Received: by 2002:a4a:3008:0:0:0:0:0 with SMTP id q8-v6csp3423315oof; Mon, 10 Sep 2018 14:36:37 -0700 (PDT) X-Google-Smtp-Source: ANB0VdabBiOc3eYw7Pk/AKtqlpFyvEolEEvHH4mZnycr1xtV9t6Vt8hbYO1BkIgbk1b3Aic+GaDT X-Received: by 2002:a63:115f:: with SMTP id 31-v6mr24757282pgr.53.1536615397776; Mon, 10 Sep 2018 14:36:37 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1536615397; cv=none; d=google.com; s=arc-20160816; b=QNJF2caq0HR9kEO2JSyCfGL1WYiTsDwfag0BGziXG81G5obKSb9kop84cx3NIfjRNd Uh95OMWMT19uQ/ShfVlZX9A9xfHlwZpnqMWSQCcHB4XHGL6sCpZ41zdVjdtPgKFW1OQB +NQfGbUjlyiwLuVUAkKBuWjUntbvX4IlBxMoqVK4cJ4rgwrIwaeyhu3qv9OOQvxpUp5V IspEEGnRCz7ca38DdpdHUcXyZgvynw77hFhXdQm+732+BBCMIRrIMjIw1M/EI7v0IV/P yGocI3hwFWKUfXPfKDZXo401lazHsqbssm7Rkxiow9SjHvJ+UzSzIWXJwmW6GrxgjoV7 i1rw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:mime-version:user-agent:references :message-id:in-reply-to:subject:cc:to:from:date; bh=B8absrwKBRu7ZEFYzZmQCKyCjgm1ylpAxVCDm0rLZEM=; b=SVzn48AR+MnnqBfJyVeZQ3R9hAquFNaPeyx3bmKyF8946//iAjNOoushYfNB61qTbz m8RCMW2aIayVJZqeL1gfmF9HVO6DeXX5XOzs5mgLGkJiEj+51CnPu09PU6MCZyDpKR5Y mdTr8GVBAQ/T5ZZv8SJLcJyvTHbXZXGEmnRWYh+rC8uSHPamlYQGtuEcntfZ4BVwn00t t06ne0GdzXDTDsTu/pPjCPpV9/KafGKm7wjdJycDOWV7+eihAPfJgOaaUcfp5thIedj3 ij/+qUtRyQPRvCuGEOW+T1bNLu7Bna4b9XhstcgWnIYyvPut4u6FMHDr6/BxZIoQPZo3 IMvQ== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id p61-v6si17941549plb.55.2018.09.10.14.36.19; Mon, 10 Sep 2018 14:36:37 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726701AbeIKCcG (ORCPT + 99 others); Mon, 10 Sep 2018 22:32:06 -0400 Received: from mx2.suse.de ([195.135.220.15]:54482 "EHLO mx1.suse.de" rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP id S1726141AbeIKCcG (ORCPT ); Mon, 10 Sep 2018 22:32:06 -0400 X-Virus-Scanned: by amavisd-new at test-mx.suse.de Received: from relay1.suse.de (unknown [195.135.220.254]) by mx1.suse.de (Postfix) with ESMTP id 794EDAE0A; Mon, 10 Sep 2018 21:36:03 +0000 (UTC) Date: Mon, 10 Sep 2018 23:36:00 +0200 (CEST) From: Jiri Kosina To: "Schaufler, Casey" cc: Thomas Gleixner , Ingo Molnar , Peter Zijlstra , Josh Poimboeuf , Andrea Arcangeli , "Woodhouse, David" , Andi Kleen , Tim Chen , "linux-kernel@vger.kernel.org" , "x86@kernel.org" Subject: RE: [PATCH v5 1/2] x86/speculation: apply IBPB more strictly to avoid cross-process data leak In-Reply-To: <99FC4B6EFCEFD44486C35F4C281DC6732144AF87@ORSMSX107.amr.corp.intel.com> Message-ID: References: <99FC4B6EFCEFD44486C35F4C281DC6732144ADF9@ORSMSX107.amr.corp.intel.com> <99FC4B6EFCEFD44486C35F4C281DC6732144AEC9@ORSMSX107.amr.corp.intel.com> <99FC4B6EFCEFD44486C35F4C281DC6732144AF24@ORSMSX107.amr.corp.intel.com> <99FC4B6EFCEFD44486C35F4C281DC6732144AF87@ORSMSX107.amr.corp.intel.com> User-Agent: Alpine 2.21 (LSU 202 2017-01-01) MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Mon, 10 Sep 2018, Schaufler, Casey wrote: > > So please tell me what exactly you'd like to see changed in the IBPB patch > > and why exactly, I am not seeing it yet. > > Short of a patch to show the changes (which I wish I could do today, but really can't) > what I want to see is: > > - Put ptrace back to using the security module interfaces. > - Identify where this causes locking issues and work with the module > owners (a reasonable lot, all) to provide lock safe paths for the IBPB case. > > Otherwise, I have to add a new LSM hook right after your ptrace call and duplicate > a whole lot of what you've just turned off, plus creating lock safe code that duplicates > what ptrace already does. While I would rather have the side-channel checks be > separate from the ptrace checks I can't justify doing both. So why can't this be then done as 2nd step, once you've audited the LSM callbacks and worked around the locking in LSM callbacks/audit code? Once that is taken care of, of course feel free to undo the changes my patch is doing so that you don't have to duplicate any ptrace code. But before all that is fixed / worked around in LSM/audit (and I don't have spare cycles for doing that myself), why not take the simple aproach for now? Thanks, -- Jiri Kosina SUSE Labs