Received: by 10.223.148.5 with SMTP id 5csp7922497wrq; Thu, 18 Jan 2018 11:09:28 -0800 (PST) X-Google-Smtp-Source: ACJfBos9aDn7c6c73mNhJzxepdxSdCAP1O5HW5PXMHCh0uedn/7FIAD829Baa+sRhABr1KQJGQUK X-Received: by 2002:a17:902:148:: with SMTP id 66-v6mr276068plb.128.1516302568236; Thu, 18 Jan 2018 11:09:28 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1516302568; cv=none; d=google.com; s=arc-20160816; b=pGSHPxT5MSCTMgSrAohK5BY04aT48s96dXPdN175jZnZ1dysnSaNnMO3QEc1R6QzsM juS4ZbTKYIKQLPuQHHWU6gTuopfhHMCL92pQi9aAuOirLTRaUZIEVlZ+EXORk9jpByxf BfClG6ZnQHTQD7aKR2kssdRvOUSNkI3fuHVO+4Oqx4AU/1ojXwRX73/FOEaphqMKhEGJ Zm0MCBwLbGnftwXL3cnbtVI6qo+2MT2hxn/3RwU+sVxNDBYujzk7svwAWxwtLhAhg5X+ JyeqKDNak4kyTU0t0sN2lpu7EhPYSsVzjzsI+W5e/AqcfWnA1jGZslrgbGc04upSndKb HAbA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:user-agent:in-reply-to :content-disposition:mime-version:references:message-id:subject:cc :to:from:date:arc-authentication-results; bh=LAHzu4RT45cMLJ5vmAmmxiEH/HPN+VAbsgaU7JoJY2M=; b=oJgE9t8wUY9eFclDo1qcVW/Vx+PWIb5mOaCdt7BEznpFPqXFsL0mFsJ49roEJcRVsm FXWm6Sn7wBYsLwMUqJOFvy0SwE+cN7sx4XRRVLAoxgURAAjR51Hk66FgQA48u9ogs3zo qu171wMfj2kfoOxPAp5alavMqcOCsNWq9P1zqOAiYg72OPy1QyiwEe+HHuUA+dvk6z5M Vaj1ySKMNH2NAYO4hqK+KQKlgq8pzVEpF+Oe0SM8F3uPcMtauFB/KW+TixKhICuKaLO/ 65qAQZwO24kBplHzfUTw0dPyUDyhnu2sUlKMngLaf6fVVjB6XeRFP6HQDMfrQLM87d1J UUNQ== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=redhat.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id 31-v6si129415plj.417.2018.01.18.11.09.12; Thu, 18 Jan 2018 11:09:28 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=redhat.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1755606AbeARTIr (ORCPT + 99 others); Thu, 18 Jan 2018 14:08:47 -0500 Received: from mx1.redhat.com ([209.132.183.28]:40498 "EHLO mx1.redhat.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1752368AbeARTIq (ORCPT ); Thu, 18 Jan 2018 14:08:46 -0500 Received: from smtp.corp.redhat.com (int-mx04.intmail.prod.int.phx2.redhat.com [10.5.11.14]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx1.redhat.com (Postfix) with ESMTPS id F32487E42A; Thu, 18 Jan 2018 19:08:45 +0000 (UTC) Received: from mail.random (ovpn-116-144.ams2.redhat.com [10.36.116.144]) by smtp.corp.redhat.com (Postfix) with ESMTPS id F392B17C65; Thu, 18 Jan 2018 19:08:43 +0000 (UTC) Date: Thu, 18 Jan 2018 20:08:42 +0100 From: Andrea Arcangeli To: Josh Poimboeuf Cc: Paolo Bonzini , Dave Hansen , Peter Zijlstra , David Woodhouse , Thomas Gleixner , linux-kernel@vger.kernel.org, Ashok Raj , Tim Chen , Andy Lutomirski , Linus Torvalds , Greg KH , Andi Kleen , Arjan Van De Ven , Dan Williams , Jun Nakajima , Asit Mallick , Jason Baron Subject: Re: [PATCH 23/35] x86/speculation: Add basic speculation control code Message-ID: <20180118190842.GA14136@redhat.com> References: <20180118134800.711245485@infradead.org> <20180118140152.830682032@infradead.org> <20180118163745.t5nmwdr53wjsl7o5@treble> <73a5735a-6a5b-0e0f-1f0b-e7cd955880d2@intel.com> <20180118182431.xvmk6kzxpzu43b43@treble> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20180118182431.xvmk6kzxpzu43b43@treble> User-Agent: Mutt/1.9.2 (2017-12-15) X-Scanned-By: MIMEDefang 2.79 on 10.5.11.14 X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.27]); Thu, 18 Jan 2018 19:08:46 +0000 (UTC) Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Thu, Jan 18, 2018 at 12:24:31PM -0600, Josh Poimboeuf wrote: > On Thu, Jan 18, 2018 at 06:12:36PM +0100, Paolo Bonzini wrote: > > On 18/01/2018 18:08, Dave Hansen wrote: > > > On 01/18/2018 08:37 AM, Josh Poimboeuf wrote: > > >>> > > >>> --- a/Documentation/admin-guide/kernel-parameters.txt > > >>> +++ b/Documentation/admin-guide/kernel-parameters.txt > > >>> @@ -3932,6 +3932,7 @@ > > >>> retpoline - replace indirect branches > > >>> retpoline,generic - google's original retpoline > > >>> retpoline,amd - AMD-specific minimal thunk > > >>> + ibrs - Intel: Indirect Branch Restricted Speculation > > >> Are there plans to add spectre_v2=ibrs_always to prevent SMT-based > > >> attacks? > > > > > > What does "ibrs_always" mean to you? > > Maybe ibrs_always isn't the best name. Basically we need an option to > protect user-user attacks via SMT. > > It could be implemented with IBRS=1, or STIBP, or as part of the > mythical IBRS_ATT. User stibp or user ibrs would be different things, both would be valid for different use cases, and the user stibp should perform better. Leaving ibrs on when returning from kernel to userland (or setting ibrs if kernel used retpolines instead of ibrs) achieves stronger semantics than just setting SPEC_CTRL with stibp when returning to userland. That is true no matter if kernel is using retpolines or ibrs. IBRS is semantically equivalent to "STIBP; IBPB", so user_ibrs is always inclusive of user_stibp. Said that the CPU should better achieve such semantics without really internally issuing an IBPB of course, but you can think at the current IBRS as "STIBP; IBPB". That IBPB immediately after the STIBP makes a difference to the non HT attacks possible on host userland. user_smt wouldn't solve all cases that user_ibrs solves, but it'd be ideal if critical user apps are built with retpolines and the only concern left is a HT/SMT attack on those only need to care about HT/SMT. To begin with, user_ibrs would be more important than user_stibp. On a side note: stibp isn't always available, it requires a new cpuid check on bit 27 too, you can still write to it but it won't #gp, on some CPUs it's simply implicit and you can write to it, but it's a noop. I haven't figured exactly to differentiate when it's disabled or implicitly enabled when not enumerated in cpuid.