Received: by 10.223.185.116 with SMTP id b49csp2005962wrg; Mon, 12 Feb 2018 02:40:00 -0800 (PST) X-Google-Smtp-Source: AH8x225K7/VhM6iHdYooOXEamPD96EubVm2UspdOdqpX/O7O9lU7swPy92N21FpunxR9lfNn1D5H X-Received: by 10.101.100.213 with SMTP id t21mr1884071pgv.19.1518432000378; Mon, 12 Feb 2018 02:40:00 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1518432000; cv=none; d=google.com; s=arc-20160816; b=L/WR4PO02zz/4TuVn2Kz8oaWsYKxj7u/KPNPzuKj+Ko7UBWcerfMHQy6qxtuUZRf9G ln3Fw9iQLQoriNbT1RUNvMUM8fWfvQjwzULytxgI5j+4hiF8N+FjbqsUn+UuathPYqBH ILctPw5EyMsYKcO63mRMPgi3Eq+XeRhWJi5wbYIhdPE6s2Bz3X9MVVOzaZ6DBGJyTjYN ueqFzHtI3L9NmBHcDnjU7uULtNIF3ska3CP3+ejQ+xDCKyrbT+CYVmg5+pji2fpt0Qek nANCSCGOsIN9TyRoTNcUH3tFwZwEzSG5BRGLODIWAg0EkVbKK38oZcZqbM3VJRn9UvjM cobw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:user-agent:in-reply-to :content-disposition:mime-version:references:message-id:subject:cc :to:from:date:dkim-signature:arc-authentication-results; bh=jEbWxLYe649kPfm8H0/tfCSRlSSaUXEI7JzVlpDxnag=; b=SBU1hACWs65tw/g6xftufW/tKAJbtEmQ1vi8caJ0VvhhMtYfg0y8TjE7kHXmX22WTp 39/tZsV6esvbtpPXgcRupkGCHxD80FzY8cXJwauM1X3M1Y+QCbiC+1yXc8EJCoqQna00 gExJCGBQbEQ/ilRgDdCKWLzSHbaxpMxZ2OwzWYzj2H0o4IRGkyamUdbV46AYAOrdXaoF TxA8+FrEnhyWHEKFfmQcBBMDWKTsJqusU0DRVyRsk+JrQM0Vtli7pS5txSasmT4GJ0Ks ASpFfYlPNk1loH0ltS50AUSNgiva1M9zlYa1W+RpawDPuZ0hB7sy0h6AoOETsvm+Pp+e 7I1A== ARC-Authentication-Results: i=1; mx.google.com; dkim=fail header.i=@gmail.com header.s=20161025 header.b=Nxz4twZ6; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id c1si2075534pgt.390.2018.02.12.02.39.46; Mon, 12 Feb 2018 02:40:00 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=fail header.i=@gmail.com header.s=20161025 header.b=Nxz4twZ6; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S933835AbeBLKWS (ORCPT + 99 others); Mon, 12 Feb 2018 05:22:18 -0500 Received: from mail-wr0-f195.google.com ([209.85.128.195]:43377 "EHLO mail-wr0-f195.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S932868AbeBLKWQ (ORCPT ); Mon, 12 Feb 2018 05:22:16 -0500 Received: by mail-wr0-f195.google.com with SMTP id b52so14578263wrd.10; Mon, 12 Feb 2018 02:22:15 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=sender:date:from:to:cc:subject:message-id:references:mime-version :content-disposition:in-reply-to:user-agent; bh=jEbWxLYe649kPfm8H0/tfCSRlSSaUXEI7JzVlpDxnag=; b=Nxz4twZ6C4D5rSONg8RkQ3bIT8qKGZ7MHwTvafJ0dtNaei5lU/fJjyYmeMHwWnEeeg qK62fBqHefuHwrUQiMaJk4iFfqblXBAqiEJTMdvoKUF161ah+7Hd/pPqml23+tw4r+8Z D9eVGjiK5WQp+cxtYbEIPl+MLvCXx39tSDOF69Vmxb584o7yPX1fcSJmtseFP5lk4ocK LlF7O1MGYgvF92XVloIpsQOMndQvollOG86LNFkTJFrU/QEQCH3IdJOJI2+U02B+cFwI /WyNb2j/N9RSxBaKnofXFFL/LhWd6V9pHKCT9HL2GlityjRMOIsItqKiEBYWFCpJDx5h DCCQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:sender:date:from:to:cc:subject:message-id :references:mime-version:content-disposition:in-reply-to:user-agent; bh=jEbWxLYe649kPfm8H0/tfCSRlSSaUXEI7JzVlpDxnag=; b=mPasHDc9GftYqlbdd3YxCONAUwqqyY/WDXlaKHuvHmobyGl+czYLM349s7qVQpDLzA BdLIjISRauRsmEuYEgE+rV43sppjHgfdoiFaBvvO5Ng+s7I8phJQzCX7KQYrOXOj/nsi n3Q07vsiv0v+fKuBC0t2ZONRfWeI6PjNs7diXP2tf4H1dZLZh8RKWPhonnCXe5yOIkNm 1NZnKulyEDJHkZHtJ2JiHdZC8+2yHGnKZczXoeUEXVBtgBBtmgUwUMhpKxi6IyVdkL5c prCM56jNpNynTQcffupLTN5Jn7wwpIIANhYi41olV/OL2trFWRerLABs/bSCU4oIw65N +VaA== X-Gm-Message-State: APf1xPD34uqTB1VPXZcDn7x+q/TYBKrQGOnh863te3z4tbJHE6zYspUZ 9hATpztDWrRvln48nLFj6+fAGA== X-Received: by 10.223.208.198 with SMTP id z6mr9137974wrh.194.1518430934894; Mon, 12 Feb 2018 02:22:14 -0800 (PST) Received: from gmail.com (2E8B0CD5.catv.pool.telekom.hu. [46.139.12.213]) by smtp.gmail.com with ESMTPSA id