Received: by 10.223.176.46 with SMTP id f43csp3845651wra; Mon, 22 Jan 2018 23:30:20 -0800 (PST) X-Google-Smtp-Source: AH8x224zvBtLSP4m3n3NhA86zLlbbz8orRkOp3xiDVL5Aa8ZDzIJLeLvRoiAWN1AHq35fI0fFVBx X-Received: by 2002:a17:902:8215:: with SMTP id x21-v6mr4863400pln.381.1516692620201; Mon, 22 Jan 2018 23:30:20 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1516692620; cv=none; d=google.com; s=arc-20160816; b=Eu/SDjkO9vkXwAQZlVnRNKoXUQNbSxdIM5ynmyaftHRiC15Cyyhev/EtnB+K+O1IrD onXc5my3iReqQXIUD2jo1IlH2PbcJBJsVzcC7AyW2ijZEuxse9TOEgT/2yrjr1SysX9E 1bAmsuNa2YHDwLUEtutbkRFWkgtbHQiNXXbxtYcWuh16eXi3UftF/2LCTkDE1llcepu1 +BWO1pWIY3hLq/izQlvC0ImuB4G6z1wShufvuOoH+Cw4TdDT/phowowjP5sAmBClen8q 7IoQynLbAMFQIjwW0phqzELUHg6sDKEsX0v3zP4fhh+x/99+sh2eTmDf8Ytb+VDR+h52 kptw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:user-agent:in-reply-to :content-disposition:mime-version:references:message-id:subject:cc :to:from:date:dkim-signature:arc-authentication-results; bh=trSPNK+SB5FaHBFoLbiGSDGwpiwGGZ9xG9SfrhdVTro=; b=fShccQztuoYOAG987mQy2OnN8Hq6rpkec5SQdZ697m3wDCIOdIg6njwxm41beTGKOE F/pwZV7HkqvkcgzjYpGsLVqPjucTrIj+ZexotqgdeRWp26lv8yV4P2OvSEtABrEzzn/a bZB+rJpPnGx87FEM3sKnCdxpOfPHHfBUOY3xw4xN5taXFMzxj+i/9uR87T4Gz8AvIZNZ E7l4/bI5z3z7TpL1boohgNK919lmd3Fak6P+mwaGs2i8vG0yDSJqRj4ecfczzDVrMCQW vkqiyS4bjGdJaZ2B8nHW6WcZWNlYOFLQ48PhpeXZj+vNZTswieJKx2W0kcJW8vhfCw3N Bexg== ARC-Authentication-Results: i=1; mx.google.com; dkim=fail header.i=@gmail.com header.s=20161025 header.b=NoQT+kf/; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id k135si14659547pgc.32.2018.01.22.23.30.05; Mon, 22 Jan 2018 23:30:20 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=fail header.i=@gmail.com header.s=20161025 header.b=NoQT+kf/; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1751156AbeAWH3k (ORCPT + 99 others); Tue, 23 Jan 2018 02:29:40 -0500 Received: from mail-wm0-f43.google.com ([74.125.82.43]:35904 "EHLO mail-wm0-f43.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1750760AbeAWH3h (ORCPT ); Tue, 23 Jan 2018 02:29:37 -0500 Received: by mail-wm0-f43.google.com with SMTP id f3so21461564wmc.1; Mon, 22 Jan 2018 23:29:37 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=sender:date:from:to:cc:subject:message-id:references:mime-version :content-disposition:in-reply-to:user-agent; bh=trSPNK+SB5FaHBFoLbiGSDGwpiwGGZ9xG9SfrhdVTro=; b=NoQT+kf/GTnVRm7jLSCOMARgYFDWRGRknLGdxNMoV+6p3I26UNOf2tQgqBVnwvA2bx ukbSwApUUXaUf4siwLdzsqXaL2Jc0KjznPH34b4HppaV+HOZFz3L8ueoPNHjkB81MfQB yCKu8unutYH6iYLX6q9/uEPxxhiSboLmX/GWTtnW58GXSfW66W2MrslppXwmB5u78GxR 3pL7e84gJbE9OeEa0m/rIRR4KxeRSZtcTUrAeWMhJOkS1sAIQZEgqp1N+6ziLqd+w/jt UrYFh7Wqy9yKzfDEO2M/p/8CpmKSFzoBuM+Ws4F5ZVhjJzjEbwD1VUG9VmRTJNJV/sWD 0kGA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:sender:date:from:to:cc:subject:message-id :references:mime-version:content-disposition:in-reply-to:user-agent; bh=trSPNK+SB5FaHBFoLbiGSDGwpiwGGZ9xG9SfrhdVTro=; b=LEN+2fXDLx7vpFxMeEVAEAqAFzTSSQC0LhFGHgIOhtTjKyyhAXpRXYyMEWwk0KWz6k RykRqnBASccpZMHKe/bdyfzkAu832vHMAX8yg/Cqnnawdka4b/yEO6oFxfq4BEPuanjZ UN/mRlLHtSv8zhEfpbLyVYQZzkxCWLe6Sf7Y+K+qFNqK8u6dNLoXGx+HAng5pHXUURVT YRyGewf7fxc/4fRxgIw6jQCZo76xuh3fG3kkhTuIgRCGRVYgHitOxyrVgjpq3eBirqS6 JUoZ7iK3q09hlFtFyBpxExRejrPFC/EtV91QPG5De9zh4jj0hNejaposmX33AjVevJoE C3bw== X-Gm-Message-State: AKwxytd5FYmQs8qvUg7WcofBx8b+6QUqE9JqPexqBzglHcQ7sKNsvthY zJnZ+ANgZ3PmabRfpx8vz4g= X-Received: by 10.28.116.16 with SMTP id p16mr1044761wmc.21.1516692576432; Mon, 22 Jan 2018 23:29:36 -0800 (PST) Received: from gmail.com (2E8B0CD5.catv.pool.telekom.hu. [46.139.12.213]) by smtp.gmail.com with ESMTPSA id l41sm14902112wrl.1.2018.01.22.23.29.31 (version=TLS1_2 cipher=ECDHE-RSA-CHACHA20-POLY1305 bits=256/256); Mon, 22 Jan 2018 23:29:33 -0800 (PST) Date: Tue, 23 Jan 2018 08:29:30 +0100 From: Ingo Molnar To: David Woodhouse Cc: Linus Torvalds , KarimAllah Ahmed , Linux Kernel Mailing List , Andi Kleen , Andrea Arcangeli , Andy Lutomirski , Arjan van de Ven , Ashok Raj , Asit Mallick , Borislav Petkov , Dan Williams , Dave Hansen , Greg Kroah-Hartman , "H . Peter Anvin" , Ingo Molnar , Janakarajan Natarajan , Joerg Roedel , Jun Nakajima , Laura Abbott , Masami Hiramatsu , Paolo Bonzini , Peter Zijlstra , Radim =?utf-8?B?S3LEjW3DocWZ?