Received: by 10.223.185.116 with SMTP id b49csp2439899wrg; Thu, 22 Feb 2018 13:53:36 -0800 (PST) X-Google-Smtp-Source: AH8x226hWvvl+sGyFMLxavEZNfyhPgT/OlCs24Dx17/uZCs27lRHZ14UD0OnLqqzef8z5kWENUO5 X-Received: by 10.98.61.133 with SMTP id x5mr5291957pfj.181.1519336416263; Thu, 22 Feb 2018 13:53:36 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1519336416; cv=none; d=google.com; s=arc-20160816; b=Dp6t4UhzLbJZhlrFA2U5PaK0bOCslXh7ocVJYoLTubpfShRXfBf+Ie4UJSAjIL4n9n cTh0RaK3uz6j62OehrFe6UF5Ja6ymVc9xevaDjntz4ZcIaGxklWSZvnaD11l7/LyvjA3 QewWsntrwWIjqjf5+DQSqAtTPsVTMz0nYTA8ahOTZepkPokdd/V7Usou7rbN14jLhdMY PR35EkqZVxEqJOVj1fbiVuZdRBnk8lhl9ojA9pHWC1deDZKOrq3cNP/0u2qL5R9d0VjJ 9v9d+e8/HBpVoRIJjCiP2RO9YWO6OWMZEyDXy+HULrtmbLft/RCzqI5mqXEdgPJt371u OwjQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:cc:to:subject:message-id:date:from :references:in-reply-to:mime-version:dkim-signature:dkim-signature :arc-authentication-results; bh=P1A31r+lRdnMdLeA5Hnk93iJ8+GHWrGhAmNd7zbVHDI=; b=NnWw2BjWxRl4YdFOj/mkCuWXAjxZ/FxfV7KmQpz7RN6IOJWEvmQ3S7++4KMsVx1xKr jxEOSHkMwp67L3Tc7N5slApaJfuXtK6VufColKAmDEiXC8LSSMJzpiptjK1ra5w85Xmw icVZyZuGtbdSQEKTf8fX3OCsnlBI0fk5bXdNH89lfM8c8gS6MMCmnDc4Fdtd2k1gqbRt oBdwQhmZS+0DIXSXslrb800LIOZvPg4qUVwIk9nbQpQgXgXE1hx/RtqBiNRFJyDzucCG LAZGUh9AzgC6MS13VW5c7moZtN4XJXDU2SfQ4EQ5dP2ZA+Vqgp3lbXGORIBdl8HNl6se MJlg== ARC-Authentication-Results: i=1; mx.google.com; dkim=fail header.i=@gmail.com header.s=20161025 header.b=MshxVr72; dkim=fail header.i=@linux-foundation.org header.s=google header.b=OIS4t0lq; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id e90-v6si609178plb.749.2018.02.22.13.53.21; Thu, 22 Feb 2018 13:53:36 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=fail header.i=@gmail.com header.s=20161025 header.b=MshxVr72; dkim=fail header.i=@linux-foundation.org header.s=google header.b=OIS4t0lq; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1751634AbeBVVw1 (ORCPT + 99 others); Thu, 22 Feb 2018 16:52:27 -0500 Received: from mail-it0-f68.google.com ([209.85.214.68]:34493 "EHLO mail-it0-f68.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751602AbeBVVwY (ORCPT ); Thu, 22 Feb 2018 16:52:24 -0500 Received: by mail-it0-f68.google.com with SMTP id a203so3037283itd.1 for ; Thu, 22 Feb 2018 13:52:23 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:sender:in-reply-to:references:from:date:message-id :subject:to:cc; bh=P1A31r+lRdnMdLeA5Hnk93iJ8+GHWrGhAmNd7zbVHDI=; b=MshxVr72gq2ajNRo4XeynHOKiJQeCZ5GCalk6EKG7hyq/fCske2CxRo1s2wcDJ4YDy SwDQr28WdifeLa4CqZ48OCg4ZzN+ns8+E/yEuYkHmODGdknY+DzZkJYpJOQHDOvnp1M5 5IJv1hBZGGFwtlLUgiDKcY3cCtEpcJ0HdASfbmUyXajLrJ+z/Ul0meCLpS84Q++i+fyF gZuLcS6oVppYlORUnepGSflt/vDpapAy4bIH0/6BaWJyUsZkezC02u/9R6lc0JnVnaUj 1Q8mreJ/bapEVgGRbHcBbKFQ7pISynfECZg6B2YIIhdt6XJabDnrFLpXw1/PxaJB7rmN HOJQ== DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linux-foundation.org; s=google; h=mime-version:sender:in-reply-to:references:from:date:message-id :subject:to:cc; bh=P1A31r+lRdnMdLeA5Hnk93iJ8+GHWrGhAmNd7zbVHDI=; b=OIS4t0lqdbRphfcZmC81g/qTgH7lpVGBfBJ5ZOqZsfybqcxFLjGVzY2w+ypVjuGykx kHmiRVxBn4/AMFDxNo/NO5a7YkpeuhXCxrxzBrA1o2n76tvdb0VEdjP+HsygR+BYQFtC