Received: by 10.223.176.46 with SMTP id f43csp2368602wra;
        Sun, 21 Jan 2018 18:29:07 -0800 (PST)
X-Google-Smtp-Source: AH8x227TdIAYRuNicYd/PVCoHJhCytHOSpbLPW0e117stUMUSkeZcKmQrzR7oZmpTNh9nHjRL0vI
X-Received: by 10.99.115.67 with SMTP id d3mr6097652pgn.223.1516588147379;
        Sun, 21 Jan 2018 18:29:07 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1516588147; cv=none;
        d=google.com; s=arc-20160816;
        b=kE+CcHTjYJjIzo9dc3rV+uiuouUtdePFbu+Dq2R3hHPjDLd2cVk7Lbje59bIU51F8b
         V0Foq577SNoZ0au7+rYojLj0aYHkUNpVmWkR8kYLFVOr8Z0M0bF0P89cECjn45LhduJX
         7eRwNDVm8KZVzROmt8MTNEgjlzZaYLOYsMQMOphR0+L5cxiALZIJNBhyNSs6AtrOvIez
         ILriulyApw85/EjTcyB2tQ1feHWYGcCl3r7i2nv7zU3x2smmS9lsS76iPE12t/yjhQqg
         VooMu10TdAbQ9/o7MargKwHf8pHPGZwo7GiP9+9M8LQAcys3Pvq1dsaAyz2zS4Lip8j8
         HgSw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:to:references:message-id
         :content-transfer-encoding:cc:date:in-reply-to:from:subject
         :mime-version:dkim-signature:arc-authentication-results;
        bh=OLl64QM8LbaeGqjnje8L5GVJXImcqDoHhXL5etf7jY4=;
        b=y8sNyWbvJjRHwevaDk5ewwTXGt90S3A+NZCttaZDkmh8sMcIPnSy7mVtzWQOnNfP9Q
         hMQd0Q9vkzEvm1Ci8QFFoQn7ZEHaSRvv4BTspveKY/9fHyM5wsDwLyx9rgpfzDs1Qm/0
         eaFdBqnxb7AU19JORW430MKtmEqDE45BJ65bEtmZXjzxrJQY3c3xXOz46mV+g+1sTDPA
         1+GyfwI2AJR8/hW6D/a+cnaeAAkMSr+GjwI9mI1l9RkYFlCMPtBxxdXErKIANu9/sInD
         TIFGaoUNJd/sXxGv5TXFloXAly/wFi6Eul2oE/OV5tWhk0X6L3139S8sV4pvGyDGuTBC
         KJUA==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@gmail.com header.s=20161025 header.b=ZDCsAxaK;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=gmail.com
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id y6si13147599pgs.458.2018.01.21.18.28.43;
        Sun, 21 Jan 2018 18:29:07 -0800 (PST)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@gmail.com header.s=20161025 header.b=ZDCsAxaK;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=gmail.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1751128AbeAVC2K (ORCPT <rfc822;austinkernel.kim@gmail.com>
        + 99 others); Sun, 21 Jan 2018 21:28:10 -0500
Received: from mail-wm0-f52.google.com ([74.125.82.52]:40098 "EHLO
        mail-wm0-f52.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1751076AbeAVC2I (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Sun, 21 Jan 2018 21:28:08 -0500
Received: by mail-wm0-f52.google.com with SMTP id v123so13909309wmd.5
        for <linux-kernel@vger.kernel.org>; Sun, 21 Jan 2018 18:28:08 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20161025;
        h=mime-version:subject:from:in-reply-to:date:cc
         :content-transfer-encoding:message-id:references:to;
        bh=OLl64QM8LbaeGqjnje8L5GVJXImcqDoHhXL5etf7jY4=;
        b=ZDCsAxaK247T0aMhrY5tlayweCnrpX0YW23/fmOkzIqk4XkufGcWWzLA8Avi/TIAsR
         zIjHGpx0tZg6cSglc4PJPfAoDKH6pKbmS2EhPZaBkTMVUEunBYB9gcVant3MBFyoX9OF
         8ZSewT35edw9558hQUmDMhRc5CDTpKGp/n5J9sLkPcqngR5AF6yWq0fj+nBUzjWnexah
         0FDBcwyF5KL7CWAp0k/IlkqP+wOtaj2YTlHFZ/3wqlvAnlkl8c0zm1g1sipMRoqMhmcU
         Qq0KjT4VMZCpz65XNcRFL1Poguu507kbW8OnNCXpWR/vGlo9Sw9Avs4Cv+IWbaxIIhKB
         nTaQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:mime-version:subject:from:in-reply-to:date:cc
         :content-transfer-encoding:message-id:references:to;
        bh=OLl64QM8LbaeGqjnje8L5GVJXImcqDoHhXL5etf7jY4=;
        b=Ui/oEMgjeGKHAO4bBAfV/KYf39GJ229KzA114+ezzuu3JrnDdYYLifrDEmy842epIY
         gykVsg4dU0n8fOfbqRALz8CNaLMVYOlUBQB73Jg8TZRWsSJZhNKURtwxIUhmyfozxqjL
         kWbfIV6ZiGf4C4/76+0YRXmOStlZHtLuXLai87hM832IoVYn+R5tCpLY4GMVQjuSysH5
         Et/eIaEtKlWDO42seUmK6gO+nvQ8GnNH3zrvkPWHXyZomDTuPpIg/cc+qbBIkDn5txAZ
         ni7TZFmkZ/7cbssxRz/m2TnZY6aaBWzmtfYCB5YaqyVRvsGITd/0BlJJOTTgQ0YBa7NL
         r/cg==
X-Gm-Message-State: AKwxytetIovkMKr4LrjwQYeJJVVdh2ZXwD7qrg30QNksu2zJjUrbtcw8
        6wExMHJPwtszbTugoLz9e60=
X-Received: by 10.80.195.75 with SMTP id q11mr11124670edb.254.1516588087197;
        Sun, 21 Jan 2018 18:28:07 -0800 (PST)
Received: from [10.2.101.129] ([208.91.2.2])
        by smtp.gmail.com with ESMTPSA id d92sm9814735edd.21.2018.01.21.18.28.01
        (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
        Sun, 21 Jan 2018 18:28:06 -0800 (PST)
Content-Type: text/plain; charset=utf-8
Mime-Version: 1.0 (Mac OS X Mail 10.3 \(3273\))
Subject: Re: [RFC PATCH 00/16] PTI support for x86-32
From:   Nadav Amit <nadav.amit@gmail.com>
In-Reply-To: <CA+55aFz4cUhqhmWg-F8NXGjowVGXkMA126H-mQ4n1A0ywtQ_tg@mail.gmail.com>
Date:   Sun, 21 Jan 2018 18:27:59 -0800
Cc:     Joerg Roedel <joro@8bytes.org>,
        Thomas Gleixner <tglx@linutronix.de>,
        Ingo Molnar <mingo@kernel.org>,
        "H . Peter Anvin" <hpa@zytor.com>,
        the arch/x86 maintainers <x86@kernel.org>,
        LKML <linux-kernel@vger.kernel.org>,
        "open list:MEMORY MANAGEMENT" <linux-mm@kvack.org>,
        Andy Lutomirski <luto@kernel.org>,
        Dave Hansen <dave.hansen@intel.com>,
        Josh Poimboeuf <jpoimboe@redhat.com>,
        Juergen Gross <jgross@suse.com>,
        Peter Zijlstra <peterz@infradead.org>,
        Borislav Petkov <bp@alien8.de>, Jiri Kosina <jkosina@suse.cz>,
        Boris Ostrovsky <boris.ostrovsky@oracle.com>,
        Brian Gerst <brgerst@gmail.com>,
        David Laight <David.Laight@aculab.com>,
        Denys Vlasenko <dvlasenk@redhat.com>,
        Eduardo Valentin <eduval@amazon.com>,
        Greg KH <gregkh@linuxfoundation.org>,
        Will Deacon <will.deacon@arm.com>,
        "Liguori, Anthony" <aliguori@amazon.com>,
        Daniel Gruss <daniel.gruss@iaik.tugraz.at>,
        Hugh Dickins <hughd@google.com>,
        Kees Cook <keescook@google.com>,
        Andrea Arcangeli <aarcange@redhat.com>,
        Waiman Long <llong@redhat.com>, Joerg Roedel <jroedel@suse.de>
Content-Transfer-Encoding: quoted-printable
Message-Id: <8B8147E4-0560-456D-BA23-F0037C80C945@gmail.com>
References: <1516120619-1159-1-git-send-email-joro@8bytes.org>
 <5D89F55C-902A-4464-A64E-7157FF55FAD0@gmail.com>
 <886C924D-668F-4007-98CA-555DB6279E4F@gmail.com>
 <9CF1DD34-7C66-4F11-856D-B5E896988E16@gmail.com>
 <CA+55aFz4cUhqhmWg-F8NXGjowVGXkMA126H-mQ4n1A0ywtQ_tg@mail.gmail.com>
To:     Linus Torvalds <torvalds@linux-foundation.org>
X-Mailer: Apple Mail (2.3273)
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

