Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1756106AbeAHJaB (ORCPT + 1 other); Mon, 8 Jan 2018 04:30:01 -0500 Received: from wtarreau.pck.nerim.net ([62.212.114.60]:38849 "EHLO 1wt.eu" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1755900AbeAHJaA (ORCPT ); Mon, 8 Jan 2018 04:30:00 -0500 Date: Mon, 8 Jan 2018 10:29:23 +0100 From: Willy Tarreau To: Thomas Gleixner Cc: Borislav Petkov , Dave Hansen , Jon Masters , "Woodhouse, David" , Paolo Bonzini , Alan Cox , Linus Torvalds , Andi Kleen , Greg Kroah-Hartman , Tim Chen , Linux Kernel Mailing List , Jeff Law , Nick Clifton Subject: Re: Avoid speculative indirect calls in kernel Message-ID: <20180108092923.GC10621@1wt.eu> References: <4dde456c-fd15-e768-8876-5844c8b7c455@redhat.com> <20180105064946.GA4007@1wt.eu> <44f1b753-47d3-82e3-9401-256b4beadd4f@intel.com> <20180105071333.GA4029@1wt.eu> <20180107141410.d6xd573s436ma5kz@pd.tnic> <20180107174451.GD9772@1wt.eu> <20180107185511.3r73spn4ylxgmd4u@pd.tnic> <20180107221038.GB9996@1wt.eu> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: User-Agent: Mutt/1.6.1 (2016-04-27) Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Return-Path: Hi Thomas, On Mon, Jan 08, 2018 at 10:18:09AM +0100, Thomas Gleixner wrote: > On Sun, 7 Jan 2018, Willy Tarreau wrote: > > On Sun, Jan 07, 2018 at 07:55:11PM +0100, Borislav Petkov wrote: > > > > Just like you have to trust your plane's pilot eventhough you don't > > > > know him personally. > > > > > > Funny you should make that analogy. Remember that germanwings pilot? > > > People trusted him too. > > > > > > Now imagine if the plane had protection against insane pilots... some of > > > those people might still be alive, who knows... > > > > Sure but despite this case many people continue to take the plane because > > it's their only option to cross half of the world in a reasonable time. > > > > Boris, I'm *not* contesting the performance resulting from the fixes, > > and I would never have been able to produce them myself had I to, so > > I'm really glad we have them. I just want to be clear that the big drop > > some of us are facing is not an option *at all* for certain processes > > in certain environments and that we'll either continue to run with > > pti=off or with pti=on + a finer grained setting ASAP. > > No argument about that. We've looked into per process PTI very early and > decided not to go that route because of the time pressure and the risk. I'm > glad that we managed to pull it off at all without breaking the world > completely. It's surely doable and we all know that it has to be done, just > not right now as we have to fast track at least the basic protections for > the other two attack vectors. I know that most people with the skills to do it are very busy, which is why I started to take a look at it, not being involved at all in this and having interest in seeing it done. For me the road is long, progressively discovering asid/pcid etc in the code, you can guess I won't come up with something testable any time soon ;-) My idea would be to use a privileged prctl() call to set a new TIF_NOPTI on the task and to see where to check for this to avoid switching to the user-only PGD when returning to userspace. I have no idea if this is doable at all nor if this would be sufficient (I hope so) but reading the code to try to figure whether it makes sense cannot hurt. > You can be sure, that all people involved hate it more than you do. I'm definitely convinced about this, we're all proud to save one CPU cycle here and there from time to time and having to suddenly flush TLBs and throw hundreds or thousands of cycles at once down the drain must be a very hard decision to take. And by the way I don't hate what was done because there's a config option and I still have the choice. Other OS users probably don't even have this choice, so thanks to all involved for this! Willy