Received: by 10.223.185.111 with SMTP id b44csp297594wrg; Fri, 9 Mar 2018 05:14:05 -0800 (PST) X-Google-Smtp-Source: AG47ELsQJSxZc7rag4gyuEM/j6vgdahBcsdHfyWQ7UB5+wRafwRLN9AY5ajG4PsdxDphywRQ8kvJ X-Received: by 10.99.95.15 with SMTP id t15mr23885895pgb.183.1520601244926; Fri, 09 Mar 2018 05:14:04 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1520601244; cv=none; d=google.com; s=arc-20160816; b=MVj/NdCpCEqChD8xF7I2mC4aPbJQx8NSIRcci+j4+5n9RJkuPXD26xd6xC0GPhzIy4 bpg+sYvzezbZc1TZ5tTKtouJ2YKi2PmGweu+0qvZNUpo+9+k3rbBTnYqCzR3shny4bxY q4DK9g6J5ok9hVAiChOQg+ADWMY+1g/2PJgtd96UMrBhz0FgGMUFlFCaE+I6Yfw6mBbP cnYRcOls/7SimIgaAiOMIsNgG2LYw9aGly0Ya3zsRca/zn3GAklZs8fcA/iZQtorLHGH ilMNcwxrKkwZHFXL3UR33y42ww+76j5UBbMIhIYuaHMGCbBESAZjLw85qMMWl989wC0c QYrA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding :content-language:in-reply-to:mime-version:user-agent:date :message-id:from:references:cc:to:subject:arc-authentication-results; bh=M1WDdDSNyMl2z018euZTI7LoQBzUeCUCody940BhgZg=; b=zq3HN8BUr07/1JzyZoWg9LI/WhRix2y8wXVv8xRl+JNB9hLotv9v+w+igkSIHLpfTg Eh/VS9F71HidcOujw4FHwQMRInRBOrYvsfZB9FikCZYBQYMRwzHn+70xKnbR8IML7lWj 0X4mh1O8NZXyS3AkdySsYBGC+OsqF0uPNn4IgR/XyoVN12LjtmLcNchowtb92A3ubGRT pHngwawWE2v6wIknU7crQ+M7n6hc7hq6boaHmz/zIJVG4z0fhK1HivoJGeNeyvo7BGKz WAD/h+JExPKZi1xnDdTgHHAOd7jEXdq0h89qZP8/e1MbX3Zd25jP+e/yGKi0NSFs3Qya wkmA== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id ba11-v6si875433plb.167.2018.03.09.05.13.50; Fri, 09 Mar 2018 05:14:04 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S932138AbeCINM5 (ORCPT + 99 others); Fri, 9 Mar 2018 08:12:57 -0500 Received: from vps-vb.mhejs.net ([37.28.154.113]:48660 "EHLO vps-vb.mhejs.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751092AbeCINM4 (ORCPT ); Fri, 9 Mar 2018 08:12:56 -0500 Received: by vps-vb.mhejs.net with esmtps (TLSv1.2:ECDHE-RSA-AES128-GCM-SHA256:128) (Exim 4.90_1) (envelope-from ) id 1euHor-0002oY-5Z; Fri, 09 Mar 2018 14:12:21 +0100 Subject: Re: x86/retpoline: Fill RSB on context switch for affected CPUs To: "Woodhouse, David" Cc: Andi Kleen , Paul Turner , LKML , Linus Torvalds , Greg Kroah-Hartman , Tim Chen , Dave Hansen , tglx@linutronix.de, Kees Cook , Rik van Riel , Peter Zijlstra , Andy Lutomirski , Jiri Kosina , gnomes@lxorguk.ukuu.org.uk, x86@kernel.org, thomas.lendacky@amd.com, Josh Poimboeuf References: <1515779365-9032-1-git-send-email-dwmw@amazon.co.uk> From: "Maciej S. Szmigiero" Message-ID: Date: Fri, 9 Mar 2018 14:12:20 +0100 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.6.0 MIME-Version: 1.0 In-Reply-To: <1515779365-9032-1-git-send-email-dwmw@amazon.co.uk> Content-Type: text/plain; charset=utf-8 Content-Language: en-US Content-Transfer-Encoding: 8bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On 12.01.2018 18:49, Woodhouse, David wrote: > When we context switch from a shallow call stack to a deeper one, as we > 'ret' up the deeper side we may encounter RSB entries (predictions for > where the 'ret' goes to) which were populated in userspace. This is > problematic if we have neither SMEP nor KPTI (the latter of which marks > userspace pages as NX for the kernel), as malicious code in userspace > may then be executed speculatively. So overwrite the CPU's return > prediction stack with calls which are predicted to return to an infinite > loop, to "capture" speculation if this happens. This is required both > for retpoline, and also in conjunction with IBRS for !SMEP && !KPTI. > > On Skylake+ the problem is slightly different, and an *underflow* of the > RSB may cause errant branch predictions to occur. So there it's not so > much overwrite, as *filling* the RSB to attempt to prevent it getting > empty. This is only a partial solution for Skylake+ since there are many > other conditions which may result in the RSB becoming empty. The full > solution on Skylake+ is to use IBRS, which will prevent the problem even > when the RSB becomes empty. With IBRS, the RSB-stuffing will not be > required on context switch. > > Signed-off-by: David Woodhouse > Acked-by: Arjan van de Ven > --- (..) > @@ -213,6 +230,23 @@ static void __init spectre_v2_select_mitigation(void) > > spectre_v2_enabled = mode; > pr_info("%s\n", spectre_v2_strings[mode]); > + > + /* > + * If we don't have SMEP or KPTI, then we run the risk of hitting > + * userspace addresses in the RSB after a context switch from a > + * shallow call stack to a deeper one. We must must fill the entire > + * RSB to avoid that, even when using IBRS. > + * > + * Skylake era CPUs have a separate issue with *underflow* of the > + * RSB, when they will predict 'ret' targets from the generic BTB. > + * IBRS makes that safe, but we need to fill the RSB on context > + * switch if we're using retpoline. > + */ > + if ((!boot_cpu_has(X86_FEATURE_PTI) && > + !boot_cpu_has(X86_FEATURE_SMEP)) || is_skylake_era()) { > + setup_force_cpu_cap(X86_FEATURE_RSB_CTXSW); > + pr_info("Filling RSB on context switch\n"); > + } Shouldn't the RSB filling on context switch also be done on non-IBPB CPUs to protect (retpolined) user space tasks from other user space tasks? We already issue a IBPB when switching to high-value user space tasks to protect them from other user space tasks. Thanks, Maciej