Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S933412AbeAOKD0 (ORCPT <rfc822;ralf@linux-mips.org> + 1 other);
        Mon, 15 Jan 2018 05:03:26 -0500
Received: from Galois.linutronix.de ([146.0.238.70]:39437 "EHLO
        Galois.linutronix.de" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S933367AbeAOKDY (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Mon, 15 Jan 2018 05:03:24 -0500
Date: Mon, 15 Jan 2018 11:03:08 +0100 (CET)
From: Thomas Gleixner <tglx@linutronix.de>
To: Jon Masters <jcm@jonmasters.org>
cc: Henrique de Moraes Holschuh <hmh@hmh.eng.br>,
        Andi Kleen <andi@firstfloor.org>,
        David Woodhouse <dwmw2@infradead.org>, x86@kernel.org,
        linux-kernel@vger.kernel.org, pjt@google.com,
        torvalds@linux-foundation.org, gregkh@linux-foundation.org,
        peterz@infradead.org, luto@amacapital.net, thomas.lendacky@amd.com,
        arjan.van.de.ven@intel.com
Subject: Re: Improve retpoline for Skylake
In-Reply-To: <985f979e-0740-5d8a-d6b8-b023105aa021@jonmasters.org>
Message-ID: <alpine.DEB.2.20.1801151059210.1810@nanos>
References: <20180112184550.6573-1-andi@firstfloor.org> <1515784373.22302.492.camel@infradead.org> <20180112192126.su2evwfefdfeaa6g@two.firstfloor.org> <20180112220349.7dorb3lde4tffsjm@khazad-dum.debian.net>
 <985f979e-0740-5d8a-d6b8-b023105aa021@jonmasters.org>
User-Agent: Alpine 2.20 (DEB 67 2015-01-07)
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Sender: linux-kernel-owner@vger.kernel.org
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>

On Mon, 15 Jan 2018, Jon Masters wrote:
> On 01/12/2018 05:03 PM, Henrique de Moraes Holschuh wrote:
> > On Fri, 12 Jan 2018, Andi Kleen wrote:
> >>> Skylake still loses if it takes an SMI, right? 
> >>
> >> SMMs are usually rare, especially on servers, and are usually
> >> not very predictible, and even if you have
> > 
> > FWIW, a data point: SMIs can be generated on demand by userspace on
> > thinkpad laptops, but they will be triggered from within a kernel
> > context.  I very much doubt this is a rare pattern...
> 
> Sure. Just touch some "legacy" hardware that the vendor emulates in a
> nasty SMI handler. It's definitely not acceptable to assume that SMIs
> can't be generated under the control of some malicious user code.

We all know that there are holes, but can we finally sit down and do a
proper analysis whether they are practically exploitable or not.

A laptop is single user, i.e. the most likely attack vector is java
script. So please elaborate how you abuse that from JS.

If the laptop is compromised in a way that malicious code is executed on it
outside JS, then the SMI hole is the least of your worries, really.

> Our numbers on Skylake weren't bad, and there seem to be all kinds of
> corner cases, so again, it seems as if IBRS is the safest choice.

Talk is cheap. Show numbers comparing the full retpoline/RBS mitigation
compared to IBRS.

Thanks,

	tglx