Received: by 2002:ad5:474a:0:0:0:0:0 with SMTP id i10csp2021001imu; Sun, 18 Nov 2018 13:58:56 -0800 (PST) X-Google-Smtp-Source: AJdET5exbGnw1aDuHHOaJBbUnnwG4/A/KJrYp+x4r/MavhNb+U49daks+qsqmT9+9Utz6S7OQDh3 X-Received: by 2002:a17:902:9a42:: with SMTP id x2-v6mr11876872plv.126.1542578336037; Sun, 18 Nov 2018 13:58:56 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1542578335; cv=none; d=google.com; s=arc-20160816; b=LftqRCt7tM2EgOu1vh+6PuKVhlwpARZGnm4YEJ76XuSMcwWG/ogv0Yb/bCy/cQGiQM jaDy7OMo/anEqYyfywaE2wdmHklIactIIWN9HtX92+lxR0hGGeALViTE0DzePKXYc5au lKR4RPWju3DEqFffsbx1SRgwuU5hDqSzHzF0s0pSXIhoROA5HzTMxcfTLNJ0M9JZfIBQ vBuIurWbR91k+eiKM1yT5Z/cxcaKxivGn12Ud9gr7mrdn/PNFWqacRDtnzr/dibLTPxZ LjiLjGfTt2YGwQaTG3Jm1KwxjJZ3N+2q1vzc6luQpASHVS2+Nn93Fo4yUmfnyec0//WC 0AKA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:mime-version:user-agent:references :message-id:in-reply-to:subject:cc:to:from:date; bh=il9+RRyyF1np1V00wh67gktxL4zX00mWWM3b7osVajY=; b=ERs1maORulgQ3H0hwosrCvqjje3MSpCIojbEke43efupZbm0lJ50VypVxSDgJ68o6R KgL4D3L8tWCJNJyPng+MXqnvk5TiYTWsFBBpmlcnPOzNmhCMJLmsrfj7xaXNzK3hz93y z3XY3fa1kmtZ8/j56t5P7cy5SpMV9C3YQNNo6DshHhMx91gLcNVRIdK9+doEE6OvHMi8 8jVeOoB0aq+dlJ0asjklu2F+/IQcjqcPC7eKvDrT8nC1xy9MH63t48V9GrzTMb/L5oio aTikLTHHOQelbor9QVixYwx2u7grf0L+UjMrddzZa3J5+0BjNjZNYvKa8Yz8nWmxwajt dHbg== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id g6si24224924pgr.472.2018.11.18.13.58.18; Sun, 18 Nov 2018 13:58:55 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727281AbeKSILQ (ORCPT + 99 others); Mon, 19 Nov 2018 03:11:16 -0500 Received: from mx2.suse.de ([195.135.220.15]:44472 "EHLO mx1.suse.de" rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP id S1725826AbeKSILQ (ORCPT ); Mon, 19 Nov 2018 03:11:16 -0500 X-Virus-Scanned: by amavisd-new at test-mx.suse.de Received: from relay2.suse.de (unknown [195.135.220.254]) by mx1.suse.de (Postfix) with ESMTP id 8DC7EAE87; Sun, 18 Nov 2018 21:49:45 +0000 (UTC) Date: Sun, 18 Nov 2018 22:49:44 +0100 (CET) From: Jiri Kosina To: Linus Torvalds cc: Thomas Gleixner , Peter Zijlstra , Josh Poimboeuf , Andrea Arcangeli , David Woodhouse , Andi Kleen , Tim Chen , Casey Schaufler , Linux List Kernel Mailing , the arch/x86 maintainers , stable@vger.kernel.org Subject: Re: STIBP by default.. Revert? In-Reply-To: Message-ID: References: User-Agent: Alpine 2.21 (LSU 202 2017-01-01) MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Sun, 18 Nov 2018, Linus Torvalds wrote: > This was marked for stable, and honestly, nowhere in the discussion > did I see any mention of just *how* bad the performance impact of this > was. Frankly, I ran some benchmarks myself, and am seeing very, very varying/noisy results, which were rather inconclusive across the individual workloads. The article someone pointed me to at Phoronix yesterday also was talking about something between 3% and 20% IIRC. > When performance goes down by 50% on some loads, people need to start > asking themselves whether it was worth it. It's apparently better to > just disable SMT entirely, which is what security-conscious people do > anyway. > > So why do that STIBP slow-down by default when the people who *really* > care already disabled SMT? BTW for them, there is no impact at all. And they probably did it because of crypto libraries being implemented in a way that their observable operation depends on value of the secrets (tlbleed etc), but this is being fixed in the said crypto code. STIBP is only activated on systems with HT on; plus odds are that people who don't care about spectrev2 already have 'nospectre_v2' on their command-line, so they are fine as well. > I think we should use the same logic as for L1TF: we default to > something that doesn't kill performance. Warn once about it, and let > the crazy people say "I'd rather take a 50% performance hit than > worry about a theoretical issue". So, I think it's as theoretical as any other spectrev2 (only with the extra "HT" condition added on top). Namely, I think that scenarios such as "one browser tab's javascript is attacking other browser's tab private data on a sibling" is rather a practical one, I've seen such demos (not with the sibling condition being in place, but I don't think that matters that much). The same likely holds for server threads serving individual requests in separate threads, etc (but yeah, you need to have proper gadgets there in place already in server's .text, which makes it much less practical). For L1TF, the basic argument AFAICS was, that the default situation is "only special people care about strict isolation between VMs". But this is isolation between individual processess. Tim is currently working [1] on a patchset on top of my original STIBP-enabling commit, that will make STIBP to be used in much smaller number of cases (taking prctl()-based aproach as one of the possible ones, similarly as we did for SSBD), and as I indicated in that thread, I think it should be really considered for this -rc cycle still if it lands in tip in a reasonable future. To conclude -- I am quite happy that this finally started to move (although it's sad that some of it is due to clickbaity article titles, but whatever), as Intel didn't really provide any patch / guidance (*) in past ~1 year to those who care about spectrev2 isolation on HT, which is something I wasn't really feeling comfortable with, and that's why I submitted the patch. If we make it opt-in (on kernel cmdline) and issue big fat warning if not mitigated, fine, but then we're bit incosistent how we deal with cross-core (IBPB) and cross-thread (STIBP) spectrev2 security in the kernel code. If we take Tim's aproach, even better -- there would be means available to make system secure, although not sacrifying performance by default. I would not prefer going the plain revert path though, as that leaves no other option to mitigate rather than turning SMT off, which might possibly have even *worse* performance numbers depending on workload. [1] https://lore.kernel.org/lkml/?q=cover.1542418936.git.tim.c.chen%40linux.intel.com (*) no code to implement STIBP sanely, no recommendation about turning SMT off at least for some workloads Thanks, -- Jiri Kosina SUSE Labs