From: Radim Krčmář
To: Christian Borntraeger
Cc: kvm@vger.kernel.org, Paolo Bonzini, Martin Schwidefsky, linux-kernel@vger.kernel.org, linux-s390@vger.kernel.org, Heiko Carstens, Cornelia Huck, David Hildenbrand, Greg Kroah-Hartman, Jon Masters, Marcus Meissner, Jiri Kosina
Subject: Re: [PATCH 4/5] s390: define ISOLATE_BP to run tasks with modified branch prediction
Date: Tue, 23 Jan 2018 21:32:24 +0100
Message-ID: <20180123203223.GA648@flask>
References: <1516712825-2917-1-git-send-email-schwidefsky@de.ibm.com> <1516712825-2917-5-git-send-email-schwidefsky@de.ibm.com>
X-Mailing-List: linux-kernel@vger.kernel.org

2018-01-23 15:21+0100, Christian Borntraeger:
> Paolo, Radim,
>
> this patch not only allows isolating a userspace process, it also allows us
> to add a new interface for KVM that would allow us to isolate a KVM guest CPU
> so that it is no longer able to inject branches into the host or other guests
> (while at the same time QEMU and the host kernel can run with full power).
> We just have to set the TIF bit TIF_ISOLATE_BP_GUEST for the thread that runs a
> given CPU. This would certainly be an add-on patch on top of this patch at a
> later point in time.

I think that the default should be secure, so userspace will be breaking
the isolation instead of setting it up, and having just one place to screw
up would be better -- the prctl could decide which isolation mode to pick.

Maybe we can change the conditions and break the logical connection between
TIF_ISOLATE_BP and TIF_ISOLATE_BP_GUEST, to make a separate KVM interface
useful.

> Do you think something similar would be useful for other architectures as well?

It goes against my idea of virtualization, but there probably are users
that don't care about isolation and still use virtual machines ...

I expect most architectures to have a fairly similar resolution of branch
prediction leaks, so the idea should be easily abstractable on all levels.
(At least x86 is.)

> In that case we should try to come up with a cross-architecture interface to
> enable that.

Makes me think of a generic VM control "prefer performance over security",
which would also take care of future problems and let arches decide what is
worth the code.

A main drawback is that this will introduce dynamic branches to the code,
which are going to slow down the common case to speed up a niche.