Received: by 10.223.176.5 with SMTP id f5csp3621962wra;
        Mon, 29 Jan 2018 16:24:22 -0800 (PST)
X-Google-Smtp-Source: AH8x224UrkYu9NaQQjYrqr1efmlw+q8xHcho8MCBr9zGNJ762s9+EtIfeWxh8DY1Y8ge54svq84d
X-Received: by 10.99.113.15 with SMTP id m15mr23659817pgc.236.1517271862597;
        Mon, 29 Jan 2018 16:24:22 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1517271862; cv=none;
        d=google.com; s=arc-20160816;
        b=D8Suujt8IikteOskdCstWxc2mkAHP1YOJqi+2ZNt1wybz+IfW2Rb52DcTmEYPvCxHv
         nUN+2STuZmBSooI7L4hLdwXXaNtcXErVVw8Nxo6MFwYjh1mlwt/Zs66G5IbzQV/XWKfz
         moaPYhvVLqG7mjvKWbftEksv5ssBPj9bTzGw0QYtFWEW9wX5cbSp98ueBsv+J/YTBCTF
         1FPdG6TDDyitTBW+zJBEp2OJZtK8ATuhcXAMjRz6rdT2qRKb/1ebE18/p0/jc4cR0h/7
         8bIGezf1mGz9W8QgPNgjMvWz06Vnk6d/VrKZIEZXKRYdJZf15qhry9+nGhsnyr5bLSuz
         Ahwg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:cc:to:subject:message-id:date:from
         :references:in-reply-to:mime-version:dkim-signature
         :arc-authentication-results;
        bh=dTWEETC8n1HLBXNDPduY7SQvo0SOvBP720bORgy0Ba8=;
        b=YFzdsNE0WTVKXV/YdvV4Ihu4RYcFtqQTrxh+AMajLQ6WL+0UIg+cykPMLOOhiW/dBb
         RcUEtmwy+tTNwkYILsH6LN+wP+Lc09XRywMP4iIYbLMRYSipO0BCCqrT+pnd5zRRir7q
         mRphx2r+b4Ktv4b+8HkpgJFzW2XSP145EyzbcW0idKKj65IYF9zz8fplmfwV6oYYrEN1
         XfXs0hO4kLjxEh9aWZQo42iHZsMbk4PwRHe0y4L/qgnFQONsjDzbJ6vk8/WxJZ+ytstb
         vJ7/vhjpy5m6cxMBBQDPkMsk8mLMXETRL/k3lXYQBi4uDhD7N00rAukIfbrgf36pjIvA
         e6BQ==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=fail header.i=@gmail.com header.s=20161025 header.b=Wr+MlbLd;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id b3-v6si10429512plx.805.2018.01.29.16.24.08;
        Mon, 29 Jan 2018 16:24:22 -0800 (PST)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       dkim=fail header.i=@gmail.com header.s=20161025 header.b=Wr+MlbLd;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1752302AbeA3AXd (ORCPT <rfc822;vladislav.valtchev@gmail.com>
        + 99 others); Mon, 29 Jan 2018 19:23:33 -0500
Received: from mail-oi0-f45.google.com ([209.85.218.45]:34517 "EHLO
        mail-oi0-f45.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1752076AbeA3AXa (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Mon, 29 Jan 2018 19:23:30 -0500
Received: by mail-oi0-f45.google.com with SMTP id k15so6511914oib.1;
        Mon, 29 Jan 2018 16:23:30 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20161025;
        h=mime-version:sender:in-reply-to:references:from:date:message-id
         :subject:to:cc;
        bh=dTWEETC8n1HLBXNDPduY7SQvo0SOvBP720bORgy0Ba8=;
        b=Wr+MlbLd511TM++DJ1RnFNs7pkZLGoX+MrfCPqa4SGPRNCyD2891OQD/5qZX4mGdKf
         LRFmK/LnN8y9UEvBO15UZcevdrGvnE/PYdfn9SNu4hNRN7hflOmbCztivN+OoqG61IF/
         1XmLiZ8eBlfj4TELr42VUm7uQ8KR0GIVFdLxBrvKRixtvZcRaf/Zol4dUfE75ehbUYcx
         6oV453Fi5FbpMjd0D/IHk6NE4lBJCrE2j+hL5HfOyXzUKCi2TfdevewnR1eSWCqIYplC
         7ifLdw/W+UPsChDl/VCUxMkTjqlu+mradnWHb69sll5wd6ESxdvPus/AwWKxuSC0AxOU
         xfeA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:mime-version:sender:in-reply-to:references:from
         :date:message-id:subject:to:cc;
        bh=dTWEETC8n1HLBXNDPduY7SQvo0SOvBP720bORgy0Ba8=;
