Received: by 10.223.176.46 with SMTP id f43csp445870wra; Thu, 18 Jan 2018 20:14:15 -0800 (PST) X-Google-Smtp-Source: ACJfBotN2akHn8CqgWpJpsprg7HLHHeqSTwwWqpSJP0k2hj4qDT0FuYsgXKzRfYhsHoZBH1Eywwl X-Received: by 10.98.166.195 with SMTP id r64mr37635482pfl.175.1516335255800; Thu, 18 Jan 2018 20:14:15 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1516335255; cv=none; d=google.com; s=arc-20160816; b=GBVW1Q1c0zoiKBAtm2x76HcSM02PGlmxQXI6O32r3qg4nSEYcoDfoLIchiUjq7bQat i4jAviLgKQiKkISQXj3Z0+WnJBp/e24bDB5pp3MDyMLx05a0G1IoYy2u3v6tA3GomZe8 vfSJ0zWCBthV5sylVNNKVtWazerY2rG1aymoOKwRyXzI281vrVRPHiQyMGyxgkDaoMt1 k9a7tC+a3bUuDBS+mn4ksfhVsg+PRiGr7Fx0jc1MfzUvLXf9493OoTALM70MGgh9oyIg OnRd6wWzXjq/d4s9YPLYF/NhMzylURz3I8zgLwSjnt/ZiGdpibhav8kRIeKpeC+brG4X 70Pw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding:cc:to:subject :message-id:date:from:references:in-reply-to:mime-version :dmarc-filter:arc-authentication-results; bh=yU1gix6AOUNjZKp3LtAtuN2ZKUrGVjVKV3RbKvpz83k=; b=DBSqcoh3a8zpouh2pr8gOLD1qnoB7QikqERtejGkk2tVNiCmNvoVRY6mnJHau1DJ1r AjAYAkchOmklLTvhJxXCXoueqtsGISXhHi8jeTioBkeruuSuTGXlimdzlSuhMlOOyOtz 12gvrwVwNOEWPUU9KXRBxW602ZbSYj9PQR5e4VaIubvS9D5lpC7CvfXKMq/wdXrOGPeB WbZGvPIZQB2lg/M4rjg+Dy2MKT09zgih4UEMGIwwnf82UUcNJ7xxGeyuDR0GAdVaxWYs 8p9fbF8c7oqf7aHSr2vGOk9wE318Id9PfjDf+y4VRB+zCegIRfA2qQBFAIsLCvy+/wjX tytQ== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id p14si7588135pgf.480.2018.01.18.20.13.57; Thu, 18 Jan 2018 20:14:15 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1752588AbeASELV convert rfc822-to-8bit (ORCPT + 99 others); Thu, 18 Jan 2018 23:11:21 -0500 Received: from mail.kernel.org ([198.145.29.99]:41514 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1750718AbeASELO (ORCPT ); Thu, 18 Jan 2018 23:11:14 -0500 Received: from mail-io0-f172.google.com (mail-io0-f172.google.com [209.85.223.172]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id 1D02221774 for ; Fri, 19 Jan 2018 04:11:14 +0000 (UTC) DMARC-Filter: OpenDMARC Filter v1.3.2 mail.kernel.org 1D02221774 Authentication-Results: mail.kernel.org; dmarc=none (p=none dis=none) header.from=kernel.org Authentication-Results: mail.kernel.org; spf=none smtp.mailfrom=luto@kernel.org Received: by mail-io0-f172.google.com with SMTP id d11so819967iog.5 for ; Thu, 18 Jan 2018 20:11:14 -0800 (PST) X-Gm-Message-State: AKwxytfSZT5j4Uf85lqXHzWkznCQYIfgZbkwjhTIfOjL0hjHjcoTYtpq I3qXhC3enJMpsKiXFegDMt2z2tOH7Feo94POm2t8OA== X-Received: by 10.107.7.198 with SMTP id g67mr29158350ioi.271.1516335073380; Thu, 18 Jan 2018 20:11:13 -0800 (PST) MIME-Version: 1.0 Received: by 10.2.137.84 with HTTP; Thu, 18 Jan 2018 20:10:52 -0800 (PST) In-Reply-To: <20180119014105.GD14136@redhat.com> References: <20180118134800.711245485@infradead.org> <20180118140152.830682032@infradead.org> <20180118163745.t5nmwdr53wjsl7o5@treble> <73a5735a-6a5b-0e0f-1f0b-e7cd955880d2@intel.com> <20180118182431.xvmk6kzxpzu43b43@treble> <20180118190842.GA14136@redhat.com> <20180119014105.GD14136@redhat.com> From: Andy Lutomirski Date: Thu, 18 Jan 2018 20:10:52 -0800 X-Gmail-Original-Message-ID: Message-ID: Subject: Re: [PATCH 23/35] x86/speculation: Add basic speculation control code To: Andrea Arcangeli Cc: Andy Lutomirski , Josh Poimboeuf , Paolo Bonzini , Dave Hansen , Peter Zijlstra , David Woodhouse , Thomas Gleixner , LKML , Ashok Raj , Tim Chen , Linus Torvalds , Greg KH , Andi Kleen , Arjan Van De Ven , Dan Williams , Jun Nakajima , Asit Mallick , Jason Baron Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: 8BIT Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Thu, Jan 18, 2018 at 5:41 PM, Andrea Arcangeli wrote: > Hello, > > On Thu, Jan 18, 2018 at 03:25:25PM -0800, Andy Lutomirski wrote: >> I read the whitepaper that documented the new MSRs a couple days ago >> and I'm now completely unable to find it. If anyone could send