Received: by 10.213.65.68 with SMTP id h4csp41390imn; Mon, 19 Mar 2018 18:54:50 -0700 (PDT) X-Google-Smtp-Source: AG47ELuMJ7TlD06BtgqkhI3ea8JeU4HlpmrouF/3cSb79rmUYfYHC4t1JD04qGLVtJ70lHzd3SNc X-Received: by 10.98.51.129 with SMTP id z123mr12097855pfz.132.1521510890559; Mon, 19 Mar 2018 18:54:50 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1521510890; cv=none; d=google.com; s=arc-20160816; b=mplrW+3tyiiqga9hrj83hEi0ckjSf59KWYUi5pAOskQRpdsZ84+i3rWuzgkBbwg8pA eJ2Wr0NpuzWo6n7lZ1xJbjs9P0EFG1FxAwyWMepSIzg3UqycBF8riPVq716ZGXpMYrRZ IItUoRPKI3qZDxnjUgNfaz9jyfyACpWTGoeEmaCj8uhQnmd0rlwIqkinB1Tth9dZpmFl w9RWSyLRsx/SuuS0ilgON3B0YJ3lQk0WiRhcCDeQJQAreSc/8rjy52DcmzUBxBpS03Im b8rJSMHckh+TBJsEKXLYE10fHVHwyJE8APYdHGUrdQHzWXOum6dg1QuV45iP47xXQ+Dy QaUw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:mime-version:content-transfer-encoding :content-language:accept-language:in-reply-to:references:message-id :date:thread-index:thread-topic:subject:cc:to:from :arc-authentication-results; bh=4Nn7sNQYzzYK2adYSkgtZjspufwvYUw1AtjqVvl6QPw=; b=GlhW8IAGHNS3EZLSU46z9fabOEQe+ypvBu0VxpXAPwa/HZXq28VpFUafvWJXcog4nf sHFj1tdmeNC5hHbPSMlSZuHDw4NhigMUezRXCTknYZAroTztl9JT7wC4Pf4uaM3KaOym EXXBFeS9iHv/5EtkapRkRUL+/6EypO+l3fVVArnLPqZnEF/f2z4i91LOY06BTJtypgeG E5xDeusmhiA0dlr9Oa7fLnNWVVMPV+wbC2wF1C4EP6k9kLkXfvzfuNwLJnE9iGsfQb3o PAgXtzr4YpAQMznycO/RAidMOFy9P5WscmGXGojbEheq3n4t1lOvVzK0kPfR7aINmfPh OjAQ== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id f5si378658pgq.806.2018.03.19.18.54.37; Mon, 19 Mar 2018 18:54:50 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S969636AbeCSVMd convert rfc822-to-8bit (ORCPT + 99 others); Mon, 19 Mar 2018 17:12:33 -0400 Received: from mga05.intel.com ([192.55.52.43]:1223 "EHLO mga05.intel.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S969549AbeCSVMV (ORCPT ); Mon, 19 Mar 2018 17:12:21 -0400 X-Amp-Result: SKIPPED(no attachment in message) X-Amp-File-Uploaded: False Received: from orsmga001.jf.intel.com ([10.7.209.18]) by fmsmga105.fm.intel.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 19 Mar 2018 14:12:21 -0700 X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="5.48,332,1517904000"; d="scan'208";a="40345155" Received: from fmsmsx108.amr.corp.intel.com ([10.18.124.206]) by orsmga001.jf.intel.com with ESMTP; 19 Mar 2018 14:12:20 -0700 Received: from fmsmsx113.amr.corp.intel.com (10.18.116.7) by FMSMSX108.amr.corp.intel.com (10.18.124.206) with Microsoft SMTP Server (TLS) id 14.3.319.2; Mon, 19 Mar 2018 14:12:20 -0700 Received: from crsmsx152.amr.corp.intel.com (172.18.7.35) by FMSMSX113.amr.corp.intel.com (10.18.116.7) with Microsoft SMTP Server (TLS) id 14.3.319.2; Mon, 19 Mar 2018 14:12:20 -0700 Received: from crsmsx101.amr.corp.intel.com ([169.254.1.143]) by CRSMSX152.amr.corp.intel.com ([169.254.5.72]) with mapi id 14.03.0319.002; Mon, 19 Mar 2018 15:12:18 -0600 From: "Bae, Chang Seok" To: Dave Hansen , "x86@kernel.org" CC: "luto@kernel.org" , "ak@linux.intel.com" , "hpa@zytor.com" , "Metzger, Markus T" , "Luck, Tony" , "Shankar, Ravi V" , "linux-kernel@vger.kernel.org" Subject: RE: [PATCH 13/15] x86/fsgsbase/64: With FSGSBASE, compare GS bases on paranoid_entry Thread-Topic: [PATCH 13/15] x86/fsgsbase/64: With FSGSBASE, compare GS bases on paranoid_entry Thread-Index: AQHTv61aFYaSukXqZEajMVMtZoAMNaPYYJOA//+n1Zw= Date: Mon, 19 Mar 2018 21:12:17 +0000 Message-ID: References: <1521481767-22113-1-git-send-email-chang.seok.bae@intel.com> <1521481767-22113-14-git-send-email-chang.seok.bae@intel.com>, In-Reply-To: Accept-Language: en-US Content-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: x-originating-ip: [10.19.9.41] Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 8BIT MIME-Version: 1.0 Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On 3/19/2018 01:05 PM, Dave Hansen wrote: >> When FSGSBASE is enabled, SWAPGS needs if and only if (current) >> GS base is not the kernel's. > Do you mean "SWAPGS is needed..."