Received: by 10.223.176.46 with SMTP id f43csp2011780wra;
        Thu, 25 Jan 2018 03:35:23 -0800 (PST)
X-Google-Smtp-Source: AH8x227Mfh7ynOhL29YyiHXKikqaSYS11fyeQUheRqaTTytzl6Ki/NgrntMQSMRkybbAj/YRBGBo
X-Received: by 10.98.201.199 with SMTP id l68mr15993552pfk.199.1516880122941;
        Thu, 25 Jan 2018 03:35:22 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1516880122; cv=none;
        d=google.com; s=arc-20160816;
        b=YkuypBvu4tGdyfsKojR7GolcHnyfXzeBUudIwTTi5Ba6mQgEVAlW9CvRJwnGD8FfPB
         1tW2vGLIaYK0ncoadn10+jnU9m6LuMzy66dwLmgartzo7U0mqdBtmQLWxtjiOsZF+DVz
         j9jOqtjCJ6mNF0e8sEBJjkMdR+zBeU4ZlZzIDRUvpZFqtyd0pGb7JcCRrSUWhrH7f9eb
         tBHhtaJ8fqT/DF/H/l6zQSCIMQ1jBUkCBA1JWNyd5DPUolFE+5shW7280wrNrPNF1bj/
         LXlMmwRPhDQvIXzf5GdJY6xOkm/IJ+7U5PsuIO0kuRWGGIFFHOJ8GQXB5AvWvlnsg89h
         4BGQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:mime-version:user-agent:references
         :message-id:in-reply-to:subject:cc:to:from:date
         :arc-authentication-results;
        bh=225Ey7qCMDdrIK4y5jVblbE7bLcUDrolPNDZC1Z9RGM=;
        b=NreUE4HXUqrLl9JJ/yUQSaZs0HfeYtVoI0hc7PAEtsHW994/5e4CU3R3ZbGX+uNB0/
         UvlsdX5fKXEgHarETzkQr7lByON/roM3aZ8Yn77uL3PRI9WWetRKgtd+qYcUTai+NQBq
         LNUMHfeDRF/ZwpqemAjXC2Xx26RAZUwzgIrCopvQvPvpKsXUK0R4Cd9N0tS82B6N9kgR
         9HOQ9P9SKc5cEisXY6vf0Y0gynbQQQzFzrv708fKeT6eKigRbbmQQ/NEdxR2W7uaSvQ7
         AX0vccTfc84Cll/IbyZ8g1tjHVkc7fjANLILCNpa51fYIgvx9v2fZtf9Qdv/Db4+XLyd
         dMWg==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id 3-v6si1838803plt.307.2018.01.25.03.35.08;
        Thu, 25 Jan 2018 03:35:22 -0800 (PST)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1751631AbeAYLeM (ORCPT <rfc822;marvinzhang.kernel@gmail.com>
        + 99 others); Thu, 25 Jan 2018 06:34:12 -0500
Received: from Galois.linutronix.de ([146.0.238.70]:34881 "EHLO
        Galois.linutronix.de" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1750769AbeAYLeL (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Thu, 25 Jan 2018 06:34:11 -0500
Received: from hsi-kbw-5-158-153-52.hsi19.kabel-badenwuerttemberg.de ([5.158.153.52] helo=nanos)
        by Galois.linutronix.de with esmtpsa (TLS1.2:DHE_RSA_AES_256_CBC_SHA256:256)
        (Exim 4.80)
        (envelope-from <tglx@linutronix.de>)
        id 1eefkb-00014a-Ne; Thu, 25 Jan 2018 12:31:25 +0100
Date:   Thu, 25 Jan 2018 12:34:06 +0100 (CET)
From:   Thomas Gleixner <tglx@linutronix.de>
To:     David Woodhouse <dwmw2@infradead.org>
cc:     arjan@linux.intel.com, karahmed@amazon.de, x86@kernel.org,
        linux-kernel@vger.kernel.org, tim.c.chen@linux.intel.com,
        bp@alien8.de, peterz@infradead.org, pbonzini@redhat.com,
        ak@linux.intel.com, torvalds@linux-foundation.org,
        gregkh@linux-foundation.org, dave.hansen@intel.com,
        gnomes@lxorguk.ukuu.org.uk, ashok.raj@intel.com, mingo@kernel.org
Subject: Re: [PATCH v4 6/7] x86/cpufeature: Blacklist SPEC_CTRL on early
 Spectre v2 microcodes
In-Reply-To: <1516879213.30244.74.camel@infradead.org>
Message-ID: <alpine.DEB.2.20.1801251221360.2020@nanos>
References: <1516872189-16577-1-git-send-email-dwmw@amazon.co.uk>  <1516872189-16577-7-git-send-email-dwmw@amazon.co.uk>  <1516876994.30244.51.camel@infradead.org>  <alpine.DEB.2.20.1801251146450.2020@nanos> <1516879213.30244.74.camel@infradead.org>
User-Agent: Alpine 2.20 (DEB 67 2015-01-07)
MIME-Version: 1.0
Content-Type: multipart/mixed; BOUNDARY="8323329-1168674758-1516880047=:2020"
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