e527Cpk2Ah/6s/L6G9dO8uap3hZhG6jhTuwlo= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:sender:in-reply-to:references:from :date:message-id:subject:to:cc; bh=P1A31r+lRdnMdLeA5Hnk93iJ8+GHWrGhAmNd7zbVHDI=; b=fdUyv8tLznJIi6TDs4CLU66UVSB/oCManltVYtyxaJVlVIgH7aj5A6X9AwgqlrYvPi K6nTMjqcZW/aCCe/DTzCXwRAOfn7FCwmFEzuLvqVYWB+IKuuBPgyy2+9LXKMUZg0+CIs lR+M5ASyxKueMBJlj7k+Qx9SLRQUGsO1CuuxFUTe8d8ecNT4m1JlQz2cQw5AJTnZtHui 22FEB4kOzF3hmQeQK8k8DRxnRaaCIo0PEgEK5lbFdnLunH70MC5xcN24gOOHUt7N+obq FT2DddNRYsQD+4yvhJKIkSS2YC5USaw+JEZBuJxZO388BwkNM+ioGIQQgVZ+vWxNwJn+ jaQA== X-Gm-Message-State: APf1xPDmXeb+EXxIXgB29a6gjLOMeHT/BsuDvaG/yJPQ0w34ZBhwig7y C7WkXJfV4j9ZQjA+FTTatTFng4QXL6tsKjl/FNE= X-Received: by 10.36.150.134 with SMTP id z128mr877997itd.108.1519336343381; Thu, 22 Feb 2018 13:52:23 -0800 (PST) MIME-Version: 1.0 Received: by 10.107.135.221 with HTTP; Thu, 22 Feb 2018 13:52:22 -0800 (PST) In-Reply-To: <20180222203651.B776810C@viggo.jf.intel.com> References: <20180222203651.B776810C@viggo.jf.intel.com> From: Linus Torvalds Date: Thu, 22 Feb 2018 13:52:22 -0800 X-Google-Sender-Auth: L_4c6ut9G9LZ2v8rU7YwQORxOO4 Message-ID: Subject: Re: [RFC][PATCH 00/10] Use global pages with PTI To: Dave Hansen Cc: Linux Kernel Mailing List , Andrea Arcangeli , Andrew Lutomirski , Kees Cook , Hugh Dickins , =?UTF-8?B?SsO8cmdlbiBHcm/Dnw==?= , "the arch/x86 maintainers" , namit@vmware.com Content-Type: text/plain; charset="UTF-8" Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Side note - and this may be crazy talk - I wonder if it might make sense to have a mode where we allow executable read-only kernel pages to be marked global too (but only in the kernel mapping). Yes, yes, that potentially means that you can run meltdown on recently run kernel code that is still in the TLB, but even if so, that may be something people are ok with. Because it would leak data that can generally be gotten other ways (aka "just download the vendor kernel from a website"), and from a security standpoint the biggest issue is likely that you can break KASLR. But again, that is something that some people may be perfectly fine with - it's certainly much less of an issue than leaking actual *data*. And it might be an easy option to give people, with something like "pti=data" or similar. It's also quite possible that depending on how separate the ITLB and DTLB is, an ITLB entry might not even really be amenable to Meltdown leaking at all. Since the pages wouldn't actually exist in the user page tables, the only sign of them would be in the TLB entries, and if the ITLB is separate enough it might be practically impossible to really use those ITLB entries for meltdown. Of course, maybe the performance advantage from keeping the ITLB entries around isn't huge, but this *may* be worth at least asking some Intel architects about? Because my gut feel is that a noticeable amount of the TLB cost from PTI comes from the code side. I suspect a lot of kernel code has a bigger instruction footprint than data. (And yes, like this set of global bit patches, it probably matters a whole lot more on CPU's that don't have PCID. With PCID it's probably not all that noticeable at all). Linus