Received: by 10.223.176.46 with SMTP id f43csp160906wra; Thu, 18 Jan 2018 15:28:13 -0800 (PST) X-Google-Smtp-Source: ACJfBou2CH4f2ttQ9ZF6dLB6ZDGE7jEZrvx3IGrrgxobvhf6t0dRFvMpe74bTCs+nV8fr6JtdQb6 X-Received: by 10.99.97.87 with SMTP id v84mr3417771pgb.342.1516318093872; Thu, 18 Jan 2018 15:28:13 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1516318093; cv=none; d=google.com; s=arc-20160816; b=PQM1XfIRp0itklGqfZbalhy57qiNXbpXpGOrqaAqKx3NAHpfjq/HAuRXpMyoe52EOS wQyJOJqp3PwA8KKAk9HFQ0jhAISDiCZZVdj2ZOG/jOSM8p5CHdA3VutKMcMs1Zz72l0e 7rNzi93Gm6k+jiHRUqmrcOFOesElQIWc1TnKhL9sjvKozsFu/URibw87j2DqMrqc7yC4 g15kE8G5DjNwVoL/R+LZI9cZloslHIHU/dhD0H2N39HNJL774n/StE0Icwv+Bbwc/n0k jk9MAd9S9F02zlVIgPOXPSyN2/sVa9SCqxIDqtxXG6O5Po2YI4VDbWkPvT0ppAfEyKQD FA+Q== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:cc:to:subject:message-id:date:from :references:in-reply-to:mime-version:dmarc-filter :arc-authentication-results; bh=G9a55gSuiJVAyg4GzGex5olJ8syDa7R1wTE5JY3Yxw4=; b=qCwhri55HXoKPzLk4vnkQlshblzsBHWDmiGjjic75o5OCiQekV6MKal+MjIKIFKIgt sxIk9z9/hRM2mVbeIhVv/y5m55uAOLNLiMmqOGesUgz4YRBDuY5a9JxRjcpxGk/2wMvf u0ECXlE6QcMxBPrU+9u4TdqetmksA/kuPYLYfbo6QtM42S2f3miSyl23aScjHTVxodXy AQg/CVpNW+4wlK+xS/14uGoLZ0tfKTGRuCykH55wTL6+q98HXa/VP/tRuhMAvZs92Xd0 X/9bEJJ5ji5DpIz5cJyzEF6G0qv956TKeY4N/JTqT7zC6JiS6arqiFMUsZ5TQ6VmafPD 6mQg== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id h192si7006678pgc.123.2018.01.18.15.28.00; Thu, 18 Jan 2018 15:28:13 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S932647AbeARXZx (ORCPT + 99 others); Thu, 18 Jan 2018 18:25:53 -0500 Received: from mail.kernel.org ([198.145.29.99]:34102 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1753881AbeARXZq (ORCPT ); Thu, 18 Jan 2018 18:25:46 -0500 Received: from mail-io0-f169.google.com (mail-io0-f169.google.com [209.85.223.169]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id 1B84E20C48 for ; Thu, 18 Jan 2018 23:25:46 +0000 (UTC) DMARC-Filter: OpenDMARC Filter v1.3.2 mail.kernel.org 1B84E20C48 Authentication-Results: mail.kernel.org; dmarc=none (p=none dis=none) header.from=kernel.org Authentication-Results: mail.kernel.org; spf=none smtp.mailfrom=luto@kernel.org Received: by mail-io0-f169.google.com with SMTP id f6so273520ioh.8 for ; Thu, 18 Jan 2018 15:25:46 -0800 (PST) X-Gm-Message-State: AKwxyteEuYU9mr2zSm4UHY8QRKYD7DoijybMRLl40v/y85ML56oBC6ml xRfuaRfozSDHjxBFh81xJ4ZMexL1TO4QIwbD7XH2sg== X-Received: by 10.107.7.198 with SMTP id g67mr28538313ioi.271.1516317945558; Thu, 18 Jan 2018 15:25:45 -0800 (PST) MIME-Version: 1.0 Received: by 10.2.152.114 with HTTP; Thu, 18 Jan 2018 15:25:25 -0800 (PST) In-Reply-To: <20180118190842.GA14136@redhat.com> References: <20180118134800.711245485@infradead.org> <20180118140152.830682032@infradead.org> <20180118163745.t5nmwdr53wjsl7o5@treble> <73a5735a-6a5b-0e0f-1f0b-e7cd955880d2@intel.com> <20180118182431.xvmk6kzxpzu43b43@treble> <20180118190842.GA14136@redhat.com> From: Andy Lutomirski Date: Thu, 18 Jan 2018 15:25:25 -0800 