Received: by 10.223.176.46 with SMTP id f43csp2368602wra; Sun, 21 Jan 2018 18:29:07 -0800 (PST) X-Google-Smtp-Source: AH8x227TdIAYRuNicYd/PVCoHJhCytHOSpbLPW0e117stUMUSkeZcKmQrzR7oZmpTNh9nHjRL0vI X-Received: by 10.99.115.67 with SMTP id d3mr6097652pgn.223.1516588147379; Sun, 21 Jan 2018 18:29:07 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1516588147; cv=none; d=google.com; s=arc-20160816; b=kE+CcHTjYJjIzo9dc3rV+uiuouUtdePFbu+Dq2R3hHPjDLd2cVk7Lbje59bIU51F8b V0Foq577SNoZ0au7+rYojLj0aYHkUNpVmWkR8kYLFVOr8Z0M0bF0P89cECjn45LhduJX 7eRwNDVm8KZVzROmt8MTNEgjlzZaYLOYsMQMOphR0+L5cxiALZIJNBhyNSs6AtrOvIez ILriulyApw85/EjTcyB2tQ1feHWYGcCl3r7i2nv7zU3x2smmS9lsS76iPE12t/yjhQqg VooMu10TdAbQ9/o7MargKwHf8pHPGZwo7GiP9+9M8LQAcys3Pvq1dsaAyz2zS4Lip8j8 HgSw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:to:references:message-id :content-transfer-encoding:cc:date:in-reply-to:from:subject :mime-version:dkim-signature:arc-authentication-results; bh=OLl64QM8LbaeGqjnje8L5GVJXImcqDoHhXL5etf7jY4=; b=y8sNyWbvJjRHwevaDk5ewwTXGt90S3A+NZCttaZDkmh8sMcIPnSy7mVtzWQOnNfP9Q hMQd0Q9vkzEvm1Ci8QFFoQn7ZEHaSRvv4BTspveKY/9fHyM5wsDwLyx9rgpfzDs1Qm/0 eaFdBqnxb7AU19JORW430MKtmEqDE45BJ65bEtmZXjzxrJQY3c3xXOz46mV+g+1sTDPA 1+GyfwI2AJR8/hW6D/a+cnaeAAkMSr+GjwI9mI1l9RkYFlCMPtBxxdXErKIANu9/sInD TIFGaoUNJd/sXxGv5TXFloXAly/wFi6Eul2oE/OV5tWhk0X6L3139S8sV4pvGyDGuTBC KJUA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@gmail.com header.s=20161025 header.b=ZDCsAxaK; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=gmail.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id y6si13147599pgs.458.2018.01.21.18.28.43; Sun, 21 Jan 2018 18:29:07 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@gmail.com header.s=20161025 header.b=ZDCsAxaK; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=gmail.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1751128AbeAVC2K (ORCPT + 99 others); Sun, 21 Jan 2018 21:28:10 -0500 Received: from mail-wm0-f52.google.com ([74.125.82.52]:40098 "EHLO mail-wm0-f52.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751076AbeAVC2I (ORCPT ); Sun, 21 Jan 2018 21:28:08 -0500 Received: by mail-wm0-f52.google.com with SMTP id v123so13909309wmd.5 for ; Sun, 21 Jan 2018 18:28:08 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=OLl64QM8LbaeGqjnje8L5GVJXImcqDoHhXL5etf7jY4=; b=ZDCsAxaK247T0aMhrY5tlayweCnrpX0YW23/fmOkzIqk4XkufGcWWzLA8Avi/TIAsR zIjHGpx0tZg6cSglc4PJPfAoDKH6pKbmS2EhPZaBkTMVUEunBYB9gcVant3MBFyoX9OF 8ZSewT35edw9558hQUmDMhRc5CDTpKGp/n5J9sLkPcqngR5AF6yWq0fj+nBUzjWnexah 0FDBcwyF5KL7CWAp0k/IlkqP+wOtaj2YTlHFZ/3wqlvAnlkl8c0zm1g1sipMRoqMhmcU Qq0KjT4VMZCpz65XNcRFL1Poguu507kbW8OnNCXpWR/vGlo9Sw9Avs4Cv+IWbaxIIhKB nTaQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=OLl64QM8LbaeGqjnje8L5GVJXImcqDoHhXL5etf7jY4=; b=Ui/oEMgjeGKHAO4bBAfV/KYf39GJ229KzA114+ezzuu3JrnDdYYLifrDEmy842epIY gykVsg4dU0n8fOfbqRALz8CNaLMVYOlUBQB73Jg8TZRWsSJZhNKURtwxIUhmyfozxqjL kWbfIV6ZiGf4C4/76+0YRXmOStlZHtLuXLai87hM832IoVYn+R5tCpLY4GMVQjuSysH5 Et/eIaEtKlWDO42seUmK6gO+nvQ8GnNH3zrvkPWHXyZomDTuPpIg/cc+qbBIkDn5txAZ ni7TZFmkZ/7cbssxRz/m2TnZY6aaBWzmtfYCB5YaqyVRvsGITd/0BlJJOTTgQ0YBa7NL r/cg== X-Gm-Message-State: AKwxytetIovkMKr4LrjwQYeJJVVdh2ZXwD7qrg30QNksu2zJjUrbtcw8 6wExMHJPwtszbTugoLz9e60= X-Received: by 10.80.195.75 with SMTP id q11mr11124670edb.254.1516588087197; Sun, 21 Jan 2018 18:28:07 -0800 (PST) Received: from [10.2.101.129] ([208.91.2.2]) by smtp.gmail.com with ESMTPSA id d92sm9814735edd.21.2018.01.21.18.28.01 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Sun, 21 Jan 2018 18:28:06 -0800 (PST) Content-Type: text/plain; charset=utf-8 Mime-Version: 1.0 (Mac OS X Mail 10.3 \(3273\)) Subject: Re: [RFC PATCH 00/16] PTI support for x86-32 From: Nadav Amit In-Reply-To: Date: Sun, 21 Jan 2018 18:27:59 -0800 Cc: Joerg Roedel , Thomas Gleixner , Ingo Molnar , "H . Peter Anvin" , the arch/x86 maintainers , LKML , "open list:MEMORY MANAGEMENT" , Andy Lutomirski , Dave Hansen , Josh Poimboeuf , Juergen Gross , Peter Zijlstra , Borislav Petkov , Jiri Kosina , Boris Ostrovsky , Brian Gerst , David Laight , Denys Vlasenko , Eduardo Valentin , Greg KH , Will Deacon , "Liguori, Anthony" , Daniel Gruss , Hugh Dickins , Kees Cook , Andrea Arcangeli , Waiman Long , Joerg Roedel Content-Transfer-Encoding: quoted-printable Message-Id: <8B8147E4-0560-456D-BA23-F0037C80C945@gmail.com> References: <1516120619-1159-1-git-send-email-joro@8bytes.org> <5D89F55C-902A-4464-A64E-7157FF55FAD0@gmail.com> <886C924D-668F-4007-98CA-555DB6279E4F@gmail.com> <9CF1DD34-7C66-4F11-856D-B5E896988E16@gmail.com> To: Linus Torvalds X-Mailer: Apple Mail (2.3273) Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Linus Torvalds wrote: > On Sun, Jan 21, 2018 at 3:46 PM, Nadav Amit = wrote: >> I wanted to see whether segments protection can be a replacement for = PTI >> (yes, excluding SMEP emulation), or whether speculative execution = =E2=80=9Cignores=E2=80=9D >> limit checks, similarly to the way paging protection is skipped. >>=20 >> It does seem that segmentation provides sufficient protection from = Meltdown. >> The =E2=80=9Creliability=E2=80=9D test of Gratz PoC fails if the = segment limit is set to >> prevent access to the kernel memory. [ It passes if the limit is not = set, >> even if the DS is reloaded. ] My test is enclosed below. >=20 > Interesting. It might not be entirely reliable for all > microarchitectures, though. >=20 >> So my question: wouldn=E2=80=99t it be much more efficient to use = segmentation >> protection for x86-32, and allow users to choose whether they want = SMEP-like >> protection if needed (and then enable PTI)? >=20 > That's what we did long long ago, with user space segments actually > using the limit (in fact, if you go back far enough, the kernel even > used the base). >=20 > You'd have to make sure that the LDT loading etc do not allow CPL3 > segments with base+limit past TASK_SIZE, so that people can't generate > their own. And the TLS segments also need to be limited (and > remember, the limit has to be TASK_SIZE-base, not just TASK_SIZE). >=20 > And we should check with Intel that segment limit checking really is > guaranteed to be done before any access. Thanks. I=E2=80=99ll try to check with Intel liaison people of VMware = (my employer), yet any feedback will be appreciated. > Too bad x86-64 got rid of the segments ;) Actually, as I noted in a different thread, running 32-bit binaries on x86_64 in legacy-mode, without PTI, performs considerably better than = x86_64 binaries with PTI for workloads that are hit the most (e.g., Redis). By dynamically removing the 64-bit user-CS from the GDT, this mode should = be safe, as long as CS load is not done speculatively. Regards, Nadav=