Received: by 2002:ac0:a582:0:0:0:0:0 with SMTP id m2-v6csp835818imm; Fri, 12 Oct 2018 07:28:21 -0700 (PDT) X-Google-Smtp-Source: ACcGV60M80RVBGlx7X3ffzWMv9JadDNT6xaKS80c/Psft1htgT9z9L2AE5vbxMyin7jogGHfi9+9 X-Received: by 2002:a17:902:15c5:: with SMTP id a5-v6mr6174242plh.137.1539354501342; Fri, 12 Oct 2018 07:28:21 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1539354501; cv=none; d=google.com; s=arc-20160816; b=fBmBO8LqVFU5eWIlMXC56Nif0XbBdCrhylm/Acu3vlNg7l9+9ZOSGMsFnBAuOMOjf9 FoC6uccAFoONHl2Ro+jVz0G7EOE6Kh8Xv4Fn2wIwxuIUsWwlSOyFeeG/gpA5W5NqTJIa UUJn7NJKQyWDbU6TTpzcZNv8qBofoxjTD2EFTm8y0LrIijblEmgoGHGBIaSBdIN+coSs mQprRyU/TId87xi3qfsLseL7HE5PyKTK09igJuFblnbkQ6fc/49m/fT5YctZKP3MF708 yaD38vPh2lOcIz+Jhe2jvqVjTl2EWLs6PTrvm1Wge3KS6Xxqwjm0mYPd5SWfaUAokgWB U2PQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding:mime-version :organization:references:in-reply-to:message-id:subject:cc:to:from :date; bh=Kv175zZLaOqgMt3BUz4QfEqjbGmyZ1mBvv570Ls9lT8=; b=g48HDRLN4vO3sDOnu9vTpXLttOZg6TmPZABHQLEsrkXIhc7cwWoLKiRRJhyOTO3QGP PszDT+OaYLuu45fJd9HF0R8AwdpfJaOzYUjm2GRJz1wsuCvYUFpvjuT96YR2yMGbvTnd GEcBw7iD9zBxqYX02FbAOZat0f1EyDKpZFGH5cR2vOF/UZUad9N3NjbqhEYUvDBQYo/G OO8RbPgu+rcYeHVexj4RRF10owoSrc/kgl+vWj5U9DreB1rPfW6vo0ZM0Ag84eiSpdpa BoDPaoamZVC1NC1jHudwqrXzUm6w2CH66qIQwyWS5HXkQuXBTK9zEID0UXOGoBHJjTzd SAtQ== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id s27-v6si1380218pgl.405.2018.10.12.07.28.06; Fri, 12 Oct 2018 07:28:21 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1728786AbeJLWA0 (ORCPT + 99 others); Fri, 12 Oct 2018 18:00:26 -0400 Received: from www.llwyncelyn.cymru ([82.70.14.225]:49600 "EHLO fuzix.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1728354AbeJLWA0 (ORCPT ); Fri, 12 Oct 2018 18:00:26 -0400 Received: from alans-desktop (82-70-14-226.dsl.in-addr.zen.co.uk [82.70.14.226]) by fuzix.org (8.15.2/8.15.2) with ESMTP id w9CEPFi9025556; Fri, 12 Oct 2018 15:25:15 +0100 Date: Fri, 12 Oct 2018 15:25:15 +0100 From: Alan Cox To: Andy Lutomirski Cc: Kees Cook , Kristen Carlson Accardi , Kernel Hardening , Thomas Gleixner , Ingo Molnar , Borislav Petkov , "H. Peter Anvin" , X86 ML , LKML Subject: Re: [PATCH] x86: entry: flush the cache if syscall error Message-ID: <20181012152515.1d816906@alans-desktop> In-Reply-To: References: <20181011185458.10186-1-kristen@linux.intel.com> Organization: Intel Corporation X-Mailer: Claws Mail 3.16.0 (GTK+ 2.24.32; x86_64-redhat-linux-gnu) MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org > But this really needs to be clarified. Alan said that a bunch of the > "yet another Spectre variant" attacks would have been mitigated by > this patch. An explanation of *how* would be in order. Today you have the situation where something creates a speculative disclosure gadget. So we run around and we try and guess where to fix them all with lfence. If you miss one then it leaves a trace in the L1D cache, which is what you measure. In almost every case we have looked at when you leave a footprint in the L1D you resolve to an error path so the syscall errors. In other words every time we fail to find a if (foo < limit) { gadget(array[foo]); } else return -EINVAL; we turn that from being an easy to use gadget into something really tricky because by the time the code flow has gotten back to the caller the breadcrumbs have been eaten by the L1D flush. The current process of trying to find them all with smatch and the like is a game of whack-a-mole that will go on for a long long time. In the meantime (and until the tools get better) it's nice to have an option that takes a totally non-hot path (the fast path change is a single test for >= 0) and provides additional defence in depth. They are not hot paths: when I started playing with this idea I did indeed strace my entire desktop for a day. There are couple of other cases I would add to the pass list (EAGAIN, EWOULDBLOCK)). Tracing other stuff you see the same - real world workloads simply don't generate vast spews of erroring syscalls. Look just how many examples we are still committing like de916736aaaadddbd6061472969f667b14204aa9 7b6924d94a60c6b8c1279ca003e8744e6cd9e8b1 46feb6b495f7628a6dbf36c4e6d80faf378372d4 55690c07b44a82cc3359ce0c233f4ba7d80ba145 This approach turns the ones we miss into if (type > = [speculatively create breadcrumb] condition resolves, return -EINVAL L1D flush No breadcrumbs At best you have a microscopic window to attack it on the SMT pair. Alan