Received: by 10.223.176.46 with SMTP id f43csp3869537wra; Tue, 23 Jan 2018 00:01:47 -0800 (PST) X-Google-Smtp-Source: AH8x225/3EhX8LRPwGjMvyGSsaQGz3Nm0PvD3E4RCHDrDN+oDTqnrD7fX9ih9GrITrzIehaKqDgN X-Received: by 2002:a17:902:7182:: with SMTP id b2-v6mr5250687pll.38.1516694507458; Tue, 23 Jan 2018 00:01:47 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1516694507; cv=none; d=google.com; s=arc-20160816; b=K6Ya2oLmnyGxgBt3TTW1D8qyl9hoeCUJ51Hc+TvhRy1N18cQkWoR1pUQoaKCv5OgEA /V16GnSdyV/nANBcsBHKgXI7TtH27LiZPUUzRfrHFfEDRslJ9Q53Hb7acXAEYtMl118P Z8BhmdXeKdLu+mOsHHfb2UYxTmyUhtJ9L4X7GEw6LqK9KaD5j8t3SJrhyN2tuPDIsmVX H2rj7wiq/rruaC/bh+yv2IzdgcmrO6Sb7D8wCGPN9k76c+KF3+DCPwgTAmSmrYLRDE+C 6FAWcYAzYi9eusKMXI7scB8hzKvijR9G39UznHQBtedd3wvum4EhH0tIjVEwtGOMEj14 vo0Q== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:user-agent:in-reply-to :content-disposition:mime-version:references:message-id:subject:cc :to:from:date:dkim-signature:arc-authentication-results; bh=m7tRZUlGe9sucE/sFjk2lE1KlZlHIcrDlml0A0Hfbdo=; b=kFJvfTFpd+Lz88KfCU7wWNiSjk/z9eEEI1q+/rlv/N93yNE2lkxE7jFnVGLGMCw9Bl oSFMMaX508EMv1lZxA6HBfsQeIjVV3iQqxARRiOTpWVdbFWNcZ/9PilvYG1vAnOMSaJU YDJzj52F6qL4pI3ebiMHnEe7ElyK3Iybg3qj0fQjIytkWRBQhwthJuHFP0p/K/0S9342 bCmymB1hwDd1xaKt9vzFfjfAOP/Bxtfk6yoTfWNm5jkgdWACinoBgqga9YvdUJkPDiz+ sqr7F8wZlku6oi0kq3UcqvtBguFO0dkU59J0Pjh9VnG5XvMv7mrg2cc8q3jtgXkYrdIm qGIw== ARC-Authentication-Results: i=1; mx.google.com; dkim=fail header.i=@gmail.com header.s=20161025 header.b=f6DbJNKN; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id d9si4400367pgp.285.2018.01.23.00.01.31; Tue, 23 Jan 2018 00:01:47 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=fail header.i=@gmail.com header.s=20161025 header.b=f6DbJNKN; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1751178AbeAWIBI (ORCPT + 99 others); Tue, 23 Jan 2018 03:01:08 -0500 Received: from mail-wr0-f182.google.com ([209.85.128.182]:39293 "EHLO mail-wr0-f182.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751141AbeAWIBG (ORCPT ); Tue, 23 Jan 2018 03:01:06 -0500 Received: by mail-wr0-f182.google.com with SMTP id z48so11429449wrz.6 for ; Tue, 23 Jan 2018 00:01:06 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=sender:date:from:to:cc:subject:message-id:references:mime-version :content-disposition:in-reply-to:user-agent; bh=m7tRZUlGe9sucE/sFjk2lE1KlZlHIcrDlml0A0Hfbdo=; b=f6DbJNKN5fNyfotpajSgmEbG0C5/20dQQHu58LoPE8dqzQi1IFpQA8NYfXccHuTVop l2XOCarWylzv881jKZa2fWgU8gg1b9m+LE7/PIFd15m11E2Fpl12iFJUrodZOkOvPK3I BYqBof9WnIHK4dtP+YnowRsUxyJrHEurEnVItHdJKXVMjHoJ4kRrmd8ORW4/568lV5K0 HmTEtVXLdKbfM9Ql50hnmi++dA3k0BDpVdqlArCrZPyS7CN7uy4SYwYhiGhN2ddW4nhM kfq5fYDG1KBk4IhvFj5P67c//e3YbzJgO41IpZFeeLakLXjTqFJCvfA3GEnN8WWBbIrm tIPg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:sender:date:from:to:cc:subject:message-id :references:mime-version:content-disposition:in-reply-to:user-agent; bh=m7tRZUlGe9sucE/sFjk2lE1KlZlHIcrDlml0A0Hfbdo=; b=bxQ6ja7vHxlHj3erKBAbUi3UXalYJOD3g/1Vg23ZZGFcKqM8yzD61xUsyTLFjKTbCC