Received: by 10.223.176.46 with SMTP id f43csp277494wra; Thu, 18 Jan 2018 17:18:34 -0800 (PST) X-Google-Smtp-Source: ACJfBosNS/lMi/43bL31OyqLIWAszC0PbhhTapHxbzcaS5HegyPyVoYF2AZmV7/zaLcKe67mdW7A X-Received: by 10.99.190.76 with SMTP id g12mr24678663pgo.235.1516324713912; Thu, 18 Jan 2018 17:18:33 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1516324713; cv=none; d=google.com; s=arc-20160816; b=OWKtw0+kFeHSKgCXZYPaEsAZnOr9S74/QtoWTlGwDWaUxibctCMZ8aRPrQbyon1jIM vkuZE4NPWBsS9omDZObFtaJWeVlS8JLDoW8bXG4Pbd3UGsdeh3F3GjH4+IVWHce2Hi9T YL4DxlhqgLlU9b56ragC23imKYbpKv/d9KZ+EOE2oeDSW+g5lo5Y5HxFLn4CyrX1jDey XyoUfPbDKotwLcGRAwEbEi7+DzNbu3vzHpwhbqD9gyQYu8ZW59t17ifXbxSKJc2D7zdL oJuaeJIu2RjihNLMRt5OfKjj6hoRdlUyaZ4KdDmY9OAPTP5UlnXcIpOj+x3FCyZKcAvD SAdA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:subject:content-transfer-encoding :in-reply-to:mime-version:user-agent:date:message-id:organization :from:cc:references:to:arc-authentication-results; bh=eLbFlfCQXeqI+xAiFpZq8mUcH1XPG8oGJb1/OavQURI=; b=IY9FD2sI9fuWD5jcIPhnNmttUmZVV2Xz0oWFCukMj3AKtolOLWB8pt1D2yO/i3Bxph jmh5/MebfM/fzRmvOz75GMEBALN597+N6jNjDqE+qJENFO7D1uyTyK/1sY1lKpZEjuF9 OVCyX98rwlXqdwbuQeRrRImK1NZHjXDCaWWxTd//rYFJvoPICRJFBMqDW+1oRBNkpEuf 9H98MEdDoXjE11e2UhMHPPnZlQeCpAtWZIBNiHoY22qrdEftnrORoVOymnM7hiadmXBt pqSC/Q0FeNEBSFaP8fdxdnZjBACx0u0eskOgq0gfcvgRDb6n1W+6P4xgZvaWj7StVWhi VRRg== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id p26si8181030pfh.220.2018.01.18.17.18.19; Thu, 18 Jan 2018 17:18:33 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1755220AbeASBRV (ORCPT + 99 others); Thu, 18 Jan 2018 20:17:21 -0500 Received: from edison.jonmasters.org ([173.255.233.168]:36120 "EHLO edison.jonmasters.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1754090AbeASBRP (ORCPT ); Thu, 18 Jan 2018 20:17:15 -0500 Received: from boston.jonmasters.org ([74.92.29.237] helo=washington.bos.jonmasters.org) by edison.jonmasters.org with esmtpsa (TLS1.0:DHE_RSA_AES_128_CBC_SHA1:16) (Exim 4.71) (envelope-from ) id 1ecLIw-0001Cl-2D; Fri, 19 Jan 2018 01:17:14 +0000 To: Jayachandran C References: <20180108164651.GQ25869@arm.com> <1515502022-7376-1-git-send-email-jnair@caviumnetworks.com> <20180116234554.GA38392@jc-sabre> <20180118135354.GB20783@arm.com> <20180118175615.GF38392@jc-sabre> <20180118232816.GA93910@jc-sabre> Cc: Will Deacon , marc.zyngier@arm.com, linux-arm-kernel@lists.infradead.org, lorenzo.pieralisi@arm.com, ard.biesheuvel@linaro.org, catalin.marinas@arm.com, linux-kernel@vger.kernel.org, labbott@redhat.com, christoffer.dall@linaro.org From: Jon Masters Organization: World Organi{s,z}ation Of Broken Dreams Message-ID: <4317e419-ddb1-b5b8-35a5-0cc227e1d217@jonmasters.org> Date: Thu, 18 Jan 2018 20:17:13 -0500 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Thunderbird/45.0 MIME-Version: 1.0 In-Reply-To: <20180118232816.GA93910@jc-sabre> Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 7bit X-SA-Exim-Connect-IP: 74.92.29.237 X-SA-Exim-Mail-From: jcm@jonmasters.org X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on edison.jonmasters.org X-Spam-Level: X-Spam-Status: No, score=-2.9 required=5.0 tests=ALL_TRUSTED,BAYES_00, T_RP_MATCHES_RCVD autolearn=ham version=3.3.1 Subject: Re: [PATCH v2] arm64: Branch predictor hardening for Cavium ThunderX2 X-SA-Exim-Version: 4.2.1 (built Sun, 08 Nov 2009 07:31:22 +0000) X-SA-Exim-Scanned: Yes (on edison.jonmasters.org) Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Hi JC, Will, On 01/18/2018 06:28 PM, Jayachandran C wrote: > On Thu, Jan 18, 2018 at 01:27:15PM -0500, Jon Masters wrote: >> On 01/18/2018 12:56 PM, Jayachandran C wrote: >>> On Thu, Jan 18, 2018 at 01:53:55PM +0000, Will Deacon wrote: >>> I think in this case we have to choose between crashing or giving a false >>> sense of security when a guest compiled with HARDEN_BRANCH_PREDICTOR is >>> booted on an hypervisor that does not support hardening. Crashing maybe >>> a reasonable option. >> >> Crashing is a completely unreasonable option and is totally >> unacceptable. We never do this in enterprise, period. >> >> It's reasonable to give an output in dmesg that a system isn't hardened, >> but it's not reasonable to crash. On x86, we added a new qemu machine >> type for those guests that would have IBRS exposed, and ask users to >> switch that on explicitly, but even if they boot the new kernels on >> unpatched infrastructure, we'll detect the lack of the branch predictor >> control interface and just log that. >> >> The exact same thing should happen on ARM. > > With the current patchset from ARM, there is no way of detecting if the > hypervisor is hardened or not, to provide the warning. The only other > option I have call get version blindly and provide a false sense of > security. Agreed that (unless) I'm missing something, the current arm patchset doesn't have an enumeration mechanism to see if firmware supports the branch predictor hardening or not. Am I missing something there? On the three other affected arches we're tracking, there's an enumeration mechanism. On x86, there's a new set of CPUID bits. On POWER, there's a new hcall that tells us whether the millicode supports what we need, and on z there's a new facility code we can test for that is also passed into VMs. So we need to have a similar enumeration mechanism on ARM that is passed into guests as well. > Since both options are bad, I don't have a good solution here. If RedHat > has a preference here on what would be better, I can go with that. We need an enumeration mechanism that determines whether the hypervisor is patched. In the absence of that, blindly calling in and hoping that the firmware is updated is better than nothing. I'll look to see if there's a generic upstream solution for enumeration that I've missed (or that can be added, perhaps a new SMC enumeration mechanism). If there isn't a short term fix, we'll work with you guys directly to add something RHEL specific by checking some firmware version somehow. Jon.