X-Gmail-Original-Message-ID: Message-ID: Subject: Re: [PATCH 23/35] x86/speculation: Add basic speculation control code To: Andrea Arcangeli Cc: Josh Poimboeuf , Paolo Bonzini , Dave Hansen , Peter Zijlstra , David Woodhouse , Thomas Gleixner , LKML , Ashok Raj , Tim Chen , Andy Lutomirski , Linus Torvalds , Greg KH , Andi Kleen , Arjan Van De Ven , Dan Williams , Jun Nakajima , Asit Mallick , Jason Baron Content-Type: text/plain; charset="UTF-8" Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Thu, Jan 18, 2018 at 11:08 AM, Andrea Arcangeli wrote: > On Thu, Jan 18, 2018 at 12:24:31PM -0600, Josh Poimboeuf wrote: >> On Thu, Jan 18, 2018 at 06:12:36PM +0100, Paolo Bonzini wrote: >> > On 18/01/2018 18:08, Dave Hansen wrote: >> > > On 01/18/2018 08:37 AM, Josh Poimboeuf wrote: >> > >>> >> > >>> --- a/Documentation/admin-guide/kernel-parameters.txt >> > >>> +++ b/Documentation/admin-guide/kernel-parameters.txt >> > >>> @@ -3932,6 +3932,7 @@ >> > >>> retpoline - replace indirect branches >> > >>> retpoline,generic - google's original retpoline >> > >>> retpoline,amd - AMD-specific minimal thunk >> > >>> + ibrs - Intel: Indirect Branch Restricted Speculation >> > >> Are there plans to add spectre_v2=ibrs_always to prevent SMT-based >> > >> attacks? >> > > >> > > What does "ibrs_always" mean to you? >> >> Maybe ibrs_always isn't the best name. Basically we need an option to >> protect user-user attacks via SMT. >> >> It could be implemented with IBRS=1, or STIBP, or as part of the >> mythical IBRS_ATT. > > User stibp or user ibrs would be different things, both would be valid > for different use cases, and the user stibp should perform better. > > Leaving ibrs on when returning from kernel to userland (or setting > ibrs if kernel used retpolines instead of ibrs) achieves stronger > semantics than just setting SPEC_CTRL with stibp when returning to > userland. I read the whitepaper that documented the new MSRs a couple days ago and I'm now completely unable to find it. If anyone could send the link, that would be great. From memory, however, the docs were quite clear that setting leaving IBRS set when entering user mode or guest mode does not guarantee any particular protection unless an additional CPUID bit (the name of which I forget) is set, and that current CPUs will *not* get that bit set by microcode update. IOW the protection given is that, if you set IBRS bit zero after entry to kernel mode, you are protected until you re-enter user mode. When you're in user mode, you're not protected. When you return back to kernel mode, you *still* aren't protected no matter what value is in the MSR until you write 1 again. > > That is true no matter if kernel is using retpolines or ibrs. > > IBRS is semantically equivalent to "STIBP; IBPB", so user_ibrs is > always inclusive of user_stibp. Are you quite sure? I had the impression that IBPB was much slower than writing 1 to IBRS and that writing 1 to IBRS has much more limited effects.