Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S932986AbeALDj4 (ORCPT + 1 other); Thu, 11 Jan 2018 22:39:56 -0500 Received: from mail-ot0-f193.google.com ([74.125.82.193]:35448 "EHLO mail-ot0-f193.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S932806AbeALDjy (ORCPT ); Thu, 11 Jan 2018 22:39:54 -0500 X-Google-Smtp-Source: ACJfBoub3ahtJro8zhIAlap7h596I8ldW2h56AoP3D5PY2HOD2+/zeQ97dYSW9Z/R8WIrrBE1NPxtR9atptA+Uulbcs= MIME-Version: 1.0 In-Reply-To: <87efmv4xr2.fsf@xmission.com> References: <151571798296.27429.7166552848688034184.stgit@dwillia2-desk3.amr.corp.intel.com> <151571800589.27429.13615996439124092232.stgit@dwillia2-desk3.amr.corp.intel.com> <87efmv4xr2.fsf@xmission.com> From: Dan Williams Date: Thu, 11 Jan 2018 19:39:52 -0800 Message-ID: Subject: Re: [PATCH v2 04/19] x86: implement ifence() To: "Eric W. Biederman" Cc: Linux Kernel Mailing List , Mark Rutland , Tom Lendacky , linux-arch@vger.kernel.org, Greg KH , Peter Zijlstra , Alan Cox , X86 ML , Ingo Molnar , "H. Peter Anvin" , kernel-hardening@lists.openwall.com, Thomas Gleixner , Linus Torvalds , Andrew Morton , Elena Reshetova , Alan Cox Content-Type: text/plain; charset="UTF-8" Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Return-Path: On Thu, Jan 11, 2018 at 6:27 PM, Eric W. Biederman wrote: > > Dan Williams writes: > > > The new barrier, 'ifence', ensures that no instructions past the > > boundary are speculatively executed. > > This needs a much better description. > > If that description was valid we could add ifence in the syscall > entry path and not have any speculative execution to worry about in the > kernel. True, I'll fix that up. > > Perhaps: > 'ifence', ensures that no speculative execution that reaches the 'ifence' > boundary continues past the 'ifence' boundary. > > > Previously the kernel only needed this fence in 'rdtsc_ordered', but it > > can also be used as a mitigation against Spectre variant1 attacks that > > speculative access memory past an array bounds check. > > > > 'ifence', via 'ifence_array_ptr', is an opt-in fallback to the default > > mitigation provided by '__array_ptr'. It is also proposed for blocking > > speculation in the 'get_user' path to bypass 'access_ok' checks. For > > now, just provide the common definition for later patches to build > > upon. > > This part of the description is probably unnecessary. Probably, but having some redundant information in the changelog eases 'git blame' archaeology expeditions in the future. > > Eric > > > > > Suggested-by: Peter Zijlstra > > Suggested-by: Alan Cox > > Cc: Tom Lendacky > > Cc: Mark Rutland > > Cc: Greg KH > > Cc: Thomas Gleixner > > Cc: Ingo Molnar > > Cc: "H. Peter Anvin" > > Cc: x86@kernel.org > > Signed-off-by: Elena Reshetova > > Signed-off-by: Dan Williams > > --- > > arch/x86/include/asm/barrier.h | 4 ++++ > > arch/x86/include/asm/msr.h | 3 +-- > > 2 files changed, 5 insertions(+), 2 deletions(-) > > > > diff --git a/arch/x86/include/asm/barrier.h b/arch/x86/include/asm/barrier.h > > index 7fb336210e1b..b04f572d6d97 100644 > > --- a/arch/x86/include/asm/barrier.h > > +++ b/arch/x86/include/asm/barrier.h > > @@ -24,6 +24,10 @@ > > #define wmb() asm volatile("sfence" ::: "memory") > > #endif > > > > +/* prevent speculative execution past this barrier */ > > +#define ifence() alternative_2("", "mfence", X86_FEATURE_MFENCE_RDTSC, \ > > + "lfence", X86_FEATURE_LFENCE_RDTSC) > > + > > #ifdef CONFIG_X86_PPRO_FENCE > > #define dma_rmb() rmb() > > #else > > diff --git a/arch/x86/include/asm/msr.h b/arch/x86/include/asm/msr.h > > index 07962f5f6fba..e426d2a33ff3 100644 > > --- a/arch/x86/include/asm/msr.h > > +++ b/arch/x86/include/asm/msr.h > > @@ -214,8 +214,7 @@ static __always_inline unsigned long long rdtsc_ordered(void) > > * that some other imaginary CPU is updating continuously with a > > * time stamp. > > */ > > - alternative_2("", "mfence", X86_FEATURE_MFENCE_RDTSC, > > - "lfence", X86_FEATURE_LFENCE_RDTSC); > > + ifence(); > > return rdtsc(); > > } > >