nVnNcecA2ZFi02nr7C0KmyrEd081M0aDsJeqj4Yn0Xs3HnnP9kc8k20PGLyftc92lS8c EcVnC6rolgJ1j5iXdlXwk5W/ACKRdVdX6dsiyxj9Vm2ibmiBBtqLjJYCU6qY/st7uHtJ HY6QonfnxGzwzOe4GqtMX/YQhPlZgzJ3luBQa0zp6/HOLALunmE1X7uvus0iuDioNYI/ tLW0yzxAjk5yjqh8oSEF+Sn/y0nbfi+Is83d/X8tyve6AuWhNehcWOfDyF1AbFiZeyZK IcXg== X-Gm-Message-State: AKwxyteEAV0AtCNAjQkPEYN6IJ9vN4hH2MFvPrZeA58PGrHda5rbMgMD tpA2mv4/Im76aU8IqvOKqMk= X-Received: by 10.223.187.134 with SMTP id q6mr1326595wrg.144.1516694465789; Tue, 23 Jan 2018 00:01:05 -0800 (PST) Received: from gmail.com (2E8B0CD5.catv.pool.telekom.hu. [46.139.12.213]) by smtp.gmail.com with ESMTPSA id w14sm16094310wrc.63.2018.01.23.00.01.03 (version=TLS1_2 cipher=ECDHE-RSA-CHACHA20-POLY1305 bits=256/256); Tue, 23 Jan 2018 00:01:04 -0800 (PST) Date: Tue, 23 Jan 2018 09:01:01 +0100 From: Ingo Molnar To: Linus Torvalds Cc: Andy Lutomirski , the arch/x86 maintainers , LKML , Greg Kroah-Hartman , Alan Cox , Jann Horn , Samuel Neves , Dan Williams , Kernel Hardening , Borislav Petkov Subject: Re: [PATCH] x86/retpoline/entry: Disable the entire SYSCALL64 fast path with retpolines on Message-ID: <20180123080101.7udtt6wdl6jpglwa@gmail.com> References: <503224b776b9513885453756e44bab235221124e.1516644136.git.luto@kernel.org> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: User-Agent: NeoMutt/20170609 (1.8.3) Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org * Linus Torvalds wrote: > On Mon, Jan 22, 2018 at 10:04 AM, Andy Lutomirski wrote: > > The existing retpoline code carefully and awkwardly retpolinifies > > the SYSCALL64 slow path. This stops the fast path from being > > particularly fast, and it's IMO rather messy. > > I'm not convinced your patch isn't messier still.. It's certainly > subtle. I had to look at that ptregs stub generator thing twice. > > Honestly, I'd rather get rid of the fast-path entirely. Compared to > all the PTI mess, it's not even noticeable. > > And if we ever get CPU's that have this all fixed, we can re-visit > introducing the fastpath. But this is all very messy and it doesn't > seem worth it right now. > > If we get rid of the fastpath, we can lay out the slow path slightly > better, and get rid of some of those jump-overs. And we'd get rid of > the ptregs hooks entirely. > > So we can try to make the "slow" path better while at it, but I really > don't think it matters much now in the post-PTI era. Sadly. Note that there's another advantage to your proposal: should other vulnerabilities arise in the future, requiring changes in the syscall entry path, we'd be more flexible to address them in the C space than in the assembly space. In hindsight a _LOT_ of the PTI complexity and fragility centered around interacting with x86 kernel entry assembly code - which entry code fortunately got much simpler (and easier to review) in the past 1-2 years due to the thorough cleanups and the conversion of most of it to C. But it was still painful. So I'm fully in favor of that. Thanks, Ingo