Received: by 2002:ac0:a5a6:0:0:0:0:0 with SMTP id m35-v6csp4577469imm; Tue, 11 Sep 2018 14:16:37 -0700 (PDT) X-Google-Smtp-Source: ANB0VdYv4orldhJID9+HTzU+/XBBIEGc05bdqP/S7JI+6j/kJB5sKbQEo3XFWkxId/pX7hoVQ0mR X-Received: by 2002:a17:902:28a4:: with SMTP id f33-v6mr29347697plb.297.1536700597943; Tue, 11 Sep 2018 14:16:37 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1536700597; cv=none; d=google.com; s=arc-20160816; b=eVIgqCcnBsVIG6r6bqJgd5WvLkfiyjswCGqxnwsE2qzChBFmdl9lHkNDOwu1MxugSf QAWpXOvD7vha6UBwJsCgbam0CsGx3s0xeHQKtHpXbQ2Lc2dxudowQCOkiXvfK8bYPinI n+WjlBk+ECghA/611zFLwh1AFmlQAoJxMs3rfMICQS5YyKenMFIGqR8Csvopl6jKjR6Y P0EOiMSAGndSJWZkCLZKY7a+IM9JWw0CV+gHqYrU9hLortV/aGOrG9zSUWaqCd9HCDM9 T+O0IiXKLMoYF2P0r/KrzvLpxiZ2GZ/qwnNaS+VrI1ISG0gXjJrzBOsv2I9Fq6xd4ZvA +yHQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:mime-version:user-agent:references :message-id:in-reply-to:subject:cc:to:from:date; bh=+mWfEIQeYnYWQVbKbQTym7lDoJkFGyWyFRD2GaLx6pc=; b=Ns/KqDcOj8xIU8Cw/x0q0cZDkxOXOe6e/zH1XLXnefRxMGH3rr3G5u96MGTD4OVypY 5j4PF+PuMjSxEO+nN/CnxUd9XTfMc0p9h91x8t2C/tTKx3MBkKVOy6imEFhFGKDhZazN KDkz0mi8kxAiF4IVVFCl2ENX0owSYJWSyXy2vd/gLF9buRr1/kle4f7J7D47glxRRqLD H/Y/gfkhiLCOviUtgvzkeyDvhNeM4Sjr8zTES3v5jDXYPlXfV4sHxdJ4WIrySrEHeXg1 cUO8sCTscRMqAtJ2SZq5KV2L/oZJXfymbL62Zo77vuIhdi85zPlzHPZrsPS9GxRUubR+ P86A== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id f21-v6si23037145pgk.418.2018.09.11.14.16.22; Tue, 11 Sep 2018 14:16:37 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727756AbeILCQ5 (ORCPT + 99 others); Tue, 11 Sep 2018 22:16:57 -0400 Received: from Galois.linutronix.de ([146.0.238.70]:42443 "EHLO Galois.linutronix.de" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726980AbeILCQ5 (ORCPT ); Tue, 11 Sep 2018 22:16:57 -0400 Received: from p4fea45ac.dip0.t-ipconnect.de ([79.234.69.172] helo=nanos) by Galois.linutronix.de with esmtpsa (TLS1.2:DHE_RSA_AES_256_CBC_SHA256:256) (Exim 4.80) (envelope-from ) id 1fzq0M-00065g-FT; Tue, 11 Sep 2018 23:15:26 +0200 Date: Tue, 11 Sep 2018 23:15:25 +0200 (CEST) From: Thomas Gleixner To: "Schaufler, Casey" cc: Jiri Kosina , Ingo Molnar , Peter Zijlstra , Josh Poimboeuf , Andrea Arcangeli , "Woodhouse, David" , Andi Kleen , Tim Chen , "linux-kernel@vger.kernel.org" , "x86@kernel.org" Subject: RE: [PATCH v5 1/2] x86/speculation: apply IBPB more strictly to avoid cross-process data leak In-Reply-To: <99FC4B6EFCEFD44486C35F4C281DC6732144AF87@ORSMSX107.amr.corp.intel.com> Message-ID: References: <99FC4B6EFCEFD44486C35F4C281DC6732144ADF9@ORSMSX107.amr.corp.intel.com> <99FC4B6EFCEFD44486C35F4C281DC6732144AEC9@ORSMSX107.amr.corp.intel.com> <99FC4B6EFCEFD44486C35F4C281DC6732144AF24@ORSMSX107.amr.corp.intel.com> <99FC4B6EFCEFD44486C35F4C281DC6732144AF87@ORSMSX107.amr.corp.intel.com> User-Agent: Alpine 2.21 (DEB 202 2017-01-01) MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII X-Linutronix-Spam-Score: -1.0 X-Linutronix-Spam-Level: - X-Linutronix-Spam-Status: No , -1.0 points, 5.0 required, ALL_TRUSTED=-1,SHORTCIRCUIT=-0.0001 Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Mon, 10 Sep 2018, Schaufler, Casey wrote: > > -----Original Message----- > > From: Jiri Kosina [mailto:jikos@kernel.org] > > Sent: Monday, September 10, 2018 1:42 PM > > To: Schaufler, Casey > > Cc: Thomas Gleixner ; Ingo Molnar ; > > Peter Zijlstra ; Josh Poimboeuf > > ; Andrea Arcangeli ; > > Woodhouse, David ; Andi Kleen ; > > Tim Chen ; linux-kernel@vger.kernel.org; > > x86@kernel.org Casey, can you please spare us the completely redundant copy of the mail header? > Short of a patch to show the changes (which I wish I could do today, but > really can't) what I want to see is: > > - Put ptrace back to using the security module interfaces. > - Identify where this causes locking issues and work with the module > owners (a reasonable lot, all) to provide lock safe paths for the IBPB case. > > Otherwise, I have to add a new LSM hook right after your ptrace call and > duplicate a whole lot of what you've just turned off, plus creating lock > safe code that duplicates what ptrace already does. While I would rather > have the side-channel checks be separate from the ptrace checks I can't > justify doing both. I'm not yet convinced that making these decisions purely based on LSM is a good idea. The LSM based decision can optionally replace the built in default decision at runtime, but it cannot replace it because its simpler for most people to install a new kernel than fiddling with LSM. We want a halfways sane default solution for this ASAP and Jiri's patch is straight forward providing one without preventing you from adding your magic LSM stuff once you have time to work on it including all (locking) problems it creates. Nice try to offload that to Jiri. Thanks, tglx