Received: by 10.223.176.46 with SMTP id f43csp3942120wra; Tue, 23 Jan 2018 01:29:59 -0800 (PST) X-Google-Smtp-Source: AH8x224fVwPVnV7CbPNT6eHsGJUgJGVLI52ymJeSq1VCuIbAU2zsb3uNcN1QKIF6Ysv0XNv1Isob X-Received: by 10.101.101.26 with SMTP id x26mr8519301pgv.149.1516699799084; Tue, 23 Jan 2018 01:29:59 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1516699799; cv=none; d=google.com; s=arc-20160816; b=ecf8WaJjAQFp5qWov3xBafPlWMMrKrp0lKGml56vGldATBBDI37Dp5bl83jS+A2kbC a0eB9tfeLpXeWsBoP4NOZT4TcOp2fVkaXh4ZOYXnITkBnvqgPEgTpxAzl6+DKUBZAs8v Bl0GcylCpJlYYgcVwrCPG9TgCKlPrX30iil2Y2OrfgD13xeVsliW5EqWRuXyr88qnb67 bMKS3YlymmG6WgyVlZco0wEidypLWu/UdUzkVKu+4lK50hUznm3X3sgfL4G7u1p9A5gE DK02rKoYFuy8GFRc+UxZTiKiltl7nA/M4UE4GAHSNKZNxJmPiBniVoBlW1QHn4CqbPlc k53g== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:user-agent:in-reply-to :content-disposition:mime-version:references:message-id:subject:cc :to:from:date:dkim-signature:arc-authentication-results; bh=bHHulpTIfFVDhbvbT07lOeBZglMs5RupZNUhqXmKkl4=; b=yKbaiOUPlOKjbsYGO3Oog3nKQ1slTOm57W2z25N9VBbUWe6hQ4Ozpp6cbplfnH4nze yUoLCBqzMKByIsIkOfFaIIXaqQAYG2/ca1C00+VKa7AAMpBimLF+ye8zOPdToS2z4XIK O4AFaUy7d4+z8t3I/CIUynn4UM83iyos+ncylXLETwxUxfCQ5YbEwOOlY4QIH89jK6cs cNnIhc2mpb/Rdz8h5EoWYcAgE50LxH6CFeGfHjCUhUuhw3rJ/DB+3KNpYJtCqKpQg1+9 pU4OXdzNGu6y0wzEiYmwmybNJSyPB6POiVqvMAvKaD3fAfsmFGQv6rInrsI8Trzecgm5 spfQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=fail header.i=@gmail.com header.s=20161025 header.b=ovJvuzYj; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id 36-v6si4451876pla.343.2018.01.23.01.29.44; Tue, 23 Jan 2018 01:29:59 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=fail header.i=@gmail.com header.s=20161025 header.b=ovJvuzYj; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1751265AbeAWJ2F (ORCPT + 99 others); Tue, 23 Jan 2018 04:28:05 -0500 Received: from mail-wr0-f176.google.com ([209.85.128.176]:41074 "EHLO mail-wr0-f176.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1750946AbeAWJ2B (ORCPT ); Tue, 23 Jan 2018 04:28:01 -0500 Received: by mail-wr0-f176.google.com with SMTP id v15so8872824wrb.8; Tue, 23 Jan 2018 01:28:00 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=sender:date:from:to:cc:subject:message-id:references:mime-version :content-disposition:in-reply-to:user-agent; bh=bHHulpTIfFVDhbvbT07lOeBZglMs5RupZNUhqXmKkl4=; b=ovJvuzYjfCSI/JxXxXPnYLmplABhd1+nFX2k4i2eIm7xfVPLMGmZLGWOj4NWnmqCsn FKaRtbS+H5D+89RTCCSMVRcaw3flFC8XXtdI491r2reD2LxAol0zkP2eUUAahYGVr7JJ nF/eR/FcUv8HhUoCrHJ27GuLaw5C5RHp8PN8tepWSnfgpcM5ZUtK2woX+XJCC8xL1Axz pNZ8SUsYffUvUA5irqFZPPUaE/vQMxJmCnQHTOe6lBdmOzTKEmDBXsG86RJoOcZxVic6 mNRsY9CsvslgGxlH3B3ge4eV6S09Uzy2HAREy7Y/pFjyad8EkSuQLrpUgQjckOtqggnj JXnw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:sender:date:from:to:cc:subject:message-id :references:mime-version:content-disposition:in-reply-to:user-agent; bh=bHHulpTIfFVDhbvbT07lOeBZglMs5RupZNUhqXmKkl4=; b=eMwUz3hdKwxrQSI8UIuaEqMdqIUUzvnPuv3eNgdRLX2qPiPUN3u5/GrGNGr3NbNaaa 1IwbqHhLicEiMWIQ7xpJ2HfVNI7V11txQi/Aj/BVHTIZ5a3SeaTGHLSzTjzO70KuzrEm X+m3qwAQlqAboWJnWsu96h/mrKcJdkP80el245DAhCD9FblWnihnlSw+DpQk3iwyZJJi mQoDOHi0cZEqxgybdsarI9TabzxKhaSLlZzZ9CbLY0cesxnXFHzGU8RIosXEJJtVJLBi QvBjpsc37nlVGNOltXRWAZXcK0AvF0RtVHbDiO7DYKaU13LTXF5+r1/VB9mTvYNlZmvK QuoA== X-Gm-Message-State: AKwxyteQwXbfn7qZIqf27oqCzX282YI5Lri4Cm5K8iWpR1VswFllXhtk