  This message is in MIME format.  The first part should be readable text,
  while the remaining parts are likely unreadable without MIME-aware tools.

--8323329-1168674758-1516880047=:2020
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8BIT

On Thu, 25 Jan 2018, David Woodhouse wrote:
> On Thu, 2018-01-25 at 11:54 +0100, Thomas Gleixner wrote:
> > On Thu, 25 Jan 2018, David Woodhouse wrote:
> > > Thomas, want another copy in email now, or were we waiting for another
> > > round of these before you merge them anyway?
> > Looking at this mess makes me even less convinced that a blacklist is a
> > good idea. We have already at least 3 different variants of blacklists.
> > 
> > So I rather see a whitelist approach which says:
> > 
> >    if (ucode_version < known_good(family, model))
> >        return;
> > 
> > I know it would require that Intel releases a set of known good ucodes at
> > some point in the future, but that's a reasonable request.
> > 
> > I rather take a few patches which add the cutoff for family/model (and NO,
> > I don't want to add stepping into the mix at all) than having this
> > blacklist mess which keeps changing every other day.
> 
> I don't know why they added KBL 0x84 microcode; I'm not aware that it's
> been released. Maybe it escaped somewhere so that's why they added it
> to the doc.
> 
> If they ship another bad microcode revision to the public, newer than
> the ones which are already in that list, then there is something
> *SEVERELY* wrong. Wronger than we already know.

Well, all of this is already wrong.

> And if we take this 'piecemeal whitelist' approach, they're going to
> have to add the newly-released microcodes to the kernel each time they
> do a release which covers a new SKU — so it's not like it'll even help,
> because if they *do* ship another bad one, we'll *already* have added
> it to the kernel by the time we realise.

Fair enough.

> I don't expect them to *keep* doing daily releases of the blacklist
> doc; it's just been a bit rushed, that's all. I think we're much better
> off doing it this way than saying that we'll keep taking incremental
> updates as they do new releases.
> 
> Also, I don't think we can avoid looking at the stepping. Not unless
> you want to make Intel synchronise the microcode version numbers for
> different steppings of the same model? Because they aren't at the
> moment.

This stuff is really a master piece of trainwreck engineering.

So yeah, whatever we do we end up with a proper mess. Lets go for a
blacklist and hope that we'll have something which holds at some
foreseeable day in the future.

The other concern I have is IBRS vs. IBPB. Are we sufficiently sure that
IBPB is working on those IBRS blacklisted ucode revisions? Or should we
just play safe and not touch any of this at all when we detect a
blacklisted one?

Given the close to 0 trust in Intels change management and QA, I rather
keep my hands from everything which was ever mentioned in any document as
broken. I hope we have a collection of those PDFs stored at a safe place.

Thanks,

	tglx
--8323329-1168674758-1516880047=:2020--