Received: by 10.223.176.5 with SMTP id f5csp2048185wra;
        Wed, 31 Jan 2018 15:56:44 -0800 (PST)
X-Google-Smtp-Source: AH8x227tfdAvMgka+Czu8lFCwLzj/SaDY2/kzaOp5XlT2Au2voNIzrRC70vmxFS5BvUSBG377R/o
X-Received: by 2002:a17:902:32a2:: with SMTP id z31-v6mr30550639plb.345.1517443004857;
        Wed, 31 Jan 2018 15:56:44 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1517443004; cv=none;
        d=google.com; s=arc-20160816;
        b=E08fycl0LFnxcXZEQkE5kQZq7CSVf57DVQooJ8ntqh3hlGTo/TUXaffAnYtsQZCAj9
         J3V7ptAsl87+aGywXK7tq3x8EQnDBOT2sy8J3aRJ76IdqcS0Ln8YBmlGrGHh7noDRP8u
         mjW7g1MiFZycoqnJ5/TLQK0YVdbZ/sFZTf+RcxEz/hTtPo/OzxiBdmw7SMCG+kQc0JCg
         UUzCT1MwFhOrLWsSYJ+h0tNrINqCaiVz5vIzHXD0hXyuKbcKp/2UaOvBQLQCpwt+ToGx
         atkk6cQE5bAmmOSerN112KinGq3ZpptuArYwLSaoPkdEdSp5Nn9DVNwML1xPA3BmmsXO
         la1Q==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:content-transfer-encoding
         :content-language:in-reply-to:mime-version:user-agent:date
         :message-id:from:references:cc:to:subject:arc-authentication-results;
        bh=KyViMQaiRBiUpjNPj7h6e9jQ1pPWCp+qVzdOs07Lo/c=;
        b=m+tlvFzvqfeRxW7aQzNjrI5oS5ODiyuRAN0c5BDfLN5ixpE521/lhAVnoeH1pyFGuJ
         ye4CdfLV0gI/Dx9fs2yVKBqbkZvROc/gANeDBlcghQraWhgJkrpMZoCXuXhH8K51MWNW
         RwOHhHh3lK9XEvg356x4BltjB6czOKeRSgJNqKUpLFIC9954d2rLxgBmU4llpXn8X28L
         pddSn4Vo/rfClOsU3kOUlGTYPaYJbtI9S5mgYxoS/2eMkuHG3mLiluQSbn508N22LaKM
         tGT0HzZ/VfJf557fNkutawL4HuqkehIuEmUkE5NccP/buPrHhx8co7Owd8M+X06pl8eR
         aTNg==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id q11-v6si449883pls.557.2018.01.31.15.56.30;
        Wed, 31 Jan 2018 15:56:44 -0800 (PST)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S932203AbeAaXZr (ORCPT <rfc822;414256we@gmail.com> + 99 others);
        Wed, 31 Jan 2018 18:25:47 -0500
Received: from mga17.intel.com ([192.55.52.151]:52278 "EHLO mga17.intel.com"
        rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
        id S1753161AbeAaXZp (ORCPT <rfc822;linux-kernel@vger.kernel.org>);
        Wed, 31 Jan 2018 18:25:45 -0500
X-Amp-Result: SKIPPED(no attachment in message)
X-Amp-File-Uploaded: False
Received: from orsmga006.jf.intel.com ([10.7.209.51])
  by fmsmga107.fm.intel.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 31 Jan 2018 15:25:45 -0800
X-ExtLoop1: 1
X-IronPort-AV: E=Sophos;i="5.46,442,1511856000"; 
   d="scan'208";a="14964811"
Received: from schen9-desk3.jf.intel.com (HELO [10.54.74.42]) ([10.54.74.42])
  by orsmga006.jf.intel.com with ESMTP; 31 Jan 2018 15:25:45 -0800
Subject: Re: [PATCH] x86/speculation: Use Indirect Branch Prediction Barrier
 in context switch
To:     Josh Poimboeuf <jpoimboe@redhat.com>
Cc:     David Woodhouse <dwmw@amazon.co.uk>, arjan@linux.intel.com,
        tglx@linutronix.de, karahmed@amazon.de, x86@kernel.org,
        linux-kernel@vger.kernel.org, bp@alien8.de, peterz@infradead.org,
        pbonzini@redhat.com, ak@linux.intel.com,
        torvalds@linux-foundation.org, gregkh@linux-foundation.org,
        mingo@kernel.org, luto@kernel.org, linux@dominikbrodowski.net
References: <1517263487-3708-1-git-send-email-dwmw@amazon.co.uk>
 <20180130174850.bwypk4r5yn2344jb@treble>
 <d4d8111b-5758-7541-cc30-b11d6b4d6bec@linux.intel.com>
 <20180131035907.sye4x7f3e77wnroh@treble>
From:   Tim Chen <tim.c.chen@linux.intel.com>
Message-ID: <2f5614a5-b7c4-52cf-a66f-6f62c2602bee@linux.intel.com>