the >> link, that would be great. > > I see Andrew posted a link. > >> From memory, however, the docs were quite clear that setting leaving >> IBRS set when entering user mode or guest mode does not guarantee any >> particular protection unless an additional CPUID bit (the name of >> which I forget) is set, and that current CPUs will *not* get that bit > > My current understanding is that with SPEC_CTRL alone set in cpuid, > IBRS is meaningful, other bits don't matter. > >> set by microcode update. IOW the protection given is that, if you set >> IBRS bit zero after entry to kernel mode, you are protected until you >> re-enter user mode. When you're in user mode, you're not protected. > > If you leave IBRS set while in user mode, userland is protected as > strong as kernel mode. The link that Andrew posted says: If software sets IA32_SPEC_CTRL.IBRS to 1 after a transition to a more privileged predictor mode, predicted targets of indirect branches executed in that predictor mode with IA32_SPEC_CTRL.IBRS = 1 cannot be controlled by software that was executed in a less privileged predictor mode or on another logical processor. ... Enabling IBRS does not prevent software from controlling the predicted targets of indirect branches of unrelated software executed later at the same predictor mode (for example, between two different user applications, or two different virtual machines). Such isolation can be ensured through use of the IBPB command, described in Section 2.5.3, “Indirect Branch Predictor Barrier (IBPB)”. So maybe it's poorly written, but I see nothing in that language that suggests that IBRS=1 (on a CPU without enhanced IBRS) provides any guarantees at all about who can or cannot control speculation of indirect branches in user mode. > > When you return to kernel mode you've to call IBRS again even if it > was left set, because there's a higher-privilege mode change. That's > equivalent to calling only IBPB and leaving STIBP set (only way to > understand the locations where IBRS has to be set is to imagine IBRS > as a strict "STIBP; IBPB"). Then Intel should improve their spec to say so. > IBRS Q/A: > > 1) When to write IBRS in SPEC_CTRL? -> imagine it as "STIBP; IBPB" > > 2) When to leave IBRS set or when to call IBPB -> imagine the previous > setting of IBRS as temporarily disabling indirect branch prediction > without an IBPB implicit in IBRS > > If you think it only like 1) you risk missing some places where you've > to write IBRS even if it was already set. > > If you think it only like 2) you risk clearing it too early or you > risk missing a necessary IBPB. > > It has to be thought simultaneously in both ways. From your description, it sounds like what's actually happening is: When IBRS is enabled, indirect branch speculation targets cannot be controlled by code that executed on a different logical processor on by code that executed prior to the most recent time that IBRS was set to 1. Additionally, if the CPU supports enhanced IBRS, then indirect branch speculation targets cannot be controlled by code that executed at a less privileged predictor mode. Is that actually correct? If so, could Intel please *say* so? Because writing voodoo magic security code seriously sucks. > > The sure thing I get from the specs is IBRS always implies STIBP (even > when STIBP is a noop), specs are pretty explicit about that. Ah, it says: As noted in Section 2.5.1, “Indirect Branch Restricted Speculation (IBRS)”, enabling IBRS prevents software operating on one logical processor from controlling the predicted targets of indirect branches executed on another logical processor. For that reason, it is not necessary to enable STIBP when IBRS is enabled. So I guess we can write 1 when we enter the kernel, but we probably want to write 2 instead of 0 when we exit.