Received: by 10.223.176.5 with SMTP id f5csp2508584wra; Sun, 28 Jan 2018 22:37:22 -0800 (PST) X-Google-Smtp-Source: AH8x227vM9Vb6cPTIPiZPZwE36gC9STvG/b5GChsj9WvfMRK/+9sPv2ghPp3ky2+weSBvxycnJC8 X-Received: by 10.101.101.149 with SMTP id u21mr21346485pgv.251.1517207842651; Sun, 28 Jan 2018 22:37:22 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1517207842; cv=none; d=google.com; s=arc-20160816; b=U/5v+uJY1EDH+fs5qHwIe7+GzfItKg/oVWBegIKCDndQ91wABJUBOhpLeTqgvwxKSC Z1ZAcMXKMP1swqmHDRSR6xE1KJZlXfYulHGhNV58I3nSbKUhk+7xUcOKP4gyuOhsZUek a8ku3+a4uFP0ukDOLH7ykLKX9Z2JJHLavkYLOl/O4YHhT411ZCBWtH8C5aI6Fby9zVDk 6wGKfKPdyt+HzuatbYpGz8D0PE0HQSfO37vrYjYzUV1krnPnUJFPh1WjxgNuGpK5MsLe rygFrP2ZenOWpsT49uGFLSwrJoUwT4d03aKZMR9WIhLBtI2BDHBghQ2IPxBBXS5xZpCY hokA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:subject:content-transfer-encoding :in-reply-to:mime-version:user-agent:date:message-id:organization :from:cc:references:to:arc-authentication-results; bh=MsDL5RZ3XLfmtLLIJ87lPWX94e4xZF/ObKRUiufcB38=; b=MJpVXxIxJ6rjGVC3cQq0qVntOeB3MrI8QX9u6OXQ1nYcK0B4m14jb9bz6Ih2olnNG4 7VrdOWXz/pkhLXazaO7dWkt7z00QRpJxsgBOi+WQWb+ydvV5PqKwhyrtWoQuSbe4Y1fI lpVkwxUqljBay5vV+XX+WmY+LZAud6wXnIUbssJYjGQaP8EUoIfF2a/pMGIFt6VJBL0t t3qHVo5MW27QdkrDMmvAexgJ3r3XsazSG6dC4HbuLBRPNG4m1oxLWTR+vDLWw9Z8UE2l Vspdyt6XV5dzStFA9SjmjhoKspkakrnOAXw9sUIRE5IL+gI3yJ80Vz+gK2vYrtu5ZP1d 7Tvw== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id u77si11222371pfd.165.2018.01.28.22.37.08; Sun, 28 Jan 2018 22:37:22 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1751296AbeA2Ggm (ORCPT + 99 others); Mon, 29 Jan 2018 01:36:42 -0500 Received: from edison.jonmasters.org ([173.255.233.168]:48184 "EHLO edison.jonmasters.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751032AbeA2Ggl (ORCPT ); Mon, 29 Jan 2018 01:36:41 -0500 Received: from 173-164-135-226-sfba.hfc.comcastbusiness.net ([173.164.135.226] helo=washington.bos.jonmasters.org) by edison.jonmasters.org with esmtpsa (TLS1.0:DHE_RSA_AES_128_CBC_SHA1:16) (Exim 4.71) (envelope-from ) id 1eg32a-0005bA-1v; Mon, 29 Jan 2018 06:35:40 +0000 To: Peter Zijlstra , KarimAllah Ahmed References: <1516476182-5153-1-git-send-email-karahmed@amazon.de> <1516476182-5153-5-git-send-email-karahmed@amazon.de> <20180121112224.GH2269@hirez.programming.kicks-ass.net> Cc: linux-kernel@vger.kernel.org, Andi Kleen , Andrea Arcangeli , Andy Lutomirski , Arjan van de Ven , Ashok Raj , Asit Mallick , Borislav Petkov , Dan Williams , Dave Hansen , David Woodhouse , Greg Kroah-Hartman , "H . Peter Anvin" , Ingo Molnar , Janakarajan Natarajan , Joerg Roedel , Jun Nakajima , Laura Abbott , Linus Torvalds , Masami Hiramatsu , Paolo Bonzini , =?UTF-8?B?UmFkaW0gS3LEjW3DocWZ?= , Thomas Gleixner , Tim Chen , Tom Lendacky , kvm@vger.kernel.org, x86@kernel.org From: Jon Masters Organization: World Organi{s,z}ation Of Broken Dreams Message-ID: Date: Mon, 29 Jan 2018 01:35:30 -0500 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Thunderbird/45.0 MIME-Version: 1.0 In-Reply-To: <20180121112224.GH2269@hirez.programming.kicks-ass.net> Content-Type: text/plain; charset=windows-1252 Content-Transfer-Encoding: 7bit X-SA-Exim-Connect-IP: 173.164.135.226 X-SA-Exim-Mail-From: jcm@jonmasters.org X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on edison.jonmasters.org X-Spam-Level: X-Spam-Status: No, score=-2.9 required=5.0 tests=ALL_TRUSTED,BAYES_00, URIBL_BLOCKED autolearn=ham version=3.3.1 Subject: Re: [RFC 04/10] x86/mm: Only flush indirect branches when switching into non dumpable process X-SA-Exim-Version: 4.2.1 (built Sun, 08 Nov 2009 07:31:22 +0000) X-SA-Exim-Scanned: Yes (on edison.jonmasters.org) Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Hi Peter, David, all, First a quick note on David's earlier comment, about this optimization being still up for debate. The problem with this optimization as-is is that it doesn't protect userspace-to-userspace unless applications are rebuilt and we get the infrastructure to handle that (ELF, whatever). But... On 01/21/2018 06:22 AM, Peter Zijlstra wrote: > On Sat, Jan 20, 2018 at 08:22:55PM +0100, KarimAllah Ahmed wrote: >> From: Tim Chen >> >> Flush indirect branches when switching into a process that marked >> itself non dumpable. This protects high value processes like gpg >> better, without having too high performance overhead. > > So if I understand it right, this is only needed if the 'other' > executable itself is susceptible to spectre. If say someone audited gpg > for spectre-v1 and build it with retpoline, it would be safe to not > issue the IBPB, right? More importantly, rebuilding the world introduces a lot of challenges that need to be discussed heavily before they happen (I would like to see someone run a session at one of the various upcoming events on userspace, I've already prodded a few people to nudge that forward). In particular, we don't have the infrastructure in gcc/glibc to dynamically patch userspace call sites to enable/disable retpolines. We discussed nasty hacks last year (I even suggested an ugly kernel exported page similar to VDSO that could be implementation patched for different uarches), but the bottom line is there isn't anything in place to provide a similar userspace experience to what the kernel can do, and that would need to be solved in addition to the ELF/ABI bits. > So would it make sense to provide an ELF flag / personality thing such > that userspace can indicate its spectre-safe? > > I realize that this is all future work, because so far auditing for v1 > is a lot of pain (we need better tools), but would it be something that > makes sense in the longer term? So I would just caution that doing this isn't necessarily bad, but it's far more than just ELF bits and rebuilding. Once userspace is rebuilt with un-nopable retpolines, they're there whether you need them on $future_hardware or not, and that fancy branch predictor is useless. So we really need a way to allow for userspace patchable calls, or at least some kind of plan before everyone runs away with rebuilding. (unless they're embedded/Gentoo/whatever...have fun in that case) Jon. P.S. This is why for certain downstream distros you'll see IBPB use like prior to this patch - it'll prevent certain attacks that can't be otherwise mitigated without going and properly solving the tools issue.