From: Linus Torvalds
Date: Sun, 21 Jan 2018 18:11:07 -0800
Subject: Re: [RFC PATCH 00/16] PTI support for x86-32
To: Nadav Amit
Cc: Joerg Roedel, Thomas Gleixner, Ingo Molnar, "H. Peter Anvin", "the arch/x86 maintainers", LKML, "open list:MEMORY MANAGEMENT", Andy Lutomirski, Dave Hansen, Josh Poimboeuf, Juergen Gross, Peter Zijlstra, Borislav Petkov, Jiri Kosina, Boris Ostrovsky, Brian Gerst, David Laight, Denys Vlasenko, Eduardo Valentin, Greg KH, Will Deacon, "Liguori, Anthony", Daniel Gruss, Hugh Dickins, Kees Cook, Andrea Arcangeli, Waiman Long, Joerg Roedel
X-Mailing-List: linux-kernel@vger.kernel.org

On Sun, Jan 21, 2018 at 3:46 PM, Nadav Amit wrote:
> I wanted to see whether segments protection can be a replacement for PTI
> (yes, excluding SMEP emulation), or whether speculative execution “ignores”
> limit checks, similarly to the way paging protection is skipped.
>
> It does seem that segmentation provides sufficient protection from Meltdown.
> The “reliability” test of Gratz PoC fails if the segment limit is set to
> prevent access to the kernel memory. [ It passes if the limit is not set,
> even if the DS is reloaded. ] My test is enclosed below.

Interesting. It might not be entirely reliable for all
microarchitectures, though.

> So my question: wouldn’t it be much more efficient to use segmentation
> protection for x86-32, and allow users to choose whether they want SMEP-like
> protection if needed (and then enable PTI)?

That's what we did long long ago, with user space segments actually
using the limit (in fact, if you go back far enough, the kernel even
used the base).

You'd have to make sure that the LDT loading etc do not allow CPL3
segments with base+limit past TASK_SIZE, so that people can't generate
their own. And the TLS segments also need to be limited (and
remember, the limit has to be TASK_SIZE-base, not just TASK_SIZE).

And we should check with Intel that segment limit checking really is
guaranteed to be done before any access.

Too bad x86-64 got rid of the segments ;)

            Linus
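
The base+limit constraint described in the message above, as an added example that is not part of the original thread and is not kernel code. It assumes a 3G/1G split (TASK_SIZE = 0xC0000000); `struct seg_req`, `seg_within_user` and `max_limit_field` are hypothetical names.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Assumption: 3G/1G split, so user space ends just below 0xC0000000. */
#define TASK_SIZE 0xC0000000u

/* Hypothetical request record (not the kernel's struct user_desc). */
struct seg_req {
    uint32_t base;           /* segment base address */
    uint32_t limit;          /* 20-bit limit field */
    bool     limit_in_pages; /* G bit: limit counts 4 KiB pages */
    bool     expand_down;    /* expand-down data segment */
};

/* Last valid offset of an expand-up segment. */
static uint32_t last_offset(const struct seg_req *r)
{
    uint32_t l = r->limit & 0xFFFFFu;
    return r->limit_in_pages ? (l << 12) | 0xFFFu : l;
}

/* True if the segment cannot address anything at or above TASK_SIZE. */
bool seg_within_user(const struct seg_req *r)
{
    /* Expand-down: the limit is a lower bound, so reject conservatively. */
    if (r->expand_down || r->base >= TASK_SIZE)
        return false;
    /* Bound is TASK_SIZE - base, not TASK_SIZE; cannot overflow here. */
    return last_offset(r) <= TASK_SIZE - r->base - 1;
}

/* Largest limit field that fits below TASK_SIZE, or -1 if none does. */
int64_t max_limit_field(uint32_t base, bool limit_in_pages)
{
    if (base >= TASK_SIZE)
        return -1;
    uint32_t room = TASK_SIZE - base;            /* bytes available */
    if (!limit_in_pages)
        return room - 1 > 0xFFFFFu ? 0xFFFFFu : room - 1;
    return room < 0x1000u ? -1 : (int64_t)(room >> 12) - 1;
}

int main(void)
{
    /* Constructed sample: base 0x1000 with a limit sized for base 0. */
    struct seg_req r = { 0x1000u, 0xBFFFFu, true, false };
    printf("accepted=%d max_limit=0x%llx\n", seg_within_user(&r),
           (long long)max_limit_field(r.base, true));
    return 0;
}
```

The constructed sample is rejected because a limit that is safe for base 0 reaches one page past TASK_SIZE once the base is 0x1000.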