Received: by 2002:a4a:301c:0:0:0:0:0 with SMTP id q28-v6csp852576oof; Tue, 25 Sep 2018 05:38:31 -0700 (PDT) X-Google-Smtp-Source: ACcGV609FQUZCVxDh0I0kwjiI3D7Mi+VETNvGDtlje1usM/8YrNpVGiPI2E4EfX8oI9tg7Oohimc X-Received: by 2002:a62:6781:: with SMTP id t1-v6mr958940pfj.200.1537879111888; Tue, 25 Sep 2018 05:38:31 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1537879111; cv=none; d=google.com; s=arc-20160816; b=Fr4ieTYZ9AfhOOQnDDmOjAvCl1x6H1g/v0wjNeK1ToKruxWozL1WF6RrXcMbIs5R4p dPKfT9lnAsTtWEMGUqPfmBEX9EaSrAL50dziXKNMqnkA1pgMNKxeSylFXKpgVeMicZSB 5YtxnaGJSaPTntroawp836Qv7QG3hE5ixkRsADprcRlh86kGx2TEvvQOSPJ/4+WNqkE1 X2KDnJiLDQWPpWon4hmN+W96evyZqdVD3BlhkMh45GFvtHSXYxmzMeyUSDbwv9EmanF/ ePcAr2HHBBfyp5ltcgaVqYUj270tp3GrMP04zrgdmTd/Zg+SnK3nvdUyVOH4D/z7ZysI ORJw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:mime-version:user-agent:message-id :subject:cc:to:from:date; bh=G6ygNzkH6SVmRdTTVZDdwNJA3FJ5JMsufay9W+Dn0U4=; b=JbOk51YqxRXXOjqljQFaidi1m5yPZL8X0aNCDwY4dZP/P87RCp4Zqgg+lPGUBHw5zP esDdokrgGYgg7YP36ELivDPLhgCI6thaWeGhyx97MLzbCQy3SBwVrJJNFWZ2i6tmAi0F CZMrlI+fT+das3yEa1YB3pmUxMNBRwbONXv/P52WcQIBFHJmKMfgiLeCfBqP7dzgFrOc nDA9cjbJOVUFaWiSiDVJbngIpajCRiOegw7U1eAAunitU0Hv2gnQpBdhNaki+58Uk7UY xuhm+e63+94Qgn8UQjEVLCl2OyfPU+4DTGORQX37y46/JIrE9nK4zPqqC4q9ADiPC0Me m7Ag== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id q23-v6si1988733pfh.353.2018.09.25.05.38.16; Tue, 25 Sep 2018 05:38:31 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1729158AbeIYSov (ORCPT + 99 others); Tue, 25 Sep 2018 14:44:51 -0400 Received: from mx2.suse.de ([195.135.220.15]:34410 "EHLO mx1.suse.de" rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP id S1728588AbeIYSov (ORCPT ); Tue, 25 Sep 2018 14:44:51 -0400 X-Virus-Scanned: by amavisd-new at test-mx.suse.de Received: from relay1.suse.de (unknown [195.135.220.254]) by mx1.suse.de (Postfix) with ESMTP id 16AB1AEA3; Tue, 25 Sep 2018 12:37:28 +0000 (UTC) Date: Tue, 25 Sep 2018 14:37:25 +0200 (CEST) From: Jiri Kosina To: Thomas Gleixner , Ingo Molnar , Peter Zijlstra , Josh Poimboeuf , Andrea Arcangeli , "Woodhouse, David" , Andi Kleen , Tim Chen , "Schaufler, Casey" cc: linux-kernel@vger.kernel.org, x86@kernel.org Subject: [PATCH v7 0/3] Harden spectrev2 userspace-userspace protection Message-ID: User-Agent: Alpine 2.21 (LSU 202 2017-01-01) MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Currently, linux kernel is basically not preventing userspace-userspace spectrev2 attack, because: - IBPB is basically unused (issued only for tasks that marked themselves explicitly non-dumpable, which is absolutely negligible minority of all software out there), therefore cross-process branch buffer posioning using spectrev2 is possible - STIBP is completely unused, therefore cross-process branch buffer poisoning using spectrev2 between processess running on two HT siblings thread s is possible This patchset changes IBPB semantics, so that it's now applied whenever context-switching between processess that can't use ptrace() to achieve the same. This admittedly comes with extra overhad on a context switch; systems that don't care about could disable the mitigation using nospectre_v2 boot option. The IBPB implementaion is heavily based on original patches by Tim Chen. In addition to that, we unconditionally turn STIBP on so that HT siblings always have separate branch buffers. We've been carrying IBPB implementation with the same semantics in our (SUSE) trees since january disclosure; STIBP was more or less ignored up to today. There is more work going on by Tim Chen, that will go on top, and enable prctl()-based more fine-grained per-process tuning of this mitigation. v1->v2: include IBPB changes v2->v3: fix IBPB 'who can trace who' semantics wire up STIBP flipping to SMT hotplug v3->v4: dropped ___ptrace_may_access(), as it's not needed fixed deadlock with LSM/audit/selinux (Andrea Arcangeli) statically patch out the ptrace check if !IBPB v4->v5: fix MSR writing logic (Thomas Gleixner, Josh Poimboeuf) v5->v6: propagate X86_FEATURE_RSB_CTXSW setting to sysfs propagate STIBP setting to sysfs (Thomas Gleixner) simplify arch_smt_update() (Thomas Gleixner) v6->v7: PTRACE_MODE_NOACCESS_CHK -> PTRACE_MODE_SCHED and PTRACE_MODE_IBPB (Thomas Gleixner) drop unnecessary x86_spec_ctrl_base mutex in cpu_show_common() Jiri Kosina (3): x86/speculation: apply IBPB more strictly to avoid cross-process data leak x86/speculation: Enable cross-hyperthread spectre v2 STIBP mitigation x86/speculation: Propagate information about RSB filling mitigation to sysfs arch/x86/kernel/cpu/bugs.c | 60 ++++++++++++++++++++++++++++++++++++++++++++++++++++++------ arch/x86/mm/tlb.c | 31 ++++++++++++++++++++----------- include/linux/ptrace.h | 4 ++++ kernel/cpu.c | 11 ++++++++++- kernel/ptrace.c | 12 ++++++++---- 5 files changed, 96 insertions(+), 22 deletions(-) -- Jiri Kosina SUSE Labs