Received: by 10.223.176.46 with SMTP id f43csp1061275wra; Fri, 26 Jan 2018 11:10:57 -0800 (PST) X-Google-Smtp-Source: AH8x2252TJftA53QLd2eQwZS0IdDGBYh1InuiPrrVvbDn2SvfQgJkb2/IrM1jPGGn+HK5G+eY/OA X-Received: by 2002:a17:902:6e8c:: with SMTP id v12-v6mr15414599plk.14.1516993856983; Fri, 26 Jan 2018 11:10:56 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1516993856; cv=none; d=google.com; s=arc-20160816; b=DC+xLDdgzXpPLhxJuARVCGaS2a2vi5lQSm7tqj6ic+nV81DU46qkfwmf+6tZ793jnh onryw1T+FgplyuOMOh3dM6ZtsgtGPHEfnINxN2ubTnI7JxKOap5TKbqAwgECQLjXYdcG leqJ3GiLTSk/aFz4NCcLARj7Aubm990HSYG/bBbwhXXitOVf9EKRzwvOsvoftBN3DDeh oiD8MUw+9XrdEJYInpdmC7xXTy9H0ju/uZIVZwsNWFV+E0xeODSIDte0ASCqhFvioK/z hIvBhUoUlJKCiynE4I3EiL9qTbpoE1riixxkOKbmO3OIXCkYRJj6wapZPeZUQJzx9GBI nCIw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:user-agent:in-reply-to :content-disposition:mime-version:references:message-id:subject:cc :to:from:date:dkim-signature:arc-authentication-results; bh=5f5U29U7yOTCKkq0c5bpuqt4OLSTS/U88J75amTJyBc=; b=XqydzDU0IqPwa7z29pJ8mZNK9Cl58xuov7xsw7Tuq6KQbF4BhCcwbJBP+HQ//WO40f WGWVMYlAh4ju1H84BbLFkMez4260APlY9Gz1WYiGwtARxp3NNn1gM4abslEcLel6Lz0L Wkv6/x/nC0Jlf1aEbzF6OvvzqFpwnFaiPh3V4CT4TZWUZzT6BY/ko22ljukrX3FwtqcC xIms+4ZQfFmyuHk/XfZZG2hpm1a9b8T/jdAvSjxffB4bZwGQ8nDReeTM8WCICrmrjk7y 1/TV5igLjkyMpJiQfrXz7KjYgqTrca3VWDil/aXuHAchECDNn+W62OCWFw3M907toLs5 a8qQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@oracle.com header.s=corp-2017-10-26 header.b=ULDBQHWf; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=oracle.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id p1si3348767pge.487.2018.01.26.11.10.42; Fri, 26 Jan 2018 11:10:56 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@oracle.com header.s=corp-2017-10-26 header.b=ULDBQHWf; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=oracle.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1753074AbeAZTJs (ORCPT + 99 others); Fri, 26 Jan 2018 14:09:48 -0500 Received: from aserp2120.oracle.com ([141.146.126.78]:57628 "EHLO aserp2120.oracle.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1753055AbeAZTJq (ORCPT ); Fri, 26 Jan 2018 14:09:46 -0500 Received: from pps.filterd (aserp2120.oracle.com [127.0.0.1]) by aserp2120.oracle.com (8.16.0.22/8.16.0.22) with SMTP id w0QJ2NIv028933; Fri, 26 Jan 2018 19:03:03 GMT DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=oracle.com; h=date : from : to : cc : subject : message-id : references : mime-version : content-type : in-reply-to; s=corp-2017-10-26; bh=5f5U29U7yOTCKkq0c5bpuqt4OLSTS/U88J75amTJyBc=; b=ULDBQHWfkUk3TZ8Smw221APrU1UNKEkBX58Vg946NTAcLLnZmSzXlpy/x4Jud9wCbJJ5 mmDvSnR9EPRjv6LSQH22ofS9GoP06HoL6cisBzecyahk4v38V6FsMN43uk3crYpnFI9r jlxLly42Mo/xO+q4DyvRtyjxcGIVm+DqPr11jiZUngu1pCtK2Xamirx9eHVKCPVDxw5G OI0eWgsDyVhQk1NmLM7ie4wcBEla3Vev2r2+C8kldJPzPIIE4Rl/xceOy+OAGfpytgRu rJ+41/CD6Jm46bUwftzl8/NiVaNLhoJZJfsE61bV4Y/I0DD3BJV/qc6tusyr3oIRgNfC xg== Received: from aserv0022.oracle.com (aserv0022.oracle.com [141.146.126.234]) by aserp2120.oracle.com with ESMTP id 2fr7pbgvjy-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Fri, 26 Jan 2018 19:03:03 +0000 Received: from aserv0122.oracle.com (aserv0122.oracle.com [141.146.126.236]) by aserv0022.oracle.com (8.14.4/8.14.4) with ESMTP id w0QJ33lh023528 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=FAIL); Fri, 26 Jan 2018 19:03:03 GMT Received: from abhmp0009.oracle.com (abhmp0009.oracle.com [141.146.116.15]) by aserv0122.oracle.com (8.14.4/8.14.4) with ESMTP id w0QJ317V029129; Fri, 26 Jan 2018 19:03:01 GMT Received: from char.us.oracle.com (/10.137.176.158) by default (Oracle Beehive Gateway v4.0) with ESMTP ; Fri, 26 Jan 2018 11:03:01 -0800 Received: by char.us.oracle.com (Postfix, from userid 1000) id AB33A6A0A2D; Fri, 26 Jan 2018 14:02:57 -0500 (EST) Date: Fri, 26 Jan 2018 14:02:57 -0500 From: Konrad Rzeszutek Wilk To: Andi Kleen Cc: Linus Torvalds , David Woodhouse , Dave Hansen , Liran Alon , Laura Abbott , Andrew Lutomirski , Janakarajan Natarajan , Borislav Petkov , "Mallick, Asit K" , Radim =?utf-8?B?S3LEjW3DocWZ?