Received: by 10.223.176.5 with SMTP id f5csp2914877wra;
        Mon, 29 Jan 2018 06:09:07 -0800 (PST)
X-Google-Smtp-Source: AH8x2272P6Co3MFmRdM5BGfnNgogcmGr9rYAhnuSXAdBGKS3g/N+lZZ9jWgwa/rvDhD47/kgAPaa
X-Received: by 10.99.180.67 with SMTP id n3mr20521743pgu.169.1517234947590;
        Mon, 29 Jan 2018 06:09:07 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1517234947; cv=none;
        d=google.com; s=arc-20160816;
        b=boujNZH0LPV8w3EUbTrFroJM4x5JXEFgEHtrxHAr9FSxbpWQmRlE8oUegw+uokE6kb
         oppuigJaQjMdJ9AWpc3hhTgJ0Eo7yVto+KtX9GSdwddKU+JNg/A7CNb4e7rG7XoMFcyv
         UGKzrFS6ku9B/cApf7rA4zaV5vzp9RBpG6WIq92vr5mK+ux2RfgpEqIA5rGmjhn/wY/8
         IfR3MtZfNvY6/sX80fWNbYvbvdIfC5V9avx3F6+rCEa838XAaUJFog7ffh8fbOrZ6uor
         0w2A/RAq6VWCbtmj1Ldi77JtHB5+9hNzGIxQHZocq2+vEGYTFoOU9EeZ0M7jt4qVkp0J
         lG1g==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:user-agent:in-reply-to
         :content-disposition:mime-version:references:message-id:subject:cc
         :to:from:date:dkim-signature:arc-authentication-results;
        bh=tKPE/0mThwTy84OqwbZe0iku/+clJMhmTYtzh5tOP5A=;
        b=p5rngyI3VBAdY5ZKQPp0py9kCBLnXYPgigSL1kxdzVjhMycB7kpp+zo3SHqyjZyLDT
         dHBkYBc6+AqrgplPYuPfjy6MiJ1fsMGvvQbxN7dg1KewWlrsnSzfNtlJwkz8n/Fh21zG
         eZkyiqvpyWa4UdzHj+QdNRe5rXRE/P72EBZcGQqwWsKK1i8Pl+Ldiu4xTMUbiA51YC0h
         KVQCa1UxLcFkB7N5xUh+1JmGQgmE/bUWTHML0ZhqwhvzeciP34r5yZ7eYRmfA8gcinor
         5LamLLfNNp+DQoTZc+bR/LN5tVZkZx7ZF3TYDL3n+cVqO8DlVj6DoOeNUiN6roCse6ox
         afGg==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=fail header.i=@infradead.org header.s=merlin.20170209 header.b=ayVOGL+U;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id a11-v6si1229873pls.644.2018.01.29.06.08.52;
        Mon, 29 Jan 2018 06:09:07 -0800 (PST)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       dkim=fail header.i=@infradead.org header.s=merlin.20170209 header.b=ayVOGL+U;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1751920AbeA2OIV (ORCPT <rfc822;mohamedabbas.us@gmail.com>
        + 99 others); Mon, 29 Jan 2018 09:08:21 -0500
Received: from merlin.infradead.org ([205.233.59.134]:56194 "EHLO
        merlin.infradead.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1751337AbeA2OIT (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Mon, 29 Jan 2018 09:08:19 -0500
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed;
        d=infradead.org; s=merlin.20170209; h=In-Reply-To:Content-Type:MIME-Version:
        References:Message-ID:Subject:Cc:To:From:Date:Sender:Reply-To:
        Content-Transfer-Encoding:Content-ID:Content-Description:Resent-Date:
        Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:List-Id:
        List-Help:List-Unsubscribe:List-Subscribe:List-Post:List-Owner:List-Archive;
         bh=tKPE/0mThwTy84OqwbZe0iku/+clJMhmTYtzh5tOP5A=; b=ayVOGL+U4gO86D8nlnxqrXYxF
        f+TD8gGOC1slM7CRMJGanHIrKosxqJrUhtzkmLTGrPTSMaUr8/ATRgSdrUwDIAKy1C2l4jdr2iA1O
        ILmhuKNgndqqJEPQwQ86ryKjoxmbut2425LNBX7PwBeJPuOF9jW+NcS4un7j15TntAUCZqstI1s0L
        SPw0f11vHx5LBaTze43yWnFFVKBetPfCcqHnalV0cBZgA0yWQZYDo+ZSpb5XwRIKOGH3Orcktl+9f
        VJWg8MKe/P5AgVH5P4hDYNgktfM3dVyq08ens6+6WL67Gyco5fU451rBluTAZsZYeYOh7vJRlsC1/
        4xPrNnh7g==;
Received: from j217100.upc-j.chello.nl ([24.132.217.100] helo=hirez.programming.kicks-ass.net)
        by merlin.infradead.org with esmtpsa (Exim 4.89 #1 (Red Hat Linux))
        id 1egA60-0002LO-5r; Mon, 29 Jan 2018 14:07:41 +0000
Received: by hirez.programming.kicks-ass.net (Postfix, from userid 1000)
        id 9D60B20298BA7; Mon, 29 Jan 2018 15:07:37 +0100 (CET)
Date:   Mon, 29 Jan 2018 15:07:37 +0100
From:   Peter Zijlstra <peterz@infradead.org>
To:     Jon Masters <jcm@jonmasters.org>
Cc:     KarimAllah Ahmed <karahmed@amazon.de>,
        linux-kernel@vger.kernel.org, Andi Kleen <ak@linux.intel.com>,
        Andrea Arcangeli <aarcange@redhat.com>,
        Andy Lutomirski <luto@kernel.org>,
        Arjan van de Ven <arjan@linux.intel.com>,
        Ashok Raj <ashok.raj@intel.com>,
        Asit Mallick <asit.k.mallick@intel.com>,
        Borislav Petkov <bp@suse.de>,
        Dan Williams <dan.j.williams@intel.com>,
        Dave Hansen <dave.hansen@intel.com>,
        David Woodhouse <dwmw@amazon.co.uk>,
        Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
        "H . Peter Anvin" <hpa@zytor.com>, Ingo Molnar <mingo@redhat.com>,
        Janakarajan Natarajan <Janakarajan.Natarajan@amd.com>,
        Joerg Roedel <joro@8bytes.org>,
        Jun Nakajima <jun.nakajima@intel.com>,
        Laura Abbott <labbott@redhat.com>,
        Linus Torvalds <torvalds@linux-foundation.org>,
        Masami Hiramatsu <mhiramat@kernel.org>,
        Paolo Bonzini <pbonzini@redhat.com>,
        Radim =?utf-8?B?S3LEjW3DocWZ?= <rkrcmar@redhat.com>,
        Thomas Gleixner <tglx@linutronix.de>,
        Tim Chen <tim.c.chen@linux.intel.com>,
        Tom Lendacky <thomas.lendacky@amd.com>, kvm@vger.kernel.org,
        x86@kernel.org
Subject: Re: [RFC 04/10] x86/mm: Only flush indirect branches when switching
 into non dumpable process
Message-ID: <20180129140737.GS2269@hirez.programming.kicks-ass.net>
References: <1516476182-5153-1-git-send-email-karahmed@amazon.de>
 <1516476182-5153-5-git-send-email-karahmed@amazon.de>
 <20180121112224.GH2269@hirez.programming.kicks-ass.net>
 <a0c832af-cfcf-cde0-199f-298466a70948@jonmasters.org>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <a0c832af-cfcf-cde0-199f-298466a70948@jonmasters.org>
User-Agent: Mutt/1.9.2 (2017-12-15)
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Mon, Jan 29, 2018 at 01:35:30AM -0500, Jon Masters wrote:
> > So if I understand it right, this is only needed if the 'other'
> > executable itself is susceptible to spectre. If say someone audited gpg
> > for spectre-v1 and build it with retpoline, it would be safe to not
> > issue the IBPB, right?
> 
> More importantly, rebuilding the world introduces a lot of challenges
> that need to be discussed heavily before they happen (I would like to
> see someone run a session at one of the various upcoming events on
> userspace, I've already prodded a few people to nudge that forward). In
> particular, we don't have the infrastructure in gcc/glibc to dynamically
> patch userspace call sites to enable/disable retpolines.

