Subject: Re: [PATCH 1/5] prctl: add PR_ISOLATE_BP process control
From: Christian Borntraeger
Date: Wed, 24 Jan 2018 09:08:49 +0100
To: Dominik Brodowski, Martin Schwidefsky
Cc: linux-kernel@vger.kernel.org, linux-s390@vger.kernel.org, kvm@vger.kernel.org, Heiko Carstens, Paolo Bonzini, Cornelia Huck, David Hildenbrand, Greg Kroah-Hartman, Jon Masters, Marcus Meissner, Jiri Kosina, w@1wt.eu, keescook@chromium.org
Message-Id: <57cfefd8-53c1-9928-23fd-05a50350d0dc@de.ibm.com>
In-Reply-To: <20180123170719.GA4154@isilmar-4.linta.de>
References: <1516712825-2917-1-git-send-email-schwidefsky@de.ibm.com> <1516712825-2917-2-git-send-email-schwidefsky@de.ibm.com> <20180123170719.GA4154@isilmar-4.linta.de>
X-Mailing-List: linux-kernel@vger.kernel.org

On 01/23/2018 06:07 PM, Dominik Brodowski wrote:
> On Tue, Jan 23, 2018 at 02:07:01PM +0100, Martin Schwidefsky wrote:
>> Add the PR_ISOLATE_BP operation to prctl. The effect of the process
>> control is to make all branch prediction entries created by the execution
>> of the user space code of this task not applicable to kernel code or the
>> code of any other task.
>
> What is the rationale for requiring a per-process *opt-in* for this added
> protection?
>
> For KPTI on x86, the exact opposite approach is being discussed (see, e.g.
> http://lkml.kernel.org/r/1515612500-14505-1-git-send-email-w@1wt.eu ): By
> default, play it safe, with KPTI enabled. But for "trusted" processes, one
> may opt out using prctl.

FWIW, this is not about KPTI. s390 always has the kernel in a separate
address space. It's only about potential Spectre-like attacks. This idea is
to be able to isolate in controlled environments, e.g. if you have only one
thread with untrusted code (e.g. jitting remote code). The property of the
branch prediction mode on s390 is that it protects in two ways - against
being attacked but also against being able to attack via the BTB.