= , KarimAllah Ahmed , Peter Anvin , Jun Nakajima , Ingo Molnar , the arch/x86 maintainers , Ashok Raj , "Van De Ven, Arjan" , Tim Chen , Paolo Bonzini , Linux Kernel Mailing List , Peter Zijlstra , Thomas Gleixner , Greg Kroah-Hartman , Masami Hiramatsu , Arjan van de Ven , Tom Lendacky , Dan Williams , Joerg Roedel , Andrea Arcangeli , KVM list , Boris Ostrovsky Subject: Re: [RFC 09/10] x86/enter: Create macros to restrict/unrestrict Indirect Branch Speculation Message-ID: <20180126190257.GS14668@char.us.oracle.com> References: <7c0b0879-3448-43e4-8380-4708fc787113@default> <50c5d627-8975-184b-b50f-4cc02c5816c5@intel.com> <1516957886.30244.161.camel@infradead.org> <20180126175901.GL26209@tassilo.jf.intel.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20180126175901.GL26209@tassilo.jf.intel.com> User-Agent: Mutt/1.8.3 (2017-05-23) X-Proofpoint-Virus-Version: vendor=nai engine=5900 definitions=8786 signatures=668655 X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 suspectscore=0 malwarescore=0 phishscore=0 bulkscore=0 spamscore=0 mlxscore=0 mlxlogscore=766 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1711220000 definitions=main-1801260249 Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Fri, Jan 26, 2018 at 09:59:01AM -0800, Andi Kleen wrote: > On Fri, Jan 26, 2018 at 09:19:09AM -0800, Linus Torvalds wrote: > > On Fri, Jan 26, 2018 at 1:11 AM, David Woodhouse wrote: > > > > > > Do we need to look again at the fact that we've disabled the RSB- > > > stuffing for SMEP? > > > > Absolutely. SMEP helps make people a lot less worried about things, > > but it doesn't fix the "BTB only contains partial addresses" case. > > > > But did we do that "disable stuffing with SMEP"? I'm not seeing it. In > > my tree, it's only conditional on X86_FEATURE_RETPOLINE. > > For Skylake we need RSB stuffing even with SMEP to avoid falling back to the > BTB on underflow. > > It's also always needed with virtualization. -ECONFUSED, see ==> Is this incorrect then? I see: 241 * Skylake era CPUs have a separate issue with *underflow* of the 242 * RSB, when they will predict 'ret' targets from the generic BTB. 243 * The proper mitigation for this is IBRS. If IBRS is not supported 244 * or deactivated in favour of retpolines the RSB fill on context 245 * switch is required. 246 */ which came from this: commit c995efd5a740d9cbafbf58bde4973e8b50b4d761 Author: David Woodhouse Date: Fri Jan 12 17:49:25 2018 +0000 x86/retpoline: Fill RSB on context switch for affected CPUs On context switch from a shallow call stack to a deeper one, as the CPU does 'ret' up the deeper side it may encounter RSB entries (predictions for where the 'ret' goes to) which were populated in userspace. This is problematic if neither SMEP nor KPTI (the latter of which marks userspace pages as NX for the kernel) are active, as malicious code in userspace may then be executed speculatively. Overwrite the CPU's return prediction stack with calls which are predicted to return to an infinite loop, to "capture" speculation if this happens. This is required both for retpoline, and also in conjunction with IBRS for !SMEP && !KPTI. On Skylake+ the problem is slightly different, and an *underflow* of the RSB may cause errant branch predictions to occur. So there it's not so much overwrite, as *filling* the RSB to attempt to prevent it getting empty. This is only a partial solution for Skylake+ since there are many ==>other conditions which may result in the RSB becoming empty. The full <== ==>solution on Skylake+ is to use IBRS, which will prevent the problem even <== when the RSB becomes empty. With IBRS, the RSB-stuffing will not be required on context switch. Signed-off-by: David Woodhouse Signed-off-by: Thomas Gleixner Acked-by: Arjan van de Ven The "full solution" is what is making me confused. > > -Andi