From: Nadav Amit
To: Ingo Molnar
CC: Thomas Gleixner, Andy Lutomirski, Peter Zijlstra, Dave Hansen, Willy Tarreau, Nadav Amit
Subject: [PATCH RFC v2 0/6] x86: Disabling PTI in compatibility mode
Date: Thu, 15 Feb 2018 08:35:56 -0800
Message-ID: <20180215163602.61162-1-namit@vmware.com>
X-Mailing-List: linux-kernel@vger.kernel.org

Compatibility mode should be safe from Meltdown, since the pointers are only
32 bits long. This can allow us to disable PTI selectively as long as x86-32
processes are running and to enable global pages throughout this time.

These patches may also be a basis for later disabling PTI selectively for
"trusted" processes.

The patches are marked as an RFC since they (specifically the last one) do not
coexist with Dave Hansen's enabling of global pages, and might have conflicts
with Joerg's work on 32-bit (although in this case, it should be easily
resolvable). They are also based on Linux 4.15.

I removed the PTI disabling while SMEP is unsupported, although I must admit I
did not fully understand why it is required. IIUC, Intel's indirect branch
prediction only predicts the low 32 bits of the target, which would still not
allow manipulating the kernel to jump to userspace code through Spectre v2.

RFC v1 -> RFC v2:
- Handling the use of CS64 in compatibility mode (Andy)
- Holding the PTI disable indication per mm and not task (Andy)
- No PTI disabling if SMEP is unsupported (Dave, Ingo)
- Self-test and cleanup
- Enabling global pages while running in compatibility mode

Nadav Amit (6):
  x86: Skip PTI when disable indication is set
  x86: Save pti_disable for each mm_context
  x86: Switching page-table isolation
  x86: Disable PTI on compatibility mode
  x86: Use global pages when PTI is disabled
  selftest: x86: test using CS64 on compatibility-mode

 arch/x86/entry/calling.h              |  33 ++++++++
 arch/x86/include/asm/mmu.h            |   3 +
 arch/x86/include/asm/pti.h            |  70 +++++++++++++++++
 arch/x86/include/asm/tlbflush.h       |  35 ++++++++-
 arch/x86/kernel/asm-offsets.c         |   1 +
 arch/x86/kernel/process_64.c          |  13 +++-
 arch/x86/kernel/traps.c               |  23 +++++-
 arch/x86/mm/init.c                    |  14 ++--
 arch/x86/mm/pgtable.c                 |   4 +-
 arch/x86/mm/pti.c                     | 139 +++++++++++++++++++++++++++++++++-
 arch/x86/mm/tlb.c                     |  28 ++++++-
 tools/testing/selftests/x86/ldt_gdt.c |  41 ++++++++++
 12 files changed, 386 insertions(+), 18 deletions(-)

-- 
2.14.1
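
Added example, not part of the original message or of the patch series: a small C model of why the "CS64 in compatibility mode" item in the changelog matters. The 32-bit-pointer argument holds only for the code segment actually loaded, so the check is made on the descriptor's L and D bits. The function names, the 4-level-paging kernel boundary and the sample descriptor values are assumptions constructed for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Assumption: 4-level paging, so the kernel (upper canonical) half starts here. */
#define KERNEL_HALF_START 0xffff800000000000ULL

enum cs_mode { CS_NOT_CODE, CS_COMPAT16, CS_COMPAT32, CS_LONG64, CS_RESERVED };

/* Classify a raw 8-byte segment descriptor as a CPU in long mode would. */
enum cs_mode classify_cs(uint64_t desc)
{
    bool s    = (desc >> 44) & 1;   /* S: 1 = code/data, 0 = system */
    bool exec = (desc >> 43) & 1;   /* type bit 3: executable */
    bool l    = (desc >> 53) & 1;   /* L: 64-bit code segment */
    bool d    = (desc >> 54) & 1;   /* D: default operand size */

    if (!s || !exec)
        return CS_NOT_CODE;
    if (l)
        return d ? CS_RESERVED : CS_LONG64;   /* L=1 with D=1 is reserved */
    return d ? CS_COMPAT32 : CS_COMPAT16;
}

/* Highest linear address code running under this CS can form. */
uint64_t max_linear_address(enum cs_mode mode)
{
    switch (mode) {
    case CS_LONG64:   return UINT64_MAX;
    case CS_COMPAT32:
    case CS_COMPAT16: return 0xffffffffULL;   /* truncated to 32 bits */
    default:          return 0;               /* cannot be used as CS */
    }
}

/* True when code under this CS can name an address in the kernel half. */
bool can_name_kernel_address(uint64_t desc)
{
    return max_linear_address(classify_cs(desc)) >= KERNEL_HALF_START;
}

int main(void)
{
    /* Constructed samples: flat ring-3 segments, differing in L/D/type only. */
    const uint64_t samples[] = { 0x00cffb000000ffffULL,    /* 32-bit code */
                                 0x00affb000000ffffULL,    /* 64-bit code */
                                 0x00cff3000000ffffULL };  /* data        */
    for (size_t i = 0; i < 3; i++)
        printf("%016llx mode=%d kernel-reachable=%d\n",
               (unsigned long long)samples[i], classify_cs(samples[i]),
               can_name_kernel_address(samples[i]));
    return 0;
}
```

A 32-bit process that switches to the 64-bit code segment lands in the second case, so the decision has to follow the CS in use rather than how the process was started.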