Received: by 2002:ac0:a5a7:0:0:0:0:0 with SMTP id m36-v6csp1342781imm; Fri, 17 Aug 2018 16:56:47 -0700 (PDT) X-Google-Smtp-Source: AA+uWPy/m300UQJ5moyK/YT9OEAgO5j6+hxBitfKWPFzHxMumumlaaH9j59BZ0Yr8WfjgNKPqelF X-Received: by 2002:a17:902:1745:: with SMTP id i63-v6mr3398957pli.3.1534550207924; Fri, 17 Aug 2018 16:56:47 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1534550207; cv=none; d=google.com; s=arc-20160816; b=hr1mlDmR/R3SNpBlde6BkPZxeMQNB2RXcyjUvuTi+VdJ47xIX3QDacw4ajfj0YKSJT KcW50U7RW3knQQH4DX42KpdipcRHjCeACawmPOGoJBhF3/ibkNCmcTFbx8uVt0Pmvxtl QMkxzaaNf++TLxKvw4kbrqZbFCGOidMSXuGhnaMNk8kEAdicOz51z3kQ+VkU0gPZWlPw 5oCFR+jnC1sKWlOH/nobmmLrKkHc3XrRPA8aFfDkUReS7rE1fid1ZexStErCbJ3QSI1g Ymmgtg46KXOT27gCJ9ifArCB0L+DjcbINb532aG+TV8tyzRVRM0M4ymAf+hjn6gbdxQS rkPw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:dkim-signature :arc-authentication-results; bh=Ds396LVoVtBCaofAqS7RtuLP2vc9hietrCDCgYaSKw4=; b=pC+Wiu8HPThizaOWBMLcLZuOShyRprLU1hd0c3RDnfusPhRnlQBfUiKIKdYdZA3V6q ax37pPU9JdVRIrXr8jXrCFO5ZJiIGNy7H76QXbO1NHJbVE+pYqMpG7g5HODeymUztU9s Yq+lI5AMB29Esw4jns2Ryi9/f0yQ4r2Ge8Rkmu5IuKX/5gRAOqCSjuzaDYmMywhhgC54 olff348Qrdb/GHn+X8H+M1370tt6q6WrnrUc/nUwmByiJAZLmTTqhoHAlU+lxwiTwkGE wAPrXTjiXEMaPESA1ntMYojTN8KTYifVWSSAv4shGdbihY3ZBWv+GhEiBzZPNZyn+EXH yhbg== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@google.com header.s=20161025 header.b=d6c2Yx4M; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id j10-v6si3280482pgi.500.2018.08.17.16.56.32; Fri, 17 Aug 2018 16:56:47 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@google.com header.s=20161025 header.b=d6c2Yx4M; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726300AbeHRDA4 (ORCPT + 99 others); Fri, 17 Aug 2018 23:00:56 -0400 Received: from mail-oi0-f66.google.com ([209.85.218.66]:41526 "EHLO mail-oi0-f66.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1725967AbeHRDAz (ORCPT ); Fri, 17 Aug 2018 23:00:55 -0400 Received: by mail-oi0-f66.google.com with SMTP id k12-v6so16807048oiw.8 for ; Fri, 17 Aug 2018 16:55:29 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=Ds396LVoVtBCaofAqS7RtuLP2vc9hietrCDCgYaSKw4=; b=d6c2Yx4MSwCHCupcyE1cFwXDnrAiEVYFvfsKXnd5MjYxzqNRV3fHrYPESvGdLJ02uF eH89ksYancvIy9M4y+Slt32DbDpNoDCjvBEO+r0ldMfvZ1SEixV+BEywKYSDt92oeAiO 5aJVcJtz6cSInEgM6NmPd3DpPOLsI0PGo/L0OTJg4M8TN9SncQOkMaXIZZQHmLPXt7LF lIhhOwLO76lJpj0QTalgE/MqFXMtRK5HyuJhHnpgbQuxp3XBjSFJNj+nDI8TobWaun30 nLNTCcchzMdV+EJ510pdusJkRalP18z1kSbVc7k1ox9+hD4zlQMT2EUozVUVOAqSJ1dn YYTw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=Ds396LVoVtBCaofAqS7RtuLP2vc9hietrCDCgYaSKw4=; b=aX1Pezinrucs5GXYS9BmQv+5XTubwJD012HaXK+DX3AQA+ejPQTXTmj56Z2pcPfvzD ziPDTcre0C/7Cg9kWBeX3Y22hxuwc9GbSZ32Q7dUkAPn22szqywZ2b/3mpGvBUqvg7Fs aZgoGlm7D1x9XJH23KresuSYe5ydqldjBv24zPx0SkHqkaH5DKfWT7hPP8V+sOgkFVKJ JzncZKg7wxMYG7dmXEa6Pbfd6uwoyjPsbqPMCXLFFhLG6+hED4l9u7h7IX1jiJbJu2vn