From: Andy Lutomirski
Date: Thu, 25 Jan 2018 13:53:09 -0800
Subject: Re: [PATCH] x86/retpoline/entry: Disable the entire SYSCALL64 fast path with retpolines on
To: Dan Williams
Cc: Andy Lutomirski, Linus Torvalds, "the arch/x86 maintainers", LKML, Greg Kroah-Hartman, Alan Cox, Jann Horn, Samuel Neves, Kernel Hardening, Borislav Petkov
X-Mailing-List: linux-kernel@vger.kernel.org

On Thu, Jan 25, 2018 at 1:39 PM, Dan Williams wrote:
> On Thu, Jan 25, 2018 at 1:31 PM, Andy Lutomirski wrote:
>> On Thu, Jan 25, 2018 at 1:20 PM, Linus Torvalds
>> wrote:
>>> On Thu, Jan 25, 2018 at 1:08 PM, Andy Lutomirski wrote:
>>>>
>>>> With retpoline, the retpoline in the trampoline sucks. I don't need
>>>> perf for that -- I've benchmarked it both ways. It sucks. I'll fix
>>>> it, but it'll be kind of complicated.
>>>
>>> Ahh, I'd forgotten about that (and obviously didn't see it in the profiles).
>>>
>>> But yeah, that is fixable even if it does require a page per CPU. Or
>>> did you have some clever scheme in mind?
>>
>> Nothing clever. I was going to see if I could get actual
>> binutils-generated relocations to work in the trampoline. We already
>> have code to parse ELF relocations and turn them into a simple table,
>> and it shouldn't be *that* hard to run a separate pass on the entry
>> trampoline.
>>
>> Another potentially useful if rather minor optimization would be to
>> rejigger the SYSCALL_DEFINE macros a bit. Currently we treat all
>> syscalls like this:
>>
>> long func(long arg0, long arg1, long arg2, long arg3, long arg4, long arg5);
>>
>> I wonder if we'd be better off doing:
>>
>> long func(const struct pt_regs *regs);
>>
>> and autogenerating:
>>
>> static long SyS_read(const struct pt_regs *regs)
>> {
>>    return sys_reg(regs->di, ...);
>> }
>
> If you're rejiggering, can we also put in a mechanism for detecting
> which registers to clear so that userspace can't inject useful values
> into speculation paths?
>
> https://patchwork.kernel.org/patch/10153753/

My SYSCALL_DEFINE rejigger suggestion up-thread does this for free as
a side effect.

That being said, I think this would be more accurately characterized
as "so that userspace has a somewhat harder time injecting useful
values into speculation paths".
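
The wrapper scheme discussed in this thread, as an added user-space example (not code from the thread or from the kernel): each generated SyS_<name>(regs) loads only the arguments its syscall declares, so values left in the other argument registers are never passed to the body. DEMO_SYSCALL, SC_ARGSn, do_<name>, demo_table and demo_dispatch are hypothetical names, and struct pt_regs here is a cut-down stand-in with only the six argument registers.

```c
/* User-space stand-in for the kernel's struct pt_regs: only the six x86-64
 * syscall argument registers are modelled (assumption for this example). */
struct pt_regs { unsigned long di, si, dx, r10, r8, r9; };

/* SC_ARGSn(regs): the first n argument registers in syscall ABI order. */
#define SC_ARGS0(r)
#define SC_ARGS1(r) (r)->di
#define SC_ARGS2(r) SC_ARGS1(r), (r)->si
#define SC_ARGS3(r) SC_ARGS2(r), (r)->dx
#define SC_ARGS4(r) SC_ARGS3(r), (r)->r10
#define SC_ARGS5(r) SC_ARGS4(r), (r)->r8
#define SC_ARGS6(r) SC_ARGS5(r), (r)->r9

/* Hypothetical macro: emits SyS_<name>(regs), which loads only the n declared
 * arguments from the saved frame, followed by the typed body do_<name>(...). */
#define DEMO_SYSCALL(n, name, ...)                              \
	static long do_##name(__VA_ARGS__);                     \
	static long SyS_##name(const struct pt_regs *regs)      \
	{ return do_##name(SC_ARGS##n(regs)); }                 \
	static long do_##name(__VA_ARGS__)

/* Toy bodies (constructed) so the wrappers have something to call. */
DEMO_SYSCALL(3, read, unsigned long fd, unsigned long buf, unsigned long count)
{
	(void)buf;
	if (fd != 0)
		return -9;                      /* -EBADF */
	return (long)(count < 16 ? count : 16); /* pretend 16 bytes are available */
}

DEMO_SYSCALL(0, getpid, void)
{
	return 4242;                            /* constructed value */
}

/* Every entry has the same one-pointer signature, so the dispatcher hands
 * over the frame and never materialises r10/r8/r9 for a 3-argument call. */
typedef long (*sys_call_ptr_t)(const struct pt_regs *);
static const sys_call_ptr_t demo_table[] = { SyS_read, SyS_getpid };

long demo_dispatch(unsigned long nr, const struct pt_regs *regs)
{
	if (nr >= sizeof(demo_table) / sizeof(demo_table[0]))
		return -38;                     /* -ENOSYS */
	return demo_table[nr](regs);
}
```
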