z74sm6086738wmz.21.2018.02.12.02.22.13 (version=TLS1_2 cipher=ECDHE-RSA-CHACHA20-POLY1305 bits=256/256); Mon, 12 Feb 2018 02:22:14 -0800 (PST) Date: Mon, 12 Feb 2018 11:22:11 +0100 From: Ingo Molnar To: hpa@zytor.com, tglx@linutronix.de, torvalds@linux-foundation.org, linux-kernel@vger.kernel.org, dwmw@amazon.co.uk, peterz@infradead.org Cc: linux-tip-commits@vger.kernel.org, Dave Hansen , Borislav Petkov , "H. Peter Anvin" , Arjan van de Ven Subject: Re: [tip:x86/pti] x86/speculation: Use IBRS if available before calling into firmware Message-ID: <20180212102211.cdrrqqd4hdw7xu5y@gmail.com> References: <1518362359-1005-1-git-send-email-dwmw@amazon.co.uk> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: User-Agent: NeoMutt/20170609 (1.8.3) Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org * tip-bot for David Woodhouse wrote: > Commit-ID: 670c3e8da87fa4046a55077b1409cf250865a203 > Gitweb: https://git.kernel.org/tip/670c3e8da87fa4046a55077b1409cf250865a203 > Author: David Woodhouse > AuthorDate: Sun, 11 Feb 2018 15:19:19 +0000 > Committer: Ingo Molnar > CommitDate: Sun, 11 Feb 2018 19:44:46 +0100 > > x86/speculation: Use IBRS if available before calling into firmware > > Retpoline means the kernel is safe because it has no indirect branches. > But firmware isn't, so use IBRS for firmware calls if it's available. > > Signed-off-by: David Woodhouse > Cc: Linus Torvalds > Cc: Peter Zijlstra > Cc: Thomas Gleixner > Link: http://lkml.kernel.org/r/1518362359-1005-1-git-send-email-dwmw@amazon.co.uk > Signed-off-by: Ingo Molnar > --- > arch/x86/include/asm/apm.h | 6 ++++++ > arch/x86/include/asm/cpufeatures.h | 1 + > arch/x86/include/asm/efi.h | 17 +++++++++++++++-- > arch/x86/include/asm/nospec-branch.h | 37 +++++++++++++++++++++++++++--------- > arch/x86/kernel/cpu/bugs.c | 12 +++++++++++- > drivers/watchdog/hpwdt.c | 3 +++ > 6 files changed, 64 insertions(+), 12 deletions(-) > --- a/arch/x86/include/asm/nospec-branch.h > +++ b/arch/x86/include/asm/nospec-branch.h > +/* > + * With retpoline, we must use IBRS to restrict branch prediction > + * before calling into firmware. > + */ > +static inline void firmware_restrict_branch_speculation_start(void) > +{ > + alternative_msr_write(MSR_IA32_SPEC_CTRL, SPEC_CTRL_IBRS, > + X86_FEATURE_USE_IBRS_FW); > +} > + > +static inline void firmware_restrict_branch_speculation_end(void) > +{ > + alternative_msr_write(MSR_IA32_SPEC_CTRL, 0, > + X86_FEATURE_USE_IBRS_FW); BTW., there's a detail that only occurred to me today, this enabling/disabling sequence is not NMI safe, and it might be called from NMI context: > --- a/drivers/watchdog/hpwdt.c > +++ b/drivers/watchdog/hpwdt.c > @@ -38,6 +38,7 @@ > #endif /* CONFIG_HPWDT_NMI_DECODING */ > #include > #include > +#include > > #define HPWDT_VERSION "1.4.0" > #define SECS_TO_TICKS(secs) ((secs) * 1000 / 128) > @@ -486,11 +487,13 @@ static int hpwdt_pretimeout(unsigned int ulReason, struct pt_regs *regs) > if (!hpwdt_nmi_decoding) > return NMI_DONE; > > + firmware_restrict_branch_speculation_start(); > spin_lock_irqsave(&rom_lock, rom_pl); > if (!die_nmi_called && !is_icru && !is_uefi) > asminline_call(&cmn_regs, cru_rom_addr); > die_nmi_called = 1; > spin_unlock_irqrestore(&rom_lock, rom_pl); > + firmware_restrict_branch_speculation_end(); > > if (allow_kdump) > hpwdt_stop(); But ... this is a (comparatively rare) hardware-watchdog tick function, and the chance of racing with say an EFI call seems minuscule. The race will result in an EFI call being performed with speculation enabled, sporadically. Is this something we should worry about? Thanks, Ingo