bQr3c8YADTFdxdDh1HRIlLbYgP+87kcxWC6E3EaeO32eCx+J772EBrvFIWn4+A9dxrgX /HAw== X-Gm-Message-State: AOUpUlEYr9sTGBEF3kWf1xZhqXWPL1pnPkJ6hYTDpsqyzRxVsT/XL+5e WPU4iVztJWpMSoBedLC/B64qSjIp5JWoi5DfvrBt4hkcEzS/LQ== X-Received: by 2002:aca:c585:: with SMTP id v127-v6mr4769841oif.348.1534550128363; Fri, 17 Aug 2018 16:55:28 -0700 (PDT) MIME-Version: 1.0 References: <20180817221624.10232-1-casey.schaufler@intel.com> <20180817221624.10232-3-casey.schaufler@intel.com> In-Reply-To: <20180817221624.10232-3-casey.schaufler@intel.com> From: Jann Horn Date: Sat, 18 Aug 2018 01:55:02 +0200 Message-ID: Subject: Re: [PATCH RFC v2 2/5] X86: Support LSM determination of side-channel vulnerability To: Casey Schaufler Cc: Kernel Hardening , kernel list , linux-security-module , selinux@tycho.nsa.gov, Dave Hansen , deneen.t.dock@intel.com, kristen@linux.intel.com, Arjan van de Ven Content-Type: text/plain; charset="UTF-8" Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Sat, Aug 18, 2018 at 12:17 AM Casey Schaufler wrote: > > From: Casey Schaufler > > When switching between tasks it may be necessary > to set an indirect branch prediction barrier if the > tasks are potentially vulnerable to side-channel > attacks. This adds a call to security_task_safe_sidechannel > so that security modules can weigh in on the decision. > > Signed-off-by: Casey Schaufler > --- > arch/x86/mm/tlb.c | 12 ++++++++---- > 1 file changed, 8 insertions(+), 4 deletions(-) > > diff --git a/arch/x86/mm/tlb.c b/arch/x86/mm/tlb.c > index 6eb1f34c3c85..8714d4af06aa 100644 > --- a/arch/x86/mm/tlb.c > +++ b/arch/x86/mm/tlb.c > @@ -7,6 +7,7 @@ > #include > #include > #include > +#include > > #include > #include > @@ -270,11 +271,14 @@ void switch_mm_irqs_off(struct mm_struct *prev, struct mm_struct *next, > * threads. It will also not flush if we switch to idle > * thread and back to the same process. It will flush if we > * switch to a different non-dumpable process. > + * If a security module thinks that the transition > + * is unsafe do the flush. > */ > - if (tsk && tsk->mm && > - tsk->mm->context.ctx_id != last_ctx_id && > - get_dumpable(tsk->mm) != SUID_DUMP_USER) > - indirect_branch_prediction_barrier(); > + if (tsk && tsk->mm && tsk->mm->context.ctx_id != last_ctx_id) { > + if (get_dumpable(tsk->mm) != SUID_DUMP_USER || > + security_task_safe_sidechannel(tsk) != 0) > + indirect_branch_prediction_barrier(); > + } When you posted v1 of this series, I asked: | Does this enforce transitivity? What happens if we first switch from | an attacker task to a task without ->mm, and immediately afterwards | from the task without ->mm to a victim task? In that case, whether a | flush happens between the attacker task and the victim task depends on | whether the LSM thinks that the mm-less task should have access to the | victim task, right? Have you addressed that? I don't see it...