        b=H+DgU920HU5a+Bx9HulX0jYEgg+BUktm699PdRZJdv3HDL3vQy+AQTsOuyQVqeU4Zq
         WEbvzHPA/0W3lGRXAMgXfcGV/3jmN/o9x6V5hzY0QB9Oh1mPKR6HFGlqnpRT4hChWfux
         NkLflFU9Cm71XoDUolRMg/lP185k8At38y51SubQAD0PXC9lxe0bczJOX+AFcskert/U
         EpKlupJ7/kUCKhevMy6FYgEpIFDhguU8I9DGh0S14IwEI3JW8y7sNp4RLvGBI4V56M1x
         jECDJ4ia01EXXkbv2NkpSiDPmkIJGgHGhHEiqbVDHcCVx8GWYkgvddl3OP/P7OOifRSR
         utng==
X-Gm-Message-State: AKwxytcD22vF3dGhBSYjvSFz+HuIAhDEPCgKLlgsLDurMnbaswPjBNBL
        jQ/gqcUQiE7GHB8LjYL5Wt7i7NqXKEIBSb3umdrXAQ==
X-Received: by 10.202.236.3 with SMTP id k3mr3480981oih.215.1517271809773;
 Mon, 29 Jan 2018 16:23:29 -0800 (PST)
MIME-Version: 1.0
Received: by 10.74.165.145 with HTTP; Mon, 29 Jan 2018 16:23:28 -0800 (PST)
In-Reply-To: <1517259759.18619.38.camel@infradead.org>
References: <1516476182-5153-6-git-send-email-karahmed@amazon.de>
 <20180129201404.GA1588@localhost.localdomain> <1517257022.18619.30.camel@infradead.org>
 <20180129204256.GV25150@localhost.localdomain> <31415b7f-9c76-c102-86cd-6bf4e23e3aee@linux.intel.com>
 <1517259759.18619.38.camel@infradead.org>
From:   Linus Torvalds <torvalds@linux-foundation.org>
Date:   Mon, 29 Jan 2018 16:23:28 -0800
X-Google-Sender-Auth: wxfEIZLPZ7SdUPZSzGTN7iTFFgI
Message-ID: <CA+55aFxBh3LvsQq9wy313NQCn3iu+yuAmsi0zNVxWmGDUUds-A@mail.gmail.com>
Subject: Re: [RFC,05/10] x86/speculation: Add basic IBRS support infrastructure
To:     David Woodhouse <dwmw2@infradead.org>
Cc:     Arjan van de Ven <arjan@linux.intel.com>,
        Eduardo Habkost <ehabkost@redhat.com>,
        KarimAllah Ahmed <karahmed@amazon.de>,
        Linux Kernel Mailing List <linux-kernel@vger.kernel.org>,
        Andi Kleen <ak@linux.intel.com>,
        Andrea Arcangeli <aarcange@redhat.com>,
        Andy Lutomirski <luto@kernel.org>,
        Ashok Raj <ashok.raj@intel.com>,
        Asit Mallick <asit.k.mallick@intel.com>,
        Borislav Petkov <bp@suse.de>,
        Dan Williams <dan.j.williams@intel.com>,
        Dave Hansen <dave.hansen@intel.com>,
        Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
        "H . Peter Anvin" <hpa@zytor.com>, Ingo Molnar <mingo@redhat.com>,
        Janakarajan Natarajan <Janakarajan.Natarajan@amd.com>,
        Joerg Roedel <joro@8bytes.org>,
        Jun Nakajima <jun.nakajima@intel.com>,
        Laura Abbott <labbott@redhat.com>,
        Masami Hiramatsu <mhiramat@kernel.org>,
        Paolo Bonzini <pbonzini@redhat.com>,
        Peter Zijlstra <peterz@infradead.org>,
        =?UTF-8?B?UmFkaW0gS3LEjW3DocWZ?= <rkrcmar@redhat.com>,
        Thomas Gleixner <tglx@linutronix.de>,
        Tim Chen <tim.c.chen@linux.intel.com>,
        Tom Lendacky <thomas.lendacky@amd.com>,
        KVM list <kvm@vger.kernel.org>,
        "the arch/x86 maintainers" <x86@kernel.org>,
        "Dr. David Alan Gilbert" <dgilbert@redhat.com>
Content-Type: text/plain; charset="UTF-8"
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Mon, Jan 29, 2018 at 1:02 PM, David Woodhouse <dwmw2@infradead.org> wrote:
>
> On Mon, 2018-01-29 at 12:44 -0800, Arjan van de Ven wrote:
>>
>> the objective is to have retpoline be safe everywhere and never use IBRS
>> (Linus was also pretty clear about that) so I'm confused by your question

