Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1754817AbeAGWOW (ORCPT + 1 other); Sun, 7 Jan 2018 17:14:22 -0500 Received: from wtarreau.pck.nerim.net ([62.212.114.60]:38764 "EHLO 1wt.eu" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1754713AbeAGWOV (ORCPT ); Sun, 7 Jan 2018 17:14:21 -0500 Date: Sun, 7 Jan 2018 23:10:38 +0100 From: Willy Tarreau To: Borislav Petkov Cc: Dave Hansen , Thomas Gleixner , Jon Masters , "Woodhouse, David" , Paolo Bonzini , Alan Cox , Linus Torvalds , Andi Kleen , Greg Kroah-Hartman , Tim Chen , Linux Kernel Mailing List , Jeff Law , Nick Clifton Subject: Re: Avoid speculative indirect calls in kernel Message-ID: <20180107221038.GB9996@1wt.eu> References: <1515054014.12987.75.camel@amazon.co.uk> <403e65be-cfd1-fd08-0401-2e26470b63d4@redhat.com> <4dde456c-fd15-e768-8876-5844c8b7c455@redhat.com> <20180105064946.GA4007@1wt.eu> <44f1b753-47d3-82e3-9401-256b4beadd4f@intel.com> <20180105071333.GA4029@1wt.eu> <20180107141410.d6xd573s436ma5kz@pd.tnic> <20180107174451.GD9772@1wt.eu> <20180107185511.3r73spn4ylxgmd4u@pd.tnic> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20180107185511.3r73spn4ylxgmd4u@pd.tnic> User-Agent: Mutt/1.6.1 (2016-04-27) Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Return-Path: On Sun, Jan 07, 2018 at 07:55:11PM +0100, Borislav Petkov wrote: > > Just like you have to trust your plane's pilot eventhough you don't > > know him personally. > > Funny you should make that analogy. Remember that germanwings pilot? > People trusted him too. > > Now imagine if the plane had protection against insane pilots... some of > those people might still be alive, who knows... Sure but despite this case many people continue to take the plane because it's their only option to cross half of the world in a reasonable time. Boris, I'm *not* contesting the performance resulting from the fixes, and I would never have been able to produce them myself had I to, so I'm really glad we have them. I just want to be clear that the big drop some of us are facing is not an option *at all* for certain processes in certain environments and that we'll either continue to run with pti=off or with pti=on + a finer grained setting ASAP. I mean, the kernel is not the only sensitive part in a system (and sometimes it's even not at all). A kernel + a userland processes deliver a service, each in it role. Breaking one or the other can be similar or sometimes the trouble can be worse for one than the other. But for some situations, the good work condition of the combination of the two is critical, and even a kernel compromission could be a detail compared to the impact of something crashing at full load. Sometimes a userspace compromission would already be critical enough that the risk is not higher by accepting to take it for the kernel as well. In my specific case, on LB appliances, I don't really care what happens once haproxy has already been compromised, it's too late. End of the game, all sensitive information are already disclosed at this point. What I'd rather avoid however is the occasional sysop who has an account on the machine to retrieve some stats once in a while that would suddenly be able to get more than these stats. That's where I draw the line for *this* use case. Plenty of others will have plenty of other perception and that's fine. Cheers, Willy