Received: by 2002:ac0:aa62:0:0:0:0:0 with SMTP id w31-v6csp1476628ima;
        Sun, 21 Oct 2018 12:39:06 -0700 (PDT)
X-Google-Smtp-Source: ACcGV61dKAVTQvWPQbi0flYcdOMwpAtJS7JC8vLJarbrCLCQJFVvDvgbalP/opSMaNHMUMxbyq7r
X-Received: by 2002:a17:902:76cb:: with SMTP id j11-v6mr41680040plt.258.1540150746492;
        Sun, 21 Oct 2018 12:39:06 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1540150746; cv=none;
        d=google.com; s=arc-20160816;
        b=GWALfuc1pxQCP+CL6Pg2d9inF0FFlMj+cSukGJ18OaLJ5yBRn6ID6sLyALGMsoCXaj
         mRXya/yi11j4WzTDV83K9C4irrlWlB0ODPHMdRwA/lGEt6bsHG8f8yLNorT/7YTTyfZ0
         PgDeshcEZjurhyaCwp0oOrH+ZB8nC4hS86984D96Cq7mzxBimX4fk4CtyT0Si/mRbdk1
         +eXuIhHJkzFS7arAtHV2PMHecGXe5otF0qutU8X2771V3sZqyrJorj4VM+/y3DXC6qBv
         NCKpOJ6Ahe2qKrWWrv6OBxZLZgoP1kv0CxGa1uez77ydDvMYgB5lGYVAO363E6Pi5LVx
         gltQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:user-agent:in-reply-to
         :content-disposition:mime-version:references:message-id:subject:cc
         :to:from:date;
        bh=jhvLl3DXyuJQXrM/xPg7lnewhsE/dSDqws/7pfhMz7Y=;
        b=W6g4paJcFE9htsMTPEu5Q75sTQ+jCueihLFZ2f28dc5UzJaBijLMQEP5xqxx9tuHdT
         QxZ4Jt5uBxnMj1DtgPXgCueKpuW5ebAJtwZkvzjc3FELrgr49tUWjXxK0geM8rXCJlOa
         ACVoP8kA5L7LFu6bzEl1/IEiKQk7dlyD8NRYZXBnHgY9LYqqUqZf706TniLYnvpmY9oC
         V1AviPXFwY2hSGmjt0Bq3Rm/2gv0BTTlB9fDdAU5TSrFOq8qcFjbCx50KcZuL0Rl1+co
         O9fILz0uqgs+hLe+v/DBta+KGXRpbSoGgZV70sEX3KMbQ+M23dwOhPgt1dsFK1Ty4ezp
         NnpQ==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id d1-v6si22026297pld.217.2018.10.21.12.38.50;
        Sun, 21 Oct 2018 12:39:06 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1728017AbeJVDxv (ORCPT <rfc822;gklkml16@gmail.com> + 99 others);
        Sun, 21 Oct 2018 23:53:51 -0400
Received: from atrey.karlin.mff.cuni.cz ([195.113.26.193]:40241 "EHLO
        atrey.karlin.mff.cuni.cz" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1727323AbeJVDxv (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Sun, 21 Oct 2018 23:53:51 -0400
Received: by atrey.karlin.mff.cuni.cz (Postfix, from userid 512)
        id BF59D80703; Sun, 21 Oct 2018 21:38:26 +0200 (CEST)
Date:   Sun, 21 Oct 2018 21:38:27 +0200
From:   Pavel Machek <pavel@ucw.cz>
To:     Jiri Kosina <jikos@kernel.org>
Cc:     Thomas Gleixner <tglx@linutronix.de>,
        Ingo Molnar <mingo@redhat.com>,
        Peter Zijlstra <peterz@infradead.org>,
        Josh Poimboeuf <jpoimboe@redhat.com>,
        Andrea Arcangeli <aarcange@redhat.com>,
        "Woodhouse, David" <dwmw@amazon.co.uk>,
        Andi Kleen <ak@linux.intel.com>,
        Tim Chen <tim.c.chen@linux.intel.com>,
        "Schaufler, Casey" <casey.schaufler@intel.com>,
        linux-kernel@vger.kernel.org, x86@kernel.org
Subject: Re: [PATCH v5 1/2] x86/speculation: apply IBPB more strictly to
 avoid cross-process data leak
Message-ID: <20181021193827.GB26042@amd>
References: <nycvar.YFH.7.76.1809101119280.15880@cbobk.fhfr.pm>
 <nycvar.YFH.7.76.1809101123020.15880@cbobk.fhfr.pm>
MIME-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha1;
        protocol="application/pgp-signature"; boundary="z6Eq5LdranGa6ru8"
Content-Disposition: inline
In-Reply-To: <nycvar.YFH.7.76.1809101123020.15880@cbobk.fhfr.pm>
User-Agent: Mutt/1.5.23 (2014-03-12)
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org


--z6Eq5LdranGa6ru8
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

Hi!

> In order to minimize the performance impact (for usecases that do require
> spectrev2 protection), issue the barrier only in cases when switching bet=
ween
> processess where the victim can't be ptraced by the potential attacker (a=
s in
> such cases, the attacker doesn't have to bother with branch buffers
> at all).

Testing if attacker can ptrace victim is very good approximation, and
certainly better than "dumpable" check, but it is still not correct.

Imagine JIT running evil code (flash, javascript). JIT will prevent
evil code from doing ptrace() (or maybe there is syscall filter in
effect or something like that), but if evil code can poison branch
buffers and do timings, security problem stays.

Do we need prctl(I_DONT_RUN_EVIL_CODE)?

Or maybe we should just do barrier unconditionally for now?

									Pavel
--=20
(english) http://www.livejournal.com/~pavelmachek
(cesky, pictures) http://atrey.karlin.mff.cuni.cz/~pavel/picture/horses/blo=
g.html

--z6Eq5LdranGa6ru8
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: Digital signature

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iEYEARECAAYFAlvM1bMACgkQMOfwapXb+vLQNACgvHrW1v9BYJxo13RLG7e3893o
ipgAoK7W5/wQwYkC/UnIeWvPxJiyPv0l
=qIJa
-----END PGP SIGNATURE-----

--z6Eq5LdranGa6ru8--