Received: by 2002:ac0:a582:0:0:0:0:0 with SMTP id m2-v6csp2620391imm; Thu, 11 Oct 2018 13:17:35 -0700 (PDT) X-Google-Smtp-Source: ACcGV61Lm2qrbICmr064cmJJl+uh2JonKTGmEs9QcQfbt26LSSAgPuLRY/HDZVPc8dk7Wa6iHqJu X-Received: by 2002:a62:9850:: with SMTP id q77-v6mr2937724pfd.249.1539289055192; Thu, 11 Oct 2018 13:17:35 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1539289055; cv=none; d=google.com; s=arc-20160816; b=KiuIbq4YMzXi33yFjWapsKRf0Q90xJDM6lX3dsIiUChdH3de7D59FYDOr740vd6SD/ BlnbJSvHYbuavoWXLlKnovz9gHwqjkokeVp74pu+LMIbU981g8QNJxvCBobFEhLsJXHb yubQM58pH6iJBULtsz3G/OJyfujVWLJuLJFINHFapkRvDqL77V0Q6fChMsyDdWUmtknZ qXxO1bdmD5CBm/saoszT79o0pdV6T6nVhVUaIWXwF6ldYICBq5WeDv8i22w5e5EFkFxq 3zkkDNEVuCFdkWYhb2iyDEFx3R07Wb042bgywWX53p1HL2PvWHpnXDQoGzYThdChc3dI EkYQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding:mime-version :references:in-reply-to:date:cc:to:from:subject:message-id; bh=q/GTiPaF70BXMwabYedbzrPeKOOXh9JDHPpUe5Ykuwg=; b=H0QN1fta1WIpm41SDEAu7j+LGM64rBogFQ33A9P5a8bQfsVPUaYFsc1Z8mZkB0wPT8 Kr8Ty1aWCHoy06Fwo2P36r49a6vgtGTi6mNgEtgnsIYyKlNT1mBIDlZw7kMdu/Gbv3MM OqA8wg9xSoGepbri8YN6hFOwyDG7Ur4tln+/0vyBEjSWnqhANTMRpwASOQFI7ewVOaE5 VDQLWk12avI/I8THULaWtWRRiJBf7Ame/Oc4M5oHXY+htKDjR5Lp+757VRQ1C5rIftUq HFofO8LuLIZ5IuENKEHZ6mU4MUksHqBRnB4mPZC18cEmlv5N5k9jyn3A2zBaMEBfCaAN wULA== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=intel.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id y76-v6si23703613pfd.254.2018.10.11.13.17.19; Thu, 11 Oct 2018 13:17:35 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=intel.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726714AbeJLDol (ORCPT + 99 others); Thu, 11 Oct 2018 23:44:41 -0400 Received: from mga12.intel.com ([192.55.52.136]:20288 "EHLO mga12.intel.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726040AbeJLDol (ORCPT ); Thu, 11 Oct 2018 23:44:41 -0400 X-Amp-Result: SKIPPED(no attachment in message) X-Amp-File-Uploaded: False Received: from orsmga005.jf.intel.com ([10.7.209.41]) by fmsmga106.fm.intel.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 11 Oct 2018 13:15:51 -0700 X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="5.54,369,1534834800"; d="scan'208";a="264936467" Received: from kcaccard-mobl3.jf.intel.com ([10.24.8.209]) by orsmga005.jf.intel.com with ESMTP; 11 Oct 2018 13:15:50 -0700 Message-ID: <1539288950.3566.11.camel@linux.intel.com> Subject: Re: [PATCH] x86: entry: flush the cache if syscall error From: Kristen C Accardi To: Andy Lutomirski Cc: Kernel Hardening , Thomas Gleixner , Ingo Molnar , Borislav Petkov , "H. Peter Anvin" , X86 ML , LKML Date: Thu, 11 Oct 2018 13:15:50 -0700 In-Reply-To: References: <20181011185458.10186-1-kristen@linux.intel.com> Content-Type: text/plain; charset="UTF-8" X-Mailer: Evolution 3.26.6 (3.26.6-1.fc27) Mime-Version: 1.0 Content-Transfer-Encoding: 7bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Thu, 2018-10-11 at 12:25 -0700, Andy Lutomirski wrote: > On Thu, Oct 11, 2018 at 11:55 AM Kristen Carlson Accardi > wrote: > > > > This patch aims to make it harder to perform cache timing attacks > > on data > > left behind by system calls. If we have an error returned from a > > syscall, > > flush the L1 cache. > > > > It's important to note that this patch is not addressing any > > specific > > exploit, nor is it intended to be a complete defense against > > anything. > > It is intended to be a low cost way of eliminating some of side > > effects > > of a failed system call. > > > > A performance test using sysbench on one hyperthread and a script > > which > > attempts to repeatedly access files it does not have permission to > > access > > on the other hyperthread found no significant performance impact. > > > > +__visible inline void l1_cache_flush(struct pt_regs *regs) > > +{ > > + if (IS_ENABLED(CONFIG_SYSCALL_FLUSH) && > > + static_cpu_has(X86_FEATURE_FLUSH_L1D)) { > > + if (regs->ax == 0 || regs->ax == -EAGAIN || > > + regs->ax == -EEXIST || regs->ax == -ENOENT || > > + regs->ax == -EXDEV || regs->ax == -ETIMEDOUT || > > + regs->ax == -ENOTCONN || regs->ax == > > -EINPROGRESS) > > + return; > > + > > + wrmsrl(MSR_IA32_FLUSH_CMD, L1D_FLUSH); > > + } > > +} > > Ugh. > > What exactly is this trying to protect against? And how many cycles > should we expect L1D_FLUSH to take? As I mentioned in the commit message, this is not addressing any specific exploit. It is removing any side effects from a failed system call in the L1 cache. > > ISTM that, if we have a situation where the L1D can be read by user > code, we lose, via hyperthreading, successful syscalls, /dev/random, > and may other vectors. This seems like a small mitigation at a > rather > large cost. I pinned an evil task to one hyperthread that just caused L1 flushes by issuing failed system calls. On the other hyperthread, I ran a performance benchmark (sysbench). I did not see any difference between the baseline and the kernel with the patch applied. Is there a more appropriate test you'd be interested in seeing the results of? I'd be happy to design a different test.