBRS upon kernel entrance via syscall and interrupts. Clear it > upon exit. IBRS protects against unsafe indirect branching predictions > in the kernel. > > The NMI interrupt save/restore of IBRS state was based on Andrea > Arcangeli's implementation. > Here's an explanation by Dave Hansen on why we save IBRS state for NMI. > > The normal interrupt code uses the 'error_entry' path which uses the > Code Segment (CS) of the instruction that was interrupted to tell > whether it interrupted the kernel or userspace and thus has to switch > IBRS, or leave it alone. > > The NMI code is different. It uses 'paranoid_entry' because it can > interrupt the kernel while it is running with a userspace IBRS (and %GS > and CR3) value, but has a kernel CS. If we used the same approach as > the normal interrupt code, we might do the following; > > SYSENTER_entry > <-------------- NMI HERE > IBRS=1 > do_something() > IBRS=0 > SYSRET > > The NMI code might notice that we are running in the kernel and decide > that it is OK to skip the IBRS=1. This would leave it running > unprotected with IBRS=0, which is bad. > > However, if we unconditionally set IBRS=1, in the NMI, we might get the > following case: > > SYSENTER_entry > IBRS=1 > do_something() > IBRS=0 > <-------------- NMI HERE (set IBRS=1) > SYSRET > > and we would return to userspace with IBRS=1. Userspace would run > slowly until we entered and exited the kernel again. > > Instead of those two approaches, we chose a third one where we simply > save the IBRS value in a scratch register (%r13) and then restore that > value, verbatim. That's one helluva commit message. This is how you write commit messages! > Signed-off-by: Andrea Arcangeli > Signed-off-by: Tim Chen > --- > arch/x86/entry/entry_64.S | 23 +++++++++++++++++++++++ > arch/x86/entry/entry_64_compat.S | 8 ++++++++ > 2 files changed, 31 insertions(+) Reviewed-by: Borislav Petkov -- Regards/Gruss, Boris. Good mailing practices for 400: avoid top-posting and trim the reply.