XnsWlQKCGnsswMGFIfL2Jx8= X-Received: by 10.223.179.193 with SMTP id x1mr1518199wrd.171.1516699679822; Tue, 23 Jan 2018 01:27:59 -0800 (PST) Received: from gmail.com (2E8B0CD5.catv.pool.telekom.hu. [46.139.12.213]) by smtp.gmail.com with ESMTPSA id b79sm8964330wmb.18.2018.01.23.01.27.57 (version=TLS1_2 cipher=ECDHE-RSA-CHACHA20-POLY1305 bits=256/256); Tue, 23 Jan 2018 01:27:58 -0800 (PST) Date: Tue, 23 Jan 2018 10:27:56 +0100 From: Ingo Molnar To: David Woodhouse Cc: Linus Torvalds , KarimAllah Ahmed , Linux Kernel Mailing List , Andi Kleen , Andrea Arcangeli , Andy Lutomirski , Arjan van de Ven , Ashok Raj , Asit Mallick , Borislav Petkov , Dan Williams , Dave Hansen , Greg Kroah-Hartman , "H . Peter Anvin" , Ingo Molnar , Janakarajan Natarajan , Joerg Roedel , Jun Nakajima , Laura Abbott , Masami Hiramatsu , Paolo Bonzini , Peter Zijlstra , Radim =?utf-8?B?S3LEjW3DocWZ?= , Thomas Gleixner , Tim Chen , Tom Lendacky , KVM list , the arch/x86 maintainers , Arjan Van De Ven Subject: Re: [RFC 09/10] x86/enter: Create macros to restrict/unrestrict Indirect Branch Speculation Message-ID: <20180123092756.iznzepwnolsviof7@gmail.com> References: <1516476182-5153-1-git-send-email-karahmed@amazon.de> <1516476182-5153-10-git-send-email-karahmed@amazon.de> <1516566497.9814.78.camel@infradead.org> <1516572013.9814.109.camel@infradead.org> <1516638426.9521.20.camel@infradead.org> <20180123072930.soz25cyky3u4hpgv@gmail.com> <20180123075358.nztpyxympwfkyi2a@gmail.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20180123075358.nztpyxympwfkyi2a@gmail.com> User-Agent: NeoMutt/20170609 (1.8.3) Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org * Ingo Molnar wrote: > Is there a testcase for the SkyLake 16-deep-call-stack problem that I could run? > Is there a description of the exact speculative execution vulnerability that has > to be addressed to begin with? Ok, so for now I'm assuming that this is the 16 entries return-stack-buffer underflow condition where SkyLake falls back to the branch predictor (while other CPUs wrap the buffer). > If this approach is workable I'd much prefer it to any MSR writes in the syscall > entry path not just because it's fast enough in practice to not be turned off by > everyone, but also because everyone would agree that per function call overhead > needs to go away on new CPUs. Both deployment and backporting is also _much_ more > flexible, simpler, faster and more complete than microcode/firmware or compiler > based solutions. > > Assuming the vulnerability can be addressed via this route that is, which is a big > assumption! So I talked this over with PeterZ, and I think it's all doable: - the CALL __fentry__ callbacks maintain the depth tracking (on the kernel stack, fast to access), and issue an "RSB-stuffing sequence" when depth reaches 16 entries. - "the RSB-stuffing sequence" is a return trampoline that pushes a CALL on the stack which is executed on the RET. - All asynchronous contexts (IRQs, NMIs, etc.) stuff the RSB before IRET. (The tracking could probably made IRQ and maybe even NMI safe, but the worst-case nesting scenarios make my head ache.) I.e. IBRS can be mostly replaced with a kernel based solution that is better than IBRS and which does not negatively impact any other non-SkyLake CPUs or general code quality. I.e. a full upstream Spectre solution. Thanks, Ingo