Date:   Wed, 31 Jan 2018 15:25:44 -0800
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101
 Thunderbird/52.1.0
MIME-Version: 1.0
In-Reply-To: <20180131035907.sye4x7f3e77wnroh@treble>
Content-Type: text/plain; charset=utf-8
Content-Language: en-US
Content-Transfer-Encoding: 7bit
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On 01/30/2018 07:59 PM, Josh Poimboeuf wrote:
> On Tue, Jan 30, 2018 at 01:23:17PM -0800, Tim Chen wrote:
>> On 01/30/2018 09:48 AM, Josh Poimboeuf wrote:
>>> On Mon, Jan 29, 2018 at 10:04:47PM +0000, David Woodhouse wrote:
>>>> From: Tim Chen <tim.c.chen@linux.intel.com>
>>>>
>>>> Flush indirect branches when switching into a process that marked itself
>>>> non dumpable. This protects high value processes like gpg better,
>>>> without having too high performance overhead.
>>>
>>> I wonder what the point of this patch is.  An audit of my laptop shows
>>> only a single user of PR_SET_DUMPABLE: systemd-coredump.
>>
>> This is an opt in approach.  For processes who need extra
>> security, it set itself as non-dumpable.  Then it can
>> ensure that it doesn't see any poisoned BTB.  
> 
> I don't want other users reading my applications' memory.
> 
> I don't want other containers reading my containers' memory.
> 
> I don't want *any* user tasks reading root daemons' memory.
> 
> Those are not unreasonable expectations.
> 
> So now I have to go and modify all my containers and applications to set
> PR_SET_DUMPABLE?  That seems highly impractical and unlikely.
> 
> Plus, I happen to *like* core dumps.
> 
> The other option is to rebuild the entire userland with retpolines, but
> again, that would make this patch completely pointless.
> 
>>> [ And yes, I have gpg-agent running.  Also, a grep of the gnupg source
>>> doesn't show any evidence of it being used there.  So the gpg thing
>>> seems to be a myth. ]
>>
>> I'm less familiar with gpg-agent.  Dave was the one who
>> put in comments about gpg-agent in this patch so perhaps
>> he can comment.
>>
>>>
>>> But also, I much preferred the original version of the patch which only
>>> skipped IBPB when 'prev' could ptrace 'next'.
>>
>> For the A->kernel thread->B scenario, you will need context of A
>> to decide if you need IBPB when switching to B.  You need to
>> worry about whether the context of A has been released ... etc if
>> you want to use ptrace.
> 
> Is that why the ptrace approach was abandoned?  Surely that's a solvable
> problem?  We have some smart people on lkml.  And anyway I didn't see it
> discussed anywhere.  In the worst case we could just always do IBPB when
> switching between kernel and user tasks.
> 

I think dumpable is not the end all policy.  It is a reasonable starting point
to provide us a means to secure the most sensitive processes without
IBPBing the world.  It is on the performance end of the security/performance trade off.

For people who opt for more security, it is reasonable to consider
alternate policies to distinguish friend and foe so we know if we are coming
from a potentially hostile environment.  Ptrace is one means to do so, and probably
there are other ways depending on usages.  I hope we can have a discussion on what we should
use to determine if two processes are friend or foe.  Say do all the processes
from the same containers are considered friends with each other?
I think once we have this decided, actually putting in IBPB will simple.

Tim