Date: Thu, 18 Jan 2018 15:28:20 -0800
From: Jayachandran C
To: Jon Masters
Cc: Will Deacon, marc.zyngier@arm.com, linux-arm-kernel@lists.infradead.org, lorenzo.pieralisi@arm.com, ard.biesheuvel@linaro.org, catalin.marinas@arm.com, linux-kernel@vger.kernel.org, labbott@redhat.com, christoffer.dall@linaro.org
Subject: Re: [PATCH v2] arm64: Branch predictor hardening for Cavium ThunderX2
Message-ID: <20180118232816.GA93910@jc-sabre>

Hi Jon,

On Thu, Jan 18, 2018 at 01:27:15PM -0500, Jon Masters wrote:
> On 01/18/2018 12:56 PM, Jayachandran C wrote:
> > On Thu, Jan 18, 2018 at 01:53:55PM +0000, Will Deacon wrote:
> >> Hi JC,
> >>
> >> On Tue, Jan 16, 2018 at 03:45:54PM -0800, Jayachandran C wrote:
> >>> On Tue, Jan 16, 2018 at 04:52:53PM -0500, Jon Masters wrote:
> >>>> On 01/09/2018 07:47 AM, Jayachandran C wrote:
> >>>>
> >>>>> Use PSCI based mitigation for speculative execution attacks targeting
> >>>>> the branch predictor. The approach is similar to the one used for
> >>>>> Cortex-A CPUs, but in case of ThunderX2 we add another SMC call to
> >>>>> test if the firmware supports the capability.
> >>>>>
> >>>>> If the secure firmware has been updated with the mitigation code to
> >>>>> invalidate the branch target buffer, we use the PSCI version call to
> >>>>> invoke it.
> >>>>
> >>>> What's the status of this patch currently? Previously you had suggested
> >>>> to hold while the SMC got standardized, but then you seemed happy with
> >>>> pulling in. What's the latest?
> >>>
> >>> My understanding is that the SMC standardization is being worked on
> >>> but will take more time, and the KPTI current patchset will go to
> >>> mainline before that.
> >>>
> >>> Given that, I would expect arm64 maintainers to pick up this patch for
> >>> ThunderX2, but I have not seen any comments so far.
> >>>
> >>> Will/Marc, please let me know if you are planning to pick this patch
> >>> into the KPTI tree.
> >>
> >> Are you really sure you want us to apply this? If we do, then you can't run
> >> KVM guests anymore because your IMPDEF SMC results in an UNDEF being
> >> injected (crash below).
> >>
> >> I really think that you should just hook up the enable_psci_bp_hardening
> >> callback like we've done for the Cortex CPUs. We can optimise this later
> >> once the SMC standardisation work has been completed (which is nearly final
> >> now and works in a backwards-compatible manner).
> >
> > I think Marc's patch here:
> > https://git.kernel.org/pub/scm/linux/kernel/git/maz/arm-platforms.git/commit/?h=kvm-arm64/kpti&id=d35e77fae4b70331310c3bc1796bb43b93f9a85e
> > handles returning for undefined smc calls in guest.
> >
> > I think in this case we have to choose between crashing or giving a false
> > sense of security when a guest compiled with HARDEN_BRANCH_PREDICTOR is
> > booted on a hypervisor that does not support hardening. Crashing may be
> > a reasonable option.
>
> Crashing is a completely unreasonable option and is totally
> unacceptable. We never do this in enterprise, period.
>
> It's reasonable to give an output in dmesg that a system isn't hardened,
> but it's not reasonable to crash. On x86, we added a new qemu machine
> type for those guests that would have IBRS exposed, and ask users to
> switch that on explicitly, but even if they boot the new kernels on
> unpatched infrastructure, we'll detect the lack of the branch predictor
> control interface and just log that.
>
> The exact same thing should happen on ARM.

With the current patchset from ARM, there is no way of detecting if the
hypervisor is hardened or not, to provide the warning. The only other
option I have is to call get version blindly and provide a false sense of
security.

Since both options are bad, I don't have a good solution here. If RedHat
has a preference here on what would be better, I can go with that.

JC.