Date: Wed, 24 Jan 2018 07:36:05 +0100
From: Martin Schwidefsky
To: Radim Krčmář
Cc: Christian Borntraeger, kvm@vger.kernel.org, Paolo Bonzini, linux-kernel@vger.kernel.org, linux-s390@vger.kernel.org, Heiko Carstens, Cornelia Huck, David Hildenbrand, Greg Kroah-Hartman, Jon Masters, Marcus Meissner, Jiri Kosina
Subject: Re: [PATCH 4/5] s390: define ISOLATE_BP to run tasks with modified branch prediction
In-Reply-To: <20180123203223.GA648@flask>
References: <1516712825-2917-1-git-send-email-schwidefsky@de.ibm.com> <1516712825-2917-5-git-send-email-schwidefsky@de.ibm.com> <20180123203223.GA648@flask>
Message-Id: <20180124073605.494aceb8@mschwideX1>

On Tue, 23 Jan 2018 21:32:24 +0100
Radim Krčmář wrote:

> 2018-01-23 15:21+0100, Christian Borntraeger:
> > Paolo, Radim,
> >
> > this patch not only allows to isolate a userspace process, it also allows us
> > to add a new interface for KVM that would allow us to isolate a KVM guest CPU
> > to no longer being able to inject branches in any host or other guests. (while
> > at the same time QEMU and host kernel can run with full power).
> > We just have to set the TIF bit TIF_ISOLATE_BP_GUEST for the thread that runs a
> > given CPU. This would certainly be an addon patch on top of this patch at a later
> > point in time.
>
> I think that the default should be secure, so userspace will be
> breaking the isolation instead of setting it up and having just one
> place to screw up would be better -- the prctl could decide which
> isolation mode to pick.

The prctl is one direction only. Once a task is "secured" there is no
way back. If we start with a default of secure then *all* tasks will
run with limited branch prediction.

> Maybe we can change the conditions and break logical connection between
> TIF_ISOLATE_BP and TIF_ISOLATE_BP_GUEST, to make a separate KVM
> interface useful.

The thinking here is that you use TIF_ISOLATE_BP to make user space
secure, but you need to close the loophole that you can use a KVM guest
to get out of the secured mode. That is why you need to run the guest
with isolated BP if TIF_ISOLATE_BP is set. But if you want to run qemu
as always and only the KVM guest with isolated BP you need a second
bit, thus TIF_ISOLATE_GUEST_BP.

> > Do you think something similar would be useful for other architectures as well?
>
> It goes against my idea of virtualization, but there probably are users
> that don't care about isolation and still use virtual machines ...
> I expect most architectures to have a fairly similar resolution of
> branch prediction leaks, so the idea should be easily abstractable on
> all levels. (At least x86 is.)

Yes.

> > In that case we should try to come up with a cross-architecture interface to enable
> > that.
>
> Makes me think of a generic VM control "prefer performance over
> security", which would also take care of future problems and let arches
> decide what is worth the code.

VM as in virtual machine or VM as in virtual memory?

> A main drawback is that this will introduce dynamic branches to the
> code, which are going to slow down the common case to speed up a niche.

Where would you place these additional branches? I don't quite get the
idea.

-- 
blue skies,
   Martin.

"Reality continues to ruin my life." - Calvin.