Received: by 2002:ac0:a5a6:0:0:0:0:0 with SMTP id m35-v6csp2617759imm; Tue, 4 Sep 2018 07:25:42 -0700 (PDT) X-Google-Smtp-Source: ANB0Vdan9Ge83fYP8zpUw37e/zmB2PjnB9/V80lDmBXJMOFdwEV7+VcJ1/u36ir7t23Bx4n3UA4U X-Received: by 2002:a62:4bc6:: with SMTP id d67-v6mr35216307pfj.175.1536071142783; Tue, 04 Sep 2018 07:25:42 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1536071142; cv=none; d=google.com; s=arc-20160816; b=LiRY7c9RBOYiRwC3Y87vpvoUnAsQJHIM8A4vN52FTmUTq5rcsJBM69/w6zc+47wAPJ eQ2gkq19OOt0iUCSpY5mriTFNvUDKh/tR6d0Hp6/3HypUCXKM6gkc0UCdpRWJJ5wzQFu 6Awyb1HFLlCn2RqmL8rlTwa5bqjSMa9ddu3YCU1lHUD7FsiZLndBPLCbjVwdDHa34MDG Fn/BHyVJW72QUEnLUzZvF7z/oM0siNcRKqtZHUUTiAca4FjPSdUyhh+dRxRUpy7AQg4k Jyw/StCQMJ2nKPNAk3VoO5ZD6wA8DQe0eg2W4M6qKFdCP5VtREKTO1ManagvS02EBL2Y B6Og== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:mime-version:user-agent:references :message-id:in-reply-to:subject:cc:to:from:date :arc-authentication-results; bh=YulBLiYsOuLM/Xc6EfvfTi/Tevh1m1idfd+sp9OzUrA=; b=W+rSM4hxZ2gJngwrG2guEAjROXUYFG54mj04TXZrED5QWkn7NQ36r/azFTAidavwnw /zpX7tce78GyaDbDbyDmYdym8Lf5KGGXrFyij93LQ+24gDEgeP60qNxD+iSqXCH5sozX zmqa/CFvrSPFZGxwz+bF4PuiPm6JuMacFNEt31hhpmwWOabqxBcf+hewKSrydqopt3LU WLeTfZJWG98tUPzBO4n9y8egffVpXDwNlcQmaeF3nlk+M8h3RehUlJlMwdZ+617bDskP GoxzG4nJwWQTQPPhcGLS5luRiyVsTwaKu+g8hPBir1f54edGAMv5bn8AhrVamyo6nmQQ KBkQ== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id v23-v6si22010000plo.19.2018.09.04.07.25.26; Tue, 04 Sep 2018 07:25:42 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727442AbeIDSsi (ORCPT + 99 others); Tue, 4 Sep 2018 14:48:38 -0400 Received: from mx2.suse.de ([195.135.220.15]:58446 "EHLO mx1.suse.de" rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP id S1727072AbeIDSsi (ORCPT ); Tue, 4 Sep 2018 14:48:38 -0400 X-Virus-Scanned: by amavisd-new at test-mx.suse.de Received: from relay1.suse.de (unknown [195.135.220.254]) by mx1.suse.de (Postfix) with ESMTP id 62FD6B025; Tue, 4 Sep 2018 14:23:18 +0000 (UTC) Date: Tue, 4 Sep 2018 16:23:17 +0200 (CEST) From: Jiri Kosina To: Thomas Gleixner , Ingo Molnar , Peter Zijlstra , Josh Poimboeuf , Andrea Arcangeli , "Woodhouse, David" , Oleg Nesterov , Tim Chen cc: linux-kernel@vger.kernel.org, x86@kernel.org Subject: [PATCH v3 0/3] Harden spectrev2 userspace-userspace protection In-Reply-To: Message-ID: References: User-Agent: Alpine 2.21 (LSU 202 2017-01-01) MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Currently, linux kernel is basically not preventing userspace-userspace spectrev2 attack, because: - IBPB is basically unused (issued only for tasks that marked themselves explicitly non-dumpable, which is absolutely negligible minority of all software out there), therefore cross-process branch buffer posioning using spectrev2 is possible - STIBP is completely unused, therefore cross-process branch buffer poisoning using spectrev2 between processess running on two HT siblings thread s is possible This patchset changes IBPB semantics, so that it's now applied whenever context-switching between processess that can't use ptrace() to achieve the same. This admittedly comes with extra overhad on a context switch; systems that don't care about could disable the mitigation using nospectre_v2 boot option. The IBPB implementaion is heavily based on original patches by Tim Chen. In addition to that, we unconditionally turn STIBP on so that HT siblings always have separate branch buffers. We've been carrying IBPB implementation with the same semantics in our (SUSE) trees since january disclosure; STIBP was more or less ignored up to today. v1->v2: include IBPB changes v2->v3: fix IBPB 'who can trace who' semantics wire up STIBP flipping to SMT hotplug Jiri Kosina (3): ptrace: Provide ___ptrace_may_access() that can be applied on arbitrary tasks x86/speculation: Apply IBPB more strictly to avoid cross-process spectre v2 leak x86/speculation: Enable cross-hyperthread spectre v2 STIBP mitigation arch/x86/kernel/cpu/bugs.c | 63 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ arch/x86/mm/tlb.c | 15 ++++++--------- include/linux/ptrace.h | 15 +++++++++++++++ kernel/cpu.c | 13 ++++++++++++- kernel/ptrace.c | 17 +++++++++++++---- 5 files changed, 109 insertions(+), 14 deletions(-) -- Jiri Kosina SUSE Labs