Linus Torvalds <torvalds@linux-foundation.org> wrote:

> On Sun, Jan 21, 2018 at 3:46 PM, Nadav Amit <nadav.amit@gmail.com> =
wrote:
>> I wanted to see whether segments protection can be a replacement for =
PTI
>> (yes, excluding SMEP emulation), or whether speculative execution =
=E2=80=9Cignores=E2=80=9D
>> limit checks, similarly to the way paging protection is skipped.
>>=20
>> It does seem that segmentation provides sufficient protection from =
Meltdown.
>> The =E2=80=9Creliability=E2=80=9D test of Gratz PoC fails if the =
segment limit is set to
>> prevent access to the kernel memory. [ It passes if the limit is not =
set,
>> even if the DS is reloaded. ] My test is enclosed below.
>=20
> Interesting. It might not be entirely reliable for all
> microarchitectures, though.
>=20
>> So my question: wouldn=E2=80=99t it be much more efficient to use =
segmentation
>> protection for x86-32, and allow users to choose whether they want =
SMEP-like
>> protection if needed (and then enable PTI)?
>=20
> That's what we did long long ago, with user space segments actually
> using the limit (in fact, if you go back far enough, the kernel even
> used the base).
>=20
> You'd have to make sure that the LDT loading etc do not allow CPL3
> segments with base+limit past TASK_SIZE, so that people can't generate
> their own.  And the TLS segments also need to be limited (and
> remember, the limit has to be TASK_SIZE-base, not just TASK_SIZE).
>=20
> And we should check with Intel that segment limit checking really is
> guaranteed to be done before any access.

Thanks. I=E2=80=99ll try to check with Intel liaison people of VMware =
(my employer),
yet any feedback will be appreciated.

> Too bad x86-64 got rid of the segments ;)

Actually, as I noted in a different thread, running 32-bit binaries on
x86_64 in legacy-mode, without PTI, performs considerably better than =
x86_64
binaries with PTI for workloads that are hit the most (e.g., Redis). By
dynamically removing the 64-bit user-CS from the GDT, this mode should =
be
safe, as long as CS load is not done speculatively.

Regards,
Nadav=