Received: by 10.223.185.116 with SMTP id b49csp1008119wrg; Fri, 16 Feb 2018 10:42:58 -0800 (PST) X-Google-Smtp-Source: AH8x2265JZbENR3ugmW4SPRKwWeuVMxutZDNLvLUt3C9ulXuI8rmgA7PPkgURThKS+Mq3jJdPOl9 X-Received: by 10.99.126.75 with SMTP id o11mr5896742pgn.97.1518806578625; Fri, 16 Feb 2018 10:42:58 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1518806578; cv=none; d=google.com; s=arc-20160816; b=W9c4nNCpQpYL3+qynybHYvWVeNaWWrhRtfPgEqO7GDQ7yMqxwk72zvKfWv9OjlgLfV I4AxcqpT3B6osr0VzJ9fbF0sIxqkWj+xQVWdazfOBX51LYN6Eu9R5FZ2Kka6iIOEUDod 4gknkieTA6zx9Xstdd2yyW6QAp3IqRxM58yKz6qmyfDOlmpj8aKEm13B010PfabgQuM5 QTY3d4aQRoUARaqoxpnFBNiLML46yU8+8e8kuL8XtRBH8C3KuRju+tlsPNkWOR9nBve3 F7wM98LILPxBYvUC3gXHg4tF8DUdIBq90Y6ZZb2OmbyDivW7gfHJmV83UyK1kGOBXhwu FGFg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:cc:to:subject:message-id:date:from :references:in-reply-to:mime-version:dmarc-filter :arc-authentication-results; bh=L7EYIzP114hL1CHmbH8RoBV1urXtdrn8J16dJXPxWaI=; b=0GoE6f5V4YGRNnRW5CBw586VUqQqqgkUJv4TASVKxW7/yfXoMUNhZwvZeZ+TmmTUeJ lurmN1y4zqeW7psWfqU4bmPJfNLmA2Dv3iK9jgxpCh8G0iowwjAoeqtOZ/aACyW/Y7Lf b+xpbIV5rDR9EivFTYPTDIF4DwLjs2By+NX5TN4UA7UALqhZ/UOzqxqsmcszDmGh3zPf Okgeuh8+G6uDjZ5LXfDAb3UlSxbreNzWAxtaJaMEY6ZlclohD3tolB4fj9zJZstWFsp3 ieSMnqwN1mZDtd7aj2YtqKTYRI0vgIcFzfF2IMKv3PXy7heO7S9ud76oU5PEbchKZZwM /Nrw== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id 1-v6si6395157ple.726.2018.02.16.10.42.44; Fri, 16 Feb 2018 10:42:58 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1757356AbeBPDDt (ORCPT + 99 others); Thu, 15 Feb 2018 22:03:49 -0500 Received: from mail.kernel.org ([198.145.29.99]:41440 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1757345AbeBPDDs (ORCPT ); Thu, 15 Feb 2018 22:03:48 -0500 Received: from mail-io0-f172.google.com (mail-io0-f172.google.com [209.85.223.172]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id C87D1217C9 for ; Fri, 16 Feb 2018 03:03:47 +0000 (UTC) DMARC-Filter: OpenDMARC Filter v1.3.2 mail.kernel.org C87D1217C9 Authentication-Results: mail.kernel.org; dmarc=none (p=none dis=none) header.from=kernel.org Authentication-Results: mail.kernel.org; spf=none smtp.mailfrom=luto@kernel.org Received: by mail-io0-f172.google.com with SMTP id t22so2861263ioa.7 for ; Thu, 15 Feb 2018 19:03:47 -0800 (PST) X-Gm-Message-State: APf1xPAQbjB48zyhY4xK9H//S9+eBZgCjdxuRlYqDomWBaW7QzOsEEIc KAklQ2InnWFPwOo+aaQy2biMZvhnmlZYjFbd2W7oSQ== X-Received: by 10.107.170.132 with SMTP id g4mr6059227ioj.183.1518750227148; Thu, 15 Feb 2018 19:03:47 -0800 (PST) MIME-Version: 1.0 Received: by 10.2.137.84 with HTTP; Thu, 15 Feb 2018 19:03:26 -0800 (PST) In-Reply-To: References: <20180215163602.61162-1-namit@vmware.com> <20180215163602.61162-5-namit@vmware.com> <9EB804CA-0EC9-4CBB-965A-F3C8520201E7@gmail.com> From: Andy Lutomirski Date: Fri, 16 Feb 2018 03:03:26 +0000 X-Gmail-Original-Message-ID: Message-ID: Subject: Re: [PATCH RFC v2 4/6] x86: Disable PTI on compatibility mode To: Linus Torvalds Cc: Nadav Amit , Andy Lutomirski , Pavel Emelyanov , Cyrill Gorcunov , Ingo Molnar , Thomas Gleixner , Peter Zijlstra , Dave Hansen , Willy Tarreau , X86 ML , LKML Content-Type: text/plain; charset="UTF-8" Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Fri, Feb 16, 2018 at 12:42 AM, Linus Torvalds wrote: > On Thu, Feb 15, 2018 at 4:22 PM, Nadav Amit wrote: >> >> It is not too pretty, I agree, but it should do the work. There is only one >> problematic descriptor that can be used to switch from compatibility-mode to >> long-mode in the GDT (LDT descriptors always have the L-bit cleared). >> Changing the descriptor's present bit on context switch when needed can do >> the work. > > Sure, I can see it working, but it's some really shady stuff, and now > the scheduler needs to save/restore/check one more subtle bit. > > And if you get it wrong, things will happily work, except you've now > defeated PTI. But you'll never notice, because you won't be testing > for it, and the only people who will are the black hats. > > This is exactly the "security depends on it being in sync" thing that > makes me go "eww" about the whole model. Get one thing wrong, and > you'll blow all the PTI code out of the water. > > So now you tried to optimize one small case that most people won't > use, but the downside is that you may make all our PTI work (and all > the overhead for all the _normal_ cases) pointless. > There's also the fact that, if this stuff goes in, we'll be encouraging people to deploy 32-bit binaries. Then they'll buy Meltdown-fixed CPUs (or AMD CPUs!) and they may well continue running 32-bit binaries. Sigh. I'm not totally a fan of this.