Note on the unhappiness with some of the patches involved: what I do
*not* want to see is the "on every kernel entry" kind of garbage.

So my unhappiness with the intel microcode patches is two-fold:

 (a) the interface is nasty and wrong, and I absolutely detest how Intel did it.

 (b) the write to random MSR's on every kernel entry/exit is wrong

but that doesn't mean that I will necessarily end up NAK'ing every
single IBRS/IBPB patch.

My concern with (a) is that unlike meltdown, the intel work-around
isn't forward-looking, and doesn't have a "we fixed it" bit. Instead,
it has a "we have a nasty workaround that may or may not be horribly
expensive" bit, and isn't all that well-defined.

My dislike of (b) comes from "we have retpoline and various wondrous
RSB filling crud already, we're smarter than that". So it's not that I
refuse any IBRS/IBPB use, I refuse the stupid and _mindless_ kind of
use.

> The question is about all the additional RSB-frobbing and call depth
> counting and other bits that don't really even exist for Skylake yet in
> a coherent form.
>
> If a guest doesn't have those, because it's running some future kernel
> where they *are* implemented but not enabled because at *boot* time it
> discovered it wasn't on Skylake, the question is what happens if that
> guest is subsequently migrated to a Skylake-class machine.

So I actually have a _different_ question to the virtualization
people. This includes the vmware people, but it also obviously
incldues the Amazon AWS kind of usage.

When you're a hypervisor (whether vmware or Amazon), why do you even
end up caring about these things so much? You're protected from
meltdown thanks to the virtual environment already having separate
page tables.  And the "big hammer" approach to spectre would seem to
be to just make sure the BTB and RSB are flushed at vmexit time - and
even then you might decide that you really want to just move it to
vmenter time, and only do it if the VM has changed since last time
(per CPU).

Why do you even _care_ about the guest, and how it acts wrt Skylake?
What you should care about is not so much the guests (which do their
own thing) but protect guests from each other, no?

So I'm a bit mystified by some of this discussion within the context
of virtual machines. I think that is separate from any measures that
the guest machine may then decide to partake in.

If you are ever going to migrate to Skylake, I think you should just
always tell the guests that you're running on Skylake. That way the
guests will always assume the worst case situation wrt Specte.

Maybe that mystification comes from me missing something.

               Linus