= , Thomas Gleixner , Tim Chen , Tom Lendacky , KVM list , the arch/x86 maintainers , Arjan Van De Ven Subject: Re: [RFC 09/10] x86/enter: Create macros to restrict/unrestrict Indirect Branch Speculation Message-ID: <20180123072930.soz25cyky3u4hpgv@gmail.com> References: <1516476182-5153-1-git-send-email-karahmed@amazon.de> <1516476182-5153-10-git-send-email-karahmed@amazon.de> <1516566497.9814.78.camel@infradead.org> <1516572013.9814.109.camel@infradead.org> <1516638426.9521.20.camel@infradead.org> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <1516638426.9521.20.camel@infradead.org> User-Agent: NeoMutt/20170609 (1.8.3) Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org * David Woodhouse wrote: > But wait, why did I say "mostly"? Well, not everyone has a retpoline > compiler yet... but OK, screw them; they need to update. > > Then there's Skylake, and that generation of CPU cores. For complicated > reasons they actually end up being vulnerable not just on indirect > branches, but also on a 'ret' in some circumstances (such as 16+ CALLs > in a deep chain). > > The IBRS solution, ugly though it is, did address that. Retpoline > doesn't. There are patches being floated to detect and prevent deep > stacks, and deal with some of the other special cases that bite on SKL, > but those are icky too. And in fact IBRS performance isn't anywhere > near as bad on this generation of CPUs as it is on earlier CPUs > *anyway*, which makes it not quite so insane to *contemplate* using it > as Intel proposed. There's another possible method to avoid deep stacks on Skylake, without compiler support: - Use the existing mcount based function tracing live patching machinery (CONFIG_FUNCTION_TRACER=y) to install a _very_ fast and simple stack depth tracking tracer which would issue a retpoline when stack depth crosses boundaries of ~16 entries. The overhead of that would _still_ very likely be much cheaper than a hundreds (thousands) of cycle expensive MSR write at every kernel entry (syscall entry, IRQ entry, etc.). Note the huge number of advantages: - All distro kernels already enable the mcount based patching options, so there's literally zero overhead to anything except SkyLake. - It is fully kernel patching based and can be activated on Skylake only - It doesn't require any microcode updates, so it will work on all existing CPUs with no firmware or microcode modificatons - It doesn't require any compiler updates - SkyLake performance is very likely to be much less fragile than relying on a hastily deployed microcode hack - The "SkyLake stack depth tracer" can be tested on other CPUs as well in debug builds, broadening the testing base - The tracer is very obviously simple and reviewable, and we can forget about it in the far future. - It's much more backportable to older kernels: should there be a new class of exploits then this machinery could be updated to cover that too - while upgrades to newer kernels would give the higher performant solution. Yes, there are some practical complications like always enabling CONFIG_FUNCTION_TRACER=y on x86, plus the ftrace interaction has to be sorted out, but in practice it's enabled on all major distros anyway, due to ftrace. Is there any reason why this wouldn't work? Thanks, Ingo