Received: by 2002:ad5:474a:0:0:0:0:0 with SMTP id i10csp8603936imu; Tue, 4 Dec 2018 10:59:36 -0800 (PST) X-Google-Smtp-Source: AFSGD/VeET6NY+eeSMKX2gx+i0zOSFZ0llEbPa05VzaEN/NyjIsJAYGkl6vFjQf8i3lUVymqny8t X-Received: by 2002:a17:902:6b09:: with SMTP id o9mr21079147plk.208.1543949976171; Tue, 04 Dec 2018 10:59:36 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1543949976; cv=none; d=google.com; s=arc-20160816; b=ZGyQoSfFdbfmrL4dHjSStU/GeIh6IMiky5P4JFwkUhWoU2OLj66URXhd59DiEeNjlg +zbwPFIyhM2smZK45CO5zjLzdY59VLzhz0856gBQsthbtqj38IXJzOYSt3iKntBvy0rv 1kte5FzKLmf8FL5T67KA5TGjV7xkSmyAjN4ok0bn4Tk7s/Nn9NQgulXJ4xmNFqU0pH7N 8ZtmH9txvyzE7PCszXwkPRAcv8ZNwmaI6nmgaBLIK+ghc0CnyRaR3SCDf58s7pjbOebQ 0/D8GIUIGQ04LGECyGZY1mcJVf3W7Cwl8/MaQLtaOlzhV1MLhy67R8kbqSVGbjeShHcB dfdg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding :content-language:in-reply-to:mime-version:user-agent:date :message-id:subject:autocrypt:openpgp:from:references:cc:to; bh=4soHgmIeFXdfZLLB25Hev8pytxbXtqt4leEv5SJCPnI=; b=Bmii7C1JG35mMndPYMF//SWgmEmB9tt/uaS7v0HUDZdAuETnsDAmeCGaPE9MTEXE+y RjwLZOADP9SqRrgi+qKf6ctQaMghYNg9Hzai0DGTeU3DC0qtUpxJQ6NCbg09zIyySHd1 8AkV/KrHvW4WdSwl8pCVJm8+ciQCNTSuprqdvt8HIDjivn0QfHMpnSRw7AoE9PvK/4v4 3Pr+UTrGeC0X64hWfw1mjGlUtZ71GKYfpdg25wMY5OdKhhZwi0ANvKI63Uf2cJR8dw5C DlRgL2gLaAiXf/9MWlyHKCmWPNmjAKONnDJ0BWIsu+ckWcDDEDFOGvS9fT/4I41c9Wsn jPGQ== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=intel.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id r197si21506752pfr.192.2018.12.04.10.59.21; Tue, 04 Dec 2018 10:59:36 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=intel.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726208AbeLDS6M (ORCPT + 99 others); Tue, 4 Dec 2018 13:58:12 -0500 Received: from mga18.intel.com ([134.134.136.126]:40575 "EHLO mga18.intel.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1725797AbeLDS6M (ORCPT ); Tue, 4 Dec 2018 13:58:12 -0500 X-Amp-Result: SKIPPED(no attachment in message) X-Amp-File-Uploaded: False Received: from fmsmga001.fm.intel.com ([10.253.24.23]) by orsmga106.jf.intel.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 04 Dec 2018 10:58:11 -0800 X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="5.56,315,1539673200"; d="scan'208";a="127064811" Received: from schen9-desk.jf.intel.com (HELO [10.54.74.144]) ([10.54.74.144]) by fmsmga001.fm.intel.com with ESMTP; 04 Dec 2018 10:58:10 -0800 To: Linus Torvalds Cc: Thomas Gleixner , Linux List Kernel Mailing , the arch/x86 maintainers , Peter Zijlstra , Andrew Lutomirski , Jiri Kosina , thomas.lendacky@amd.com, Josh Poimboeuf , Andrea Arcangeli , David Woodhouse , Andi Kleen , dave.hansen@intel.com, Casey Schaufler , "Mallick, Asit K" , "Van De Ven, Arjan" , jcm@redhat.com, longman9394@gmail.com, Greg KH , david.c.stewart@intel.com, Kees Cook , jason.w.brandt@intel.com References: <20181125183328.318175777@linutronix.de> <20181125185006.051663132@linutronix.de> From: Tim Chen Openpgp: preference=signencrypt Autocrypt: addr=tim.c.chen@linux.intel.com; prefer-encrypt=mutual; keydata= xsFNBE6ONugBEAC1c8laQ2QrezbYFetwrzD0v8rOqanj5X1jkySQr3hm/rqVcDJudcfdSMv0 BNCCjt2dofFxVfRL0G8eQR4qoSgzDGDzoFva3NjTJ/34TlK9MMouLY7X5x3sXdZtrV4zhKGv 3Rt2osfARdH3QDoTUHujhQxlcPk7cwjTXe4o3aHIFbcIBUmxhqPaz3AMfdCqbhd7uWe9MAZX 7M9vk6PboyO4PgZRAs5lWRoD4ZfROtSViX49KEkO7BDClacVsODITpiaWtZVDxkYUX/D9OxG AkxmqrCxZxxZHDQos1SnS08aKD0QITm/LWQtwx1y0P4GGMXRlIAQE4rK69BDvzSaLB45ppOw AO7kw8aR3eu/sW8p016dx34bUFFTwbILJFvazpvRImdjmZGcTcvRd8QgmhNV5INyGwtfA8sn L4V13aZNZA9eWd+iuB8qZfoFiyAeHNWzLX/Moi8hB7LxFuEGnvbxYByRS83jsxjH2Bd49bTi XOsAY/YyGj6gl8KkjSbKOkj0IRy28nLisFdGBvgeQrvaLaA06VexptmrLjp1Qtyesw6zIJeP oHUImJltjPjFvyfkuIPfVIB87kukpB78bhSRA5mC365LsLRl+nrX7SauEo8b7MX0qbW9pg0f wsiyCCK0ioTTm4IWL2wiDB7PeiJSsViBORNKoxA093B42BWFJQARAQABzTRUaW0gQ2hlbiAo d29yayByZWxhdGVkKSA8dGltLmMuY2hlbkBsaW51eC5pbnRlbC5jb20+wsF+BBMBAgAoAhsD BgsJCAcDAgYVCAIJCgsEFgIDAQIeAQIXgAUCWfPBPgUJDