Received: by 10.223.176.46 with SMTP id f43csp102851wra;
        Tue, 23 Jan 2018 17:01:54 -0800 (PST)
X-Google-Smtp-Source: AH8x226SkTGdXYfXV7qIg2olN3SyY5VDvdxMp+TUsnLjfU99iioGHa+7h6XDRVLprx4nlmksegHo
X-Received: by 10.98.159.25 with SMTP id g25mr11475695pfe.224.1516755713974;
        Tue, 23 Jan 2018 17:01:53 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1516755713; cv=none;
        d=google.com; s=arc-20160816;
        b=VUyGUrWJCo2DCWDdgquN95kxwxEe/cXL3M/00/ZETC6j2uoggUmQ77GKjOVu7bfPET
         Mn5Cbl4p6fSV7Atw0no2QzxBwcExFEVEMlcf/Ip+QuMiNCqQLIis1nHdLlinhSHL/+rp
         tYmJMLcULu0L9GSlYg62s4yVHv4B7DatF2pHAvz57l+Opz8tahnhdr6edl36yOr87WHp
         7uuZXoHFw7RfikQ20HMf+1jEg0AtUZp09n3GuHUv2ylk5DU68sP32+4Mpx6DGM560RQl
         8+H6c/dLCCDir3quwrdW8n+CoIF3KNPdxZcjyF6nir6MJ1uvv57/PlqQpX3CK2OqOc7v
         ltfg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:cc:to:subject:message-id:date:from
         :references:in-reply-to:mime-version:dmarc-filter
         :arc-authentication-results;
        bh=Hf1/tALYn7B2gp7FpWsIQ8tazl1Sr3gcHAP2/YduOaU=;
        b=OHuxob/Z18POPJCvHYTpd8MdH9sqRw5GzB8GaXNbiml6IG7kp7tB1R0KkhkppLMwWK
         WawoW6CZeVph6aJSvQdWYsYpvaFSuK+gXRFrB8BJqCPhqBJq1uHdG8mu+u93oybU8qhL
         7HtaMq8XuLa+Ug5CuR1IuxoZU/a/+pfFfrWbtYwDCZrpW+6m7SGo9YRDNVIQ1ZGm7qni
         E95JvNY0UPYtbx0osoMy+Z0pn59hXh0EnxTP5a0yw3b78clAftlk6J2O3kfyRdGf+H3T
         N5a7X1ItMHYGUiKJ8KAMX8tqrmgFbg2soXVB+YNDopyQSMO9FkZC+eOqIZjG4QvpCqjh
         zibA==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id x5si11504986pgo.709.2018.01.23.17.01.39;
        Tue, 23 Jan 2018 17:01:53 -0800 (PST)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S932456AbeAXBBM (ORCPT <rfc822;xuyizhaos@gmail.com> + 99 others);
        Tue, 23 Jan 2018 20:01:12 -0500
Received: from mail.kernel.org ([198.145.29.99]:58928 "EHLO mail.kernel.org"
        rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
        id S932083AbeAXBBL (ORCPT <rfc822;linux-kernel@vger.kernel.org>);
        Tue, 23 Jan 2018 20:01:11 -0500
Received: from mail-io0-f174.google.com (mail-io0-f174.google.com [209.85.223.174])
        (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
        (No client certificate requested)
        by mail.kernel.org (Postfix) with ESMTPSA id 0E491217A1
        for <linux-kernel@vger.kernel.org>; Wed, 24 Jan 2018 01:01:11 +0000 (UTC)
DMARC-Filter: OpenDMARC Filter v1.3.2 mail.kernel.org 0E491217A1
Authentication-Results: mail.kernel.org; dmarc=none (p=none dis=none) header.from=kernel.org
Authentication-Results: mail.kernel.org; spf=none smtp.mailfrom=luto@kernel.org
Received: by mail-io0-f174.google.com with SMTP id d13so3015743iog.5
        for <linux-kernel@vger.kernel.org>; Tue, 23 Jan 2018 17:01:11 -0800 (PST)
X-Gm-Message-State: AKwxytebQrRHiSLQ/MenpinrKF1pULZDAGs2Ja+t9VJTgsLpDdNdTYFP
        +JwXH3SlJilzHWRDGepy5PtTSd916kGv3b8hMkx7Gg==
X-Received: by 10.107.167.136 with SMTP id q130mr6451129ioe.173.1516755670327;
 Tue, 23 Jan 2018 17:01:10 -0800 (PST)
MIME-Version: 1.0
Received: by 10.2.137.84 with HTTP; Tue, 23 Jan 2018 17:00:49 -0800 (PST)
In-Reply-To: <cac69284-e76f-6081-62db-adb4dc123045@linux.intel.com>
References: <1516476182-5153-1-git-send-email-karahmed@amazon.de>
 <1516476182-5153-10-git-send-email-karahmed@amazon.de> <243BE571-AF73-44B3-8D17-193F9E07686A@amacapital.net>
 <4e01a7a9-29e4-adcc-3f53-550fb7f3d370@amd.com> <1516724457.9521.156.camel@amazon.co.uk>
 <fb2b5589-e14c-470e-2de0-d9da1667bace@amd.com> <20180123224956.GQ7844@tassilo.jf.intel.com>
 <1516749276.13558.25.camel@amazon.co.uk> <cac69284-e76f-6081-62db-adb4dc123045@linux.intel.com>
From:   Andy Lutomirski <luto@kernel.org>
Date:   Tue, 23 Jan 2018 17:00:49 -0800
X-Gmail-Original-Message-ID: <CALCETrUTjw+KHFA3a4eL+ds=HOoK_BFWZPdkeOkfcn=Oq-F2+w@mail.gmail.com>
Message-ID: <CALCETrUTjw+KHFA3a4eL+ds=HOoK_BFWZPdkeOkfcn=Oq-F2+w@mail.gmail.com>
Subject: Re: [RFC 09/10] x86/enter: Create macros to restrict/unrestrict
 Indirect Branch Speculation
To:     Tim Chen <tim.c.chen@linux.intel.com>
Cc:     "Woodhouse, David" <dwmw@amazon.co.uk>,
        Andi Kleen <ak@linux.intel.com>,
        Tom Lendacky <thomas.lendacky@amd.com>,
        KarimAllah Ahmed <karahmed@amazon.de>,
        LKML <linux-kernel@vger.kernel.org>,
        Andrea Arcangeli <aarcange@redhat.com>,
        Andy Lutomirski <luto@kernel.org>,
        Arjan van de Ven <arjan@linux.intel.com>,
        Ashok Raj <ashok.raj@intel.com>,
        Asit Mallick <asit.k.mallick@intel.com>,
        Borislav Petkov <bp@suse.de>,
        Dan Williams <dan.j.williams@intel.com>,
        Dave Hansen <dave.hansen@intel.com>,
        Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
        "H . Peter Anvin" <hpa@zytor.com>, Ingo Molnar <mingo@redhat.com>,
        Janakarajan Natarajan <Janakarajan.Natarajan@amd.com>,
        Joerg Roedel <joro@8bytes.org>,
        Jun Nakajima <jun.nakajima@intel.com>,
        Laura Abbott <labbott@redhat.com>,
        Linus Torvalds <torvalds@linux-foundation.org>,
        Masami Hiramatsu <mhiramat@kernel.org>,
        Paolo Bonzini <pbonzini@redhat.com>,
        Peter Zijlstra <peterz@infradead.org>,
        =?UTF-8?B?UmFkaW0gS3LEjW3DocWZ?= <rkrcmar@redhat.com>,
        Thomas Gleixner <tglx@linutronix.de>,
        kvm list <kvm@vger.kernel.org>, X86 ML <x86@kernel.org>,
        Arjan Van De Ven <arjan.van.de.ven@intel.com>
Content-Type: text/plain; charset="UTF-8"
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Tue, Jan 23, 2018 at 4:47 PM, Tim Chen <tim.c.chen@linux.intel.com> wrote:
> On 01/23/2018 03:14 PM, Woodhouse, David wrote:
>> On Tue, 2018-01-23 at 14:49 -0800, Andi Kleen wrote:
>>>> Not sure.  Maybe to start, the answer might be to allow it to be set for
>>>> the ultra-paranoid, but in general don't enable it by default.  Having it
>>>> enabled would be an alternative to someone deciding to disable SMT, since
>>>> that would have even more of a performance impact.
>>>
>>> I agree. A reasonable strategy would be to only enable it for
>>> processes that have dumpable disabled. This should be already set for
>>> high value processes like GPG, and allows others to opt-in if
>>> they need to.
>>
>> That seems to make sense, and I think was the solution we were
>> approaching for IBPB on context switch too, right?
>>
>> Are we generally agreed on dumpable as the criterion for both of those?
>>
>
> It is a reasonable approach.  Let a process who needs max security
> opt in with disabled dumpable. It can have a flush with IBPB clear before
> starting to run, and have STIBP set while running.
>

Do we maybe want a separate opt in?  I can easily imagine things like
web browsers that *don't* want to be non-dumpable but do want this
opt-in.

Also, what's the performance hit of STIBP?