Received: by 10.213.65.68 with SMTP id h4csp226598imn; Wed, 21 Mar 2018 17:11:01 -0700 (PDT) X-Google-Smtp-Source: AG47ELvyGz4eeP0XUyvlhmjV06/y3DhaEjOTVnPAI/2ms30ArAX6p5i0hu5+Uh6fDBqAvN1r3Eqe X-Received: by 10.98.62.71 with SMTP id l68mr14373020pfa.98.1521677461667; Wed, 21 Mar 2018 17:11:01 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1521677461; cv=none; d=google.com; s=arc-20160816; b=HkL6H1bP4ZZLP0IxM+4V/CXQZWHLsa7cYm0ce9mCh3jWKnhgQpVcIDoXpoeCv6+EqX A9nK+pnkkq1PBAEd5pFCQjY6/GpVyNU8uLJtIhOfXUdU6PANNyqvp9Va6IoONxnzxD1q I/4wcqe3sIvRWp6HNeQ4rOsLNx7wUwJ6Z4GWDWQz/j1nSxv2OucxBknqsXPIA0bMLxZa Gya5AXFCxzXFe+vPG0+EVMcPkb9JETlKn7c8FtoP59XiNtlTHwwtz51lOyq0cQE0Bjf9 tXBJluGiPPFWJ/cx5vgIieN1/YyWu5V/wkw1LgU9u8b3AkKjrJfk45eAxCNxWPL7ncCs XVvw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding :content-language:in-reply-to:mime-version:user-agent:date :message-id:from:references:cc:to:subject:arc-authentication-results; bh=hXwQlGr0E93i5j9QteLr5Zr6r6bemQhOY/PKqh7tgO4=; b=Z//BPN7zygWxZqUFpVGySYexTUSrK9Q22lx7Zsqtl8xmjksm4HXL4/FV7Pm4X9RxoK 88OweptygKHmUx4CTKfTjQX6tRNgMWoYGGdiecAbsdDGH5+z8u0TLnmBxXVktY7uYIPi P2NZ0VFsihE+rwAZKWNdptFy2OkgUFT3SPOmE6eBAd3x+rh76R7pE27GX6j2Lk8ZJnHd Dn03hFWWSTnSoGn/8+jsavPhUuLEDAnfbsiypiCYG62Vfr+QyduJtCB1z5IErFn1Tc59 bukncsK5XmailgHUb7jwZcksWUOVxDdvsB0jAotE8ZCShYmzGduPavVq2M8oETs5eJRZ ff6Q== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id 30-v6si4801936plc.446.2018.03.21.17.10.45; Wed, 21 Mar 2018 17:11:01 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1754166AbeCVAJs (ORCPT + 99 others); Wed, 21 Mar 2018 20:09:48 -0400 Received: from vps-vb.mhejs.net ([37.28.154.113]:60380 "EHLO vps-vb.mhejs.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1753732AbeCVAJr (ORCPT ); Wed, 21 Mar 2018 20:09:47 -0400 Received: by vps-vb.mhejs.net with esmtps (TLSv1.2:ECDHE-RSA-AES128-GCM-SHA256:128) (Exim 4.90_1) (envelope-from ) id 1eynnT-0005bk-Cn; Thu, 22 Mar 2018 01:09:35 +0100 Subject: Re: [PATCH] x86/speculation: Fill the RSB on context switch also on non-IBPB CPUs To: Dave Hansen Cc: Thomas Gleixner , Ingo Molnar , "H. Peter Anvin" , David Woodhouse , KarimAllah Ahmed , Andi Kleen , Tim Chen , thomas.lendacky@amd.com, x86@kernel.org, linux-kernel@vger.kernel.org References: <9eb945bd-f77e-0301-d977-d1acf931b19d@maciej.szmigiero.name> <757282b8-8b59-bcc6-1f6b-3383ae8a8575@intel.com> From: "Maciej S. Szmigiero" Message-ID: <4d7cfea4-a86a-c8f2-aaff-c8429fc107b8@maciej.szmigiero.name> Date: Thu, 22 Mar 2018 01:09:34 +0100 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.6.0 MIME-Version: 1.0 In-Reply-To: <757282b8-8b59-bcc6-1f6b-3383ae8a8575@intel.com> Content-Type: text/plain; charset=US-ASCII Content-Language: en-US Content-Transfer-Encoding: 7BIT Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On 22.03.2018 00:30, Dave Hansen wrote: > On 03/20/2018 04:17 AM, Maciej S. Szmigiero wrote: >> Since it is unlikely that existing RSB entries from the previous task match >> the new task call stack we can use the existing unconditional >> RSB-filling-on-context-switch infrastructure to protect against such >> userspace-to-userspace attacks. >> >> This patch brings a change in behavior only for the following CPU types: >> * Intel pre-Skylake CPUs without updated microcode, >> * AMD Family 15h model >60h, Family 17h CPUs without updated microcode. >> >> Other CPU types either already do the RSB filling on context switch for >> other reasons or do support IBPB for more complete userspace-to-userspace >> protection. > > I think I misunderstood your reasoning a bit. Let me see if I can > restate the problem a bit. > > IBPB provides provides userspace-to-userspace protection because it > prevents all indirect branch predictions after the barrier from being > controlled by software executed before the barrier. We only use IBPB > for KVM and when processes clear their dumpable flag. > > You're saying that, even if we don't have IBPB, we can do *some* > userspace-to-userspace protection with RSB manipulation. The RSB > manipulation obviously only helps 'RET' instructions and not JMP/CALL, > but it does do *something* useful. > > Is that right? Yes. As far as I understand the issue this should provide a good protection for userspace processes that were recompiled with retpolines as they won't have any indirect jumps and calls. > Do you really want this behavior on all context switches? We don't do > IBPB on all context switches, only the ones where we are switching *to* > a non-dumpable process. > > Do you perhaps want to do RSB manipulation in lieu of IBPB when > switching *to* a non-dumpable process and IBPB is not available? > Is it worth differentiating such processes in this case? IBPB is supposed to be very expensive so certainly it is worthwhile to do it only for high-value processes (=non-dumpable). However, it is unlikely that existing RSB entries from the previous task match the new task call stack anyway. We already do unconditional RSB-filling-on-context-switch in many cases. Maciej