From: Martin Schwidefsky
To: linux-kernel@vger.kernel.org, linux-s390@vger.kernel.org, kvm@vger.kernel.org
Cc: Heiko Carstens, Christian Borntraeger, Paolo Bonzini, Cornelia Huck, David Hildenbrand, Greg Kroah-Hartman, Jon Masters, Marcus Meissner, Jiri Kosina
Subject: [PATCH 1/5] prctl: add PR_ISOLATE_BP process control
Date: Tue, 23 Jan 2018 14:07:01 +0100
In-Reply-To: <1516712825-2917-1-git-send-email-schwidefsky@de.ibm.com>
Message-Id: <1516712825-2917-2-git-send-email-schwidefsky@de.ibm.com>

Add the PR_ISOLATE_BP operation to prctl. The effect of the process control is to make all branch prediction entries created by the execution of the user space code of this task not applicable to kernel code or the code of any other task.

This can be achieved by the architecture specific implementation in different ways, e.g. by limiting the branch prediction for the task, or by clearing the branch prediction tables on each context switch, or by tagging the branch prediction entries in a suitable way. The architecture code needs to define the ISOLATE_BP macro to implement the hardware specific details of the branch prediction isolation.
The control can not be removed from a task once it is activated and it is inherited by all children of the task.

The user space wrapper to start a program with the isolated branch prediction:

    #include <stdio.h>
    #include <stdlib.h>
    #include <unistd.h>
    #include <sys/prctl.h>

    #ifndef PR_ISOLATE_BP
    #define PR_ISOLATE_BP 52    /* value added by this patch */
    #endif

    int main(int argc, char *argv[], char *envp[])
    {
        int rc;

        if (argc < 2) {
            fprintf(stderr, "Usage: %s \n", argv[0]);
            exit(EXIT_FAILURE);
        }
        /* Set before exec so the started program inherits the control. */
        rc = prctl(PR_ISOLATE_BP);
        if (rc) {
            perror("PR_ISOLATE_BP");
            exit(EXIT_FAILURE);
        }
        execve(argv[1], argv + 1, envp);
        /* Only reached if execve() failed. */
        perror("execve");
        exit(EXIT_FAILURE);
    }

Signed-off-by: Martin Schwidefsky

--- include/uapi/linux/prctl.h | 8 ++++++++ kernel/sys.c | 6 ++++++ 2 files changed, 14 insertions(+) diff --git a/include/uapi/linux/prctl.h b/include/uapi/linux/prctl.h index af5f8c2..e7b84c9 100644 --- a/include/uapi/linux/prctl.h +++ b/include/uapi/linux/prctl.h @@ -207,4 +207,12 @@ struct prctl_mm_map { # define PR_SVE_VL_LEN_MASK 0xffff # define PR_SVE_VL_INHERIT (1 << 17) /* inherit across exec */ +/* + * Prevent branch prediction entries created by the execution of + * user space code of this task to be used in any other context. + * This makes it impossible for malicious user space code to train + * a branch in the kernel code or in another task to be mispredicted. + */ +#define PR_ISOLATE_BP 52 + #endif /* _LINUX_PRCTL_H */ diff --git a/kernel/sys.c b/kernel/sys.c index 83ffd7d..e41cb2f 100644 --- a/kernel/sys.c +++ b/kernel/sys.c @@ -117,6 +117,9 @@ #ifndef SVE_GET_VL # define SVE_GET_VL() (-EINVAL) #endif +#ifndef ISOLATE_BP +# define ISOLATE_BP() (-EINVAL) +#endif /* * this is where the system-wide overflow UID and GID are defined, for @@ -2398,6 +2401,9 @@ SYSCALL_DEFINE5(prctl, int, option, unsigned long, arg2, unsigned long, arg3, case PR_SVE_GET_VL: error = SVE_GET_VL(); break; + case PR_ISOLATE_BP: + error = ISOLATE_BP(); + break; default: error = -EINVAL; break; -- 2.7.4
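
Review bot: The comment above the new "#define PR_ISOLATE_BP 52" in include/uapi/linux/prctl.h leaves out the two properties the commit message calls out: the control cannot be removed once it is activated, and it is inherited by all children of the task. This is the header user space reads, so both should be documented there, together with the fact that the option takes no further arguments. Wording: "Prevent ... entries ... to be used" reads better as "from being used", and "makes it impossible" is stronger than the generic code can promise, since the isolation is whatever the architecture's ISOLATE_BP() implements.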
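
Review bot: The new "case PR_ISOLATE_BP:" in the prctl() switch in kernel/sys.c calls ISOLATE_BP() without checking arg2 through arg5, and the wrapper in the commit message calls prctl(PR_ISOLATE_BP) with no further arguments, so whatever values end up in those slots are silently accepted. Rejecting non-zero values before the call, for example "if (arg2 || arg3 || arg4 || arg5) return -EINVAL;", keeps the unused arguments available for later extension without breaking callers that passed arbitrary values. The patch also adds no option to read the state back, so a child of an isolated task has no way to confirm that it inherited the control; a query counterpart or a note on why none is needed would help.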