? Yes, will change. >> FSGSBASE instructions allow user to write any value on GS base; >> even negative. Sign check on the current GS base is not >> sufficient. Fortunately, reading GS base is fast. Kernel GS >> base is also known from the offset table with the CPU number. >> >> GS-compatible RDPID macro is included. > This description could use some work. I think you're trying to say > that, currently, userspace can't modify GS base and the kernel's > conventions are that a negative GS base means it is a kernel value and a > positive GS base means it is a user vale. But, with your new patches, > userspace can put arbitrary data in there, breaking the exising assumption. > Correct? Yes. > This also needs to explain a bit of the theory about how we go finding > the kernel GS base value. > Also, this is expected to improve paranoid_entry speed, right? The > rdmsr goes away so this should be faster. Should that be mentioned? I'm a bit reluctant to claim any performance benefit here yet (without having any strong empirical evidence). >> + * SWAPGS needs when it comes from user space. > The grammar here needs some work. > "SWAPGS is needed when entering from userspace". Okay >> To check where-it-from, >> + * read GS base from RDMSR/MSR_GS_BASE and check if negative or not. >> + * This works without FSGSBASE. >> + * When FSGSBASE enabled, arbitrary GS base can be put by a user-level >> + * task, which means negative value is possible. Direct comparison >> + * between the current and kernel GS bases determines the necessity of >> + * SWAPGS; do if and only if unmatched. >> + * >> + * Return: ebx=0: need SWAPGS on exit, ebx=1: otherwise >> */ > I don't think this really belongs in a comment above the function. I'd > just explain overall that we are trying to determine if we interrupted > userspace or not. I'd rather sync-up with you about comments before posting a revision. >> + movl $1, %ebx > I know it wasn't commented before, but please add a comment about what > this is doing. Okay, as long as this comment doesn't go too much. >> + /* >> + * Read current GS base with RDGSBASE. Kernel GS base is found >> + * by CPU number and its offset value. >> + */ >> + ALTERNATIVE "jmp .Lparanoid_entry_no_fsgsbase", \ >> + "RDGSBASE %rdx", X86_FEATURE_FSGSBASE >I'd rather this be: > ALTERNATIVE "jmp .Lparanoid_entry_no_fsgsbase", "nop",\ > X86_FEATURE_FSGSBASE > RDGSBASE %rdx > READ_KERNEL_GSBASE %rax > /* See if the kernel GS_BASE value is in GS base register */ > cmpq %rdx, %rax > ... >It's a lot more readable than what you have. Yes, if it helps your readability. >> + jne .Lparanoid_entry_swapgs >> + ret >> + >> +.Lparanoid_entry_no_fsgsbase: >> + /* >> + * A (slow) RDMSR is surefire without FSGSBASE. >> I'd say: >> FSGSBASE is not in use, so depend on the kernel-enforced >> convention that a negative GS base indicates a kernel value. Okay, as the detail comment at the entry should be moved like that. >> + * The READ_MSR_GSBASE macro scratches %ecx, %eax, and %edx. > "clobbers" is the normal terminology for this, not "scratches". Got it. >> +.Lparanoid_entry_swapgs: >> + SWAPGS >> + xorl %ebx, %ebx >> ret >> END(paranoid_entry) > ^^ Please comment the xorl, especially now that it's farther away from > the comment explaining what it is for. Okay (but if not too much) > +.macro READ_KERNEL_GSBASE_RDPID reg:req > This needs some explanation. Maybe: > /* > * Fetch the per-cpu GSBASE value for this processor and > * put it in @reg. We normally use %GS for accessing per-cpu > * data, but we are setting up %GS here and obviously can not > * use %GS itself to access per-cpu data. > */ Let me think. >> + /* >> + * processor id is written during vDSO (virtual dynamic shared object) >> + * initialization. 12 bits for the CPU and 8 bits for the node. >> + */ >> + andq $0xFFF, \reg > This begs the question: when do we initialize the VDSO? Is that before > or after the first paranoid_entry interrupt? Also, why the magic > number? Shouldn't this come out of a macro somewhere rather than having > to hard-code and spell out the convention? Hoped the comment to be explanatory; but, agree that the hard-code anyways is bad. >> +.macro READ_KERNEL_GSBASE reg:req >> + ALTERNATIVE "READ_KERNEL_GSBASE_CPU_SEG_LIMIT \reg", \ >> + "READ_KERNEL_GSBASE_RDPID \reg", X86_FEATURE_RDPID >> +.endm > Can I suggest a different indentation? > ALTERNATIVE \ > "READ_KERNEL_GSBASE_CPU_SEG_LIMIT \reg", \ > "READ_KERNEL_GSBASE_RDPID \reg", > X86_FEATURE_RDPID Sure, you can.