GCC/GLIBC do in fact have some infrastructure for this; see
target_clones/ifunc function attributes. We can at (dynamic) link time
select between alternative functions.

With this we could select different retpoline thunks for different
systems, much like what we end up doing for the kernel.

> We discussed nasty hacks last year (I even suggested an ugly kernel
> exported page similar to VDSO that could be implementation patched for
> different uarches), but the bottom line is there isn't anything in place
> to provide a similar userspace experience to what the kernel can do, and
> that would need to be solved in addition to the ELF/ABI bits.

Not sure where you discussed what, but I spoke with a bunch of the
facebook people at plumbers about kernel support for (runtime) userspace
patching a-la asm-goto/jump-labels.

And while that would be entirely fun, I don't see how we'd need this
here.

> > So would it make sense to provide an ELF flag / personality thing such
> > that userspace can indicate its spectre-safe?
> > 
> > I realize that this is all future work, because so far auditing for v1
> > is a lot of pain (we need better tools), but would it be something that
> > makes sense in the longer term?
> 
> So I would just caution that doing this isn't necessarily bad, but it's
> far more than just ELF bits and rebuilding. Once userspace is rebuilt
> with un-nopable retpolines, they're there whether you need them on
> $future_hardware or not, and that fancy branch predictor is useless. So
> we really need a way to allow for userspace patchable calls, or at least
> some kind of plan before everyone runs away with rebuilding.

Just rebuild world again; there's plenty distros where this is not in
fact a difficult thing to do :-) You just don't happen to work for one
... :-)