Date: Wed, 27 Jun 2018 11:33:30 -0700
From: hpa@zytor.com
To: Andy Lutomirski, "H. Peter Anvin"
CC: LKML, "H. Peter Anvin", Ingo Molnar, Thomas Gleixner, "Bae, Chang Seok", "Metzger, Markus T"
Subject: Re: [PATCH v3 1/7] x86/ldt: refresh %fs and %gs in refresh_ldt_segments()
In-Reply-To: <27F6CB18-8E20-487B-B55B-1DAEF9DF9E2C@zytor.com>
References: <20180621211754.12757-1-h.peter.anvin@intel.com> <20180621211754.12757-2-h.peter.anvin@intel.com> <408ed97a-c64d-c523-c403-4e066d1f34c3@intel.com> <27F6CB18-8E20-487B-B55B-1DAEF9DF9E2C@zytor.com>
Message-ID: <28946700-32A3-428C-898B-1378F8AA22AB@zytor.com>
X-Mailing-List: linux-kernel@vger.kernel.org

On June 27, 2018 11:22:14 AM PDT, hpa@zytor.com wrote:
> On June 27, 2018 11:19:12 AM PDT, Andy Lutomirski wrote:
>> On Fri, Jun 22, 2018 at 11:47 AM, Andy Lutomirski wrote:
>>>
>>>> On Jun 22, 2018, at 11:29 AM, H. Peter Anvin wrote:
>>>>
>>>>> On 06/22/18 07:24, Andy Lutomirski wrote:
>>>>>
>>>>> That RPL3 part is false. The following program does:
>>>>>
>>>>> #include <stdio.h>
>>>>>
>>>>> int main()
>>>>> {
>>>>>     unsigned short sel;
>>>>>     asm volatile ("mov %%ss, %0" : "=rm" (sel));
>>>>>     sel &= ~3;
>>>>>     printf("Will write 0x%hx to GS\n", sel);
>>>>>     asm volatile ("mov %0, %%gs" :: "rm" (sel & ~3));
>>>>>     asm volatile ("mov %%gs, %0" : "=rm" (sel));
>>>>>     printf("GS = 0x%hx\n", sel);
>>>>>     return 0;
>>>>> }
>>>>>
>>>>> prints:
>>>>>
>>>>> Will write 0x28 to GS
>>>>> GS = 0x28
>>>>>
>>>>> The x86 architecture is *insane*.
>>>>>
>>>>> Other than that, this patch seems generally sensible. But my
>>>>> objection that it's incorrect with FSGSBASE enabled for %fs and %gs
>>>>> still applies.
>>>>>
>>>>
>>>> Ugh, you're right... I misremembered. The CPL simply overrides the RPL
>>>> rather than trapping.
>>>>
>>>> We still need to give legacy applications which have zero idea about the
>>>> separate bases that apply only to 64-bit mode a way to DTRT. Requiring
>>>> these old crufty applications to do something new is not an option.
>>>>
>>>> As ugly as it is, I'm thinking the Right Thing is to simply make it a
>>>> part of the Linux ABI that if the FS or GS selector registers point into
>>>> the LDT then we will requalify them; if a 64-bit app does that then they
>>>> get that behavior. This isn't something that will happen
>>>> asynchronously, and if a 64-bit process loads an LDT value into FS or
>>>> GS, they are considered to have opted in to that behavior.
>>>
>>> But the old and crusty apps don’t depend on requalification because
>>> we never used to do it.
>>>
>>> I’m not convinced we ever need to refresh the base. In fact, we could
>>> start preserving the base of LDT-referencing FS/GS across context
>>> switches even without FSGSBASE at some minor performance cost, but I
>>> don’t really see the point. I still think my proposed semantics are
>>> easy to implement and preserve the ABI even if they have the sad
>>> property that the FSGSBASE behavior and the non-FSGSBASE behavior end
>>> up different.
>>>
>>
>> There's another reasonable solution: do exactly what your patch does,
>> minus the bugs. We would need to get the RPL != 3 case right (easy)
>> and the case where there's a non-running thread using the selector in
>> question. The latter is probably best handled by adding a flag to
>> thread_struct that says "fsbase needs reloading from the descriptor
>> table" and only applies if the selector is in the LDT or TLS area. Or
>> we could hijack a high bit in the selector. Then we'd need to update
>> everything that uses the fields.
>
> Obviously fix the bugs.
>
> How would you control this bit?

I can personally think of these options:

1. A prctl() to disable requalification;
2. Make the new instructions trap until used. This will add to the startup time of legitimate users of these instructions;
3. Either of these, but start out in "off" mode until one of the descriptor table system calls are called.

-- 
Sent from my Android device with K-9 Mail. Please excuse my brevity.