Received: by 2002:ac0:a5a6:0:0:0:0:0 with SMTP id m35-v6csp6002714imm;
        Wed, 12 Sep 2018 14:46:20 -0700 (PDT)
X-Google-Smtp-Source: ANB0Vdb6jLbwWtFK8XHONtjyOx0USkgor5wsErWPhWVhxz7DLaEtVqpZ3G/P+VDssAQtY3sGsXOO
X-Received: by 2002:a63:e206:: with SMTP id q6-v6mr4094055pgh.223.1536788780347;
        Wed, 12 Sep 2018 14:46:20 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1536788780; cv=none;
        d=google.com; s=arc-20160816;
        b=I5KO/wrt+ThXzvFru/TGtacpqAEIEA9ocxSA+FrxfaM5h/4ex/qMPlYDlCb0YOe/Yc
         lRYsrPr4/i+KPzthCdiNb2r0FkA0Sa/ZC/lm7KT/CO/LgAcjnMzsC+9eMu6fSoU1ssq1
         CjPcS6j+++soutl/0F6BP//o0LaksOIn/cJXUe5AjDeKP+0GdA9uQ7Aa18G03oli/Dr0
         VVqVrTyiJ99dk36hJ58Df8dovWjABfMqvBWd9Hinkgbj+nl1NE5t8oH3npSGTbtlUTNN
         SMOaGxhkHMOsbeKS/z9TjkL1cHPh0PYt8ZJNHDNqPmnPDarx4dHx1TX2HSOmof4K8czV
         PadA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:mime-version:user-agent:references
         :message-id:in-reply-to:subject:cc:to:from:date;
        bh=UA2lDTlQC2qigWAHsjhTRhWr+p/xb3RxjNFSTyVqbD4=;
        b=Vd2yNDjXWGkd7Sll9pfu7pOqRuQbVM/px7dzjrHQCBuamYh2H7kx1qPPCsE0nfVbAM
         3VXcq06eshw458/eXskt/0c7HYAU4UCvL689VEqXHeNPi6lVrPa7gcXPD0bnFRT/UhOZ
         J6UNTgUKtW08r2omPvV64YEh6W0Ua5GjcxhbXvbOeivlqwfkza/YzwtIxWjxJK8Zd5L5
         3cj+/z6PiryJVMzhu7DsS98Turx5HCjHqWIIJdV8Z733EbGBUft+/8KQVdLwcNRi5yJ8
         ljqLqGPLaV03Ob2kg4nQrkm5PiD0qAxXBWlpcLN+slRmpDRcdnpJqNCBzTcsdCSEUcPA
         RBuQ==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id j15-v6si2143798pgm.502.2018.09.12.14.46.05;
        Wed, 12 Sep 2018 14:46:20 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1727866AbeIMCw0 (ORCPT <rfc822;luizmacielfranco@gmail.com>
        + 99 others); Wed, 12 Sep 2018 22:52:26 -0400
Received: from mx2.suse.de ([195.135.220.15]:47502 "EHLO mx1.suse.de"
        rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP
        id S1726675AbeIMCw0 (ORCPT <rfc822;linux-kernel@vger.kernel.org>);
        Wed, 12 Sep 2018 22:52:26 -0400
X-Virus-Scanned: by amavisd-new at test-mx.suse.de
Received: from relay1.suse.de (unknown [195.135.220.254])
        by mx1.suse.de (Postfix) with ESMTP id 8AD04B062;
        Wed, 12 Sep 2018 21:45:57 +0000 (UTC)
Date:   Wed, 12 Sep 2018 23:45:54 +0200 (CEST)
From:   Jiri Kosina <jikos@kernel.org>
To:     Tim Chen <tim.c.chen@linux.intel.com>
cc:     Tom Lendacky <thomas.lendacky@amd.com>,
        Thomas Gleixner <tglx@linutronix.de>,
        Ingo Molnar <mingo@redhat.com>,
        Peter Zijlstra <peterz@infradead.org>,
        Josh Poimboeuf <jpoimboe@redhat.com>,
        Andrea Arcangeli <aarcange@redhat.com>,
        "Woodhouse, David" <dwmw@amazon.co.uk>,
        Andi Kleen <ak@linux.intel.com>,
        "Schaufler, Casey" <casey.schaufler@intel.com>,
        linux-kernel@vger.kernel.org, x86@kernel.org
Subject: Re: [PATCH v5 2/2] x86/speculation: Enable cross-hyperthread spectre
 v2 STIBP mitigation
In-Reply-To: <d098fa9b-f244-68d2-77f2-e3f5dd30f174@linux.intel.com>
Message-ID: <nycvar.YFH.7.76.1809122330090.15880@cbobk.fhfr.pm>
References: <nycvar.YFH.7.76.1809101119280.15880@cbobk.fhfr.pm> <nycvar.YFH.7.76.1809101123520.15880@cbobk.fhfr.pm> <alpine.DEB.2.21.1809101158080.1402@nanos.tec.linutronix.de> <nycvar.YFH.7.76.1809101259520.15880@cbobk.fhfr.pm> <nycvar.YFH.7.76.1809101343370.15880@cbobk.fhfr.pm>
 <f0fcbcd9-4619-391e-3c1b-34d06b00de50@linux.intel.com> <alpine.DEB.2.21.1809112315320.1427@nanos.tec.linutronix.de> <f95c28d6-70f2-3f18-4ab9-c756c7581126@amd.com> <d098fa9b-f244-68d2-77f2-e3f5dd30f174@linux.intel.com>
User-Agent: Alpine 2.21 (LSU 202 2017-01-01)
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Wed, 12 Sep 2018, Tim Chen wrote:

> I'm working on a patch for choosing the Spectre v2 app to app
> mitigation option.
> 
> Something like the following:
> 
> enum spectre_v2_app2app_mitigation {
>         SPECTRE_V2_APP2APP_NONE,
>         SPECTRE_V2_APP2APP_LITE,
>         SPECTRE_V2_APP2APP_IBPB,
>         SPECTRE_V2_APP2APP_STIBP,
>         SPECTRE_V2_APP2APP_STRICT,
> };
> 
> static const char *spectre_v2_app2app_strings[] = {
>         [SPECTRE_V2_APP2APP_NONE]               = "App-App Vulnerable",
>         [SPECTRE_V2_APP2APP_LITE]               = "App-App Mitigation: Protect only non-dumpable process",
>         [SPECTRE_V2_APP2APP_IBPB]               = "App-App Mitigation: Protect app against attack from same cpu",
>         [SPECTRE_V2_APP2APP_STIBP]              = "App-App Mitigation: Protect app against attack from sibling cpu",
>         [SPECTRE_V2_APP2APP_STRICT]             = "App-App Mitigation: Full app to app attack protection",
> };
> 
> So the APP2APP_LITE protection's intention is to turn on STIBP and IBPB for non-dumpable
> process.  But in my first version I may limit it to IBPB as choosing
> STIBP based on process characteristics will require some frobbing of
> the flags as what we've done in SSBD.  That will require more careful
> work and tests.
> 
> The STRICT option will turn STIBP on always and IBPB always on
> non-ptraceable context switches.
> 
> Is this something reasonable?

It's probably 100% correct, but it's also 100% super-complex at the same 
time if you ask me.

Try to imagine you're a very advanced senior sysadmin, who has heard that 
spectre and meltdown existed of course, but figured out that updating to 
latest kernel/distro vendor update fixes all the security issues (and it 
actually indeed did).

Now, all of a sudden, this new option pops up, and the poor sysadmin has 
to make a decision again.

	"Do you care only about security across non-dumpable process 
	 boundaries?"

	"Scheduled to same CPU at the time of attack? Can you guarantee that this 
	 is (not) happening?"

	"If the processess can actually ptrace/debug each other, are you okay with 
	 them attacking each other?"

	 "Shared HT siblings return target buffer, do you want it or 
	  not?"

These are the questions that even an excellent sysadmin might not have 
qualified answers to so far. Now, all of a sudden, he/her has to make 
these decisions?

I don't think that's how it should work. It all should be digestible by 
"linux end-users" (where users are also super-advanced sysadmins) easily.

We currently have "I do care about spectrev2 / I don't care about 
spectrev2" boot-time switch, and I don't see us going any deeper / more 
fine-grained without sacrificing clarity and sanity.

Or do you see a way how to do that nicely?

Thanks,

-- 
Jiri Kosina
SUSE Labs