Subject: Re: [RFC 09/10] x86/enter: Create macros to restrict/unrestrict Indirect Branch Speculation
From: Andy Lutomirski
Date: Tue, 23 Jan 2018 19:25:23 -0800
To: "Van De Ven, Arjan"
Cc: Andy Lutomirski, Tim Chen, "Woodhouse, David", Andi Kleen, Tom Lendacky, KarimAllah Ahmed, LKML, Andrea Arcangeli, Arjan van de Ven, "Raj, Ashok", "Mallick, Asit K", Borislav Petkov, "Williams, Dan J", "Hansen, Dave", Greg Kroah-Hartman, "H. Peter Anvin", Ingo Molnar, Janakarajan Natarajan, Joerg Roedel, "Nakajima, Jun", Laura Abbott, Linus Torvalds, Masami Hiramatsu, Paolo Bonzini, Peter Zijlstra, Radim Krcmář, Thomas Gleixner, kvm list, X86 ML
In-Reply-To: <0575AF4FD06DD142AD198903C74E1CC87A5F0AC5@ORSMSX103.amr.corp.intel.com>
References: <1516476182-5153-1-git-send-email-karahmed@amazon.de> <1516476182-5153-10-git-send-email-karahmed@amazon.de> <243BE571-AF73-44B3-8D17-193F9E07686A@amacapital.net> <4e01a7a9-29e4-adcc-3f53-550fb7f3d370@amd.com> <1516724457.9521.156.camel@amazon.co.uk> <20180123224956.GQ7844@tassilo.jf.intel.com> <1516749276.13558.25.camel@amazon.co.uk> <0575AF4FD06DD142AD198903C74E1CC87A5F0AC5@ORSMSX103.amr.corp.intel.com>
List-ID: linux-kernel@vger.kernel.org

> On Jan 23, 2018, at 5:59 PM, Van De Ven, Arjan wrote:
>
>
>>> It is a reasonable approach. Let a process who needs max security
>>> opt in with disabled dumpable. It can have a flush with IBPB clear before
>>> starting to run, and have STIBP set while running.
>>>
>>
>> Do we maybe want a separate opt in? I can easily imagine things like
>> web browsers that *don't* want to be non-dumpable but do want this
>> opt-in.
>
> eventually we need something better. Probably in addition.
> dumpable is used today for things that want this.
>
>>
>> Also, what's the performance hit of STIBP?
>
> pretty steep, but it depends on the CPU generation, for some it's cheaper than others. (yes I realize this is a vague answer, but the range is really from just about zero to oh my god)
>
> I'm not a fan of doing this right now to be honest. We really need to not piecemeal some of this, and come up with a better concept of protection on a higher level.
> For example, you mention web browsers, but the threat model for browsers is generally internet content. For V2 to work you need to get some "evil pointer" into the app from the observer and browsers usually aren't doing that.
> The most likely user would be some software-TPM-like service that has magic keys.
>
> And for keys we want something else... we want an madvise() sort of thing that does a few things, like equivalent of mlock (so the key does not end up in swap),

I'd love to see a slight variant: encrypt that page against some ephemeral key if it gets swapped.

> not having the page (but potentially the rest) end up in core dumps, and the kernel making sure that if the program exits (say for segv) that the key page gets zeroed before going into the free pool. Once you do that as feature, making the key speculation safe is not too hard (intel and arm have cpu options to mark pages for that)
>
>

How do we do that on Intel? Make it UC?