Received: by 10.223.185.116 with SMTP id b49csp1000448wrg; Fri, 16 Feb 2018 10:34:36 -0800 (PST) X-Google-Smtp-Source: AH8x225+gCVVVy9n6H2NJ+MvbEBCTN08kHpAMnnn0RF5QTGpbDuVs44+QV3A/dXgy+QJHJq08kva X-Received: by 10.101.69.9 with SMTP id n9mr6032634pgq.317.1518806075939; Fri, 16 Feb 2018 10:34:35 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1518806075; cv=none; d=google.com; s=arc-20160816; b=aTyR+TWxO01BxZPyJw4d9NZVjYhkxn0UMjLyE0S9EnLp8n124ei64ZXnxxl4HHeZQ0 O7DTi0+g7E59N5VnuFsQSZOLILpdbYJxXHkz9sWI2uP3epfo0tUaM/6+EV9CJywEAUtj 9r44D4deD5Y0k9rvN3nIFwure9pzmiUwhk81YbP7T3pg4ShaTdUGMuWr31tjXV30IrAR khuyHZq5b6t+yqCQ5E9+yAiAAMneCyZ9KPS0ysBcad0ZoDYCvx+USx3trhoNcUUmXp8F sQYtd1b/kXSgzatTfzz2Ev0TrKeESq3lM08hXxhSVL97qYTYbrJw9Ld0WkhLwvHq/MIA EYyw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-language :content-transfer-encoding:in-reply-to:mime-version:user-agent:date :message-id:from:references:cc:to:subject:arc-authentication-results; bh=oVq0ukWOgAS/TKPEg3xhBQljXORZBV+Qcc0DmH0zlps=; b=u0C7MEwljb7Ch2Q2ZD1gSeI3X+64XVopk+8/NP8bxBaXQDsL0chE37jmicCVW75v8+ 1FlwwRqKMRWFOhjKM+lS+GWyH03IWqpIwb2/IWXW5ezO/h+FOp4SQZd3pK8XY5AxAhRh 4A34nTsCEBUaZVJW/V9jfg4t/jX1ko5Dwsld2EyeBpoIIYy2vc45cM6S6TD0ARFXg7Za D+yYrRY/U7mA8Lt3GntXgVliKm+CZqu9G5pX4tgShviA1iaJj7WgtPN+AS+DiGdkbj6p YmRoGWwP8/1jVoautZUB82Yi+MgyLTpicqLuL/CdxK7hfw59EWIVBuvmdPzCGmOoDVwE GAsQ== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id n9-v6si146327pll.334.2018.02.16.10.34.21; Fri, 16 Feb 2018 10:34:35 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1756996AbeBPBEJ (ORCPT + 99 others); Thu, 15 Feb 2018 20:04:09 -0500 Received: from ppsw-40.csi.cam.ac.uk ([131.111.8.140]:33270 "EHLO ppsw-40.csi.cam.ac.uk" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1756984AbeBPBEI (ORCPT ); Thu, 15 Feb 2018 20:04:08 -0500 X-Cam-AntiVirus: no malware found X-Cam-ScannerInfo: http://help.uis.cam.ac.uk/email-scanner-virus Received: from 88-111-108-209.dynamic.dsl.as9105.com ([88.111.108.209]:50212 helo=[192.168.1.6]) by ppsw-40.csi.cam.ac.uk (smtp.hermes.cam.ac.uk [131.111.8.158]:587) with esmtpsa (PLAIN:amc96) (TLSv1.2:ECDHE-RSA-AES128-GCM-SHA256:128) id 1emURa-000NHJ-k8 (Exim 4.90_1) (return-path ); Fri, 16 Feb 2018 01:04:06 +0000 Subject: Re: [PATCH RFC v2 0/6] x86: Disabling PTI in compatibility mode To: Nadav Amit Cc: Dave Hansen , Ingo Molnar , Thomas Gleixner , Andy Lutomirski , Peter Zijlstra , Willy Tarreau , X86 ML , linux-kernel@vger.kernel.org References: <20180215163602.61162-1-namit@vmware.com> <27a0082c-fadb-792a-740e-70932d51f1b5@linux.intel.com> <91CEEFA7-86C8-4731-BC7E-6AF5CC3A1BA4@gmail.com> From: Andrew Cooper Message-ID: Date: Fri, 16 Feb 2018 01:04:07 +0000 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:52.0) Gecko/20100101 Thunderbird/52.6.0 MIME-Version: 1.0 In-Reply-To: Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit Content-Language: en-GB Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On 16/02/2018 00:51, Nadav Amit wrote: > Andrew Cooper wrote: > >> On 16/02/2018 00:25, Nadav Amit wrote: >>> Dave Hansen wrote: >>> >>>> On 02/15/2018 08:35 AM, Nadav Amit wrote: >>>>> I removed the PTI disabling while SMEP is unsupported, although I >>>>> must admit I did not fully understand why it is required. >>>> Do you mean you don't fully understand how PTI gives SMEP-like behavior >>>> on non-SMEP hardware? >>> No. I understand how it provide SMEP-like behavior, and I understand the value >>> of SMEP by itself. >>> >>> However, I do not understand why SMEP-like protection is required to protect >>> processes that run in compatibility-mode from Meltdown/Spectre attacks. As >>> far as I understand, the process should not be able to manipulate the kernel >>> to execute code in the low 4GB. >> Being 32bit is itself sufficient protection against Meltdown (as long as >> there nothing interesting of the kernels mapped below the 4G boundary). >> >> However, a 32bit compatibility process try to attack with Spectre/SP2 to >> redirect speculation back into userspace, at which point (if successful) >> the pipeline will be speculating in 64bit mode, and Meltdown is back on >> the table. SMEP will block this attack vector, irrespective of other >> SP2 defences the kernel may employ, but a fully SP2-defended kernel >> doesn't require SMEP to be safe in this case. > Based on Jann Horn’s description of the branch predictor, it basically only > holds the lowest 31-bits of the target address. There might be a subtle > problem if the prediction wrapsaround, but excluding this case, I do not see > how Spectre v2 can be used to jump into running user code. RSB poisoning is also part of SP2, and does have full width addresses. ~Andrew P.S. Consider yourself lucky that the 32bit code isn't running in Ring1.  Xen has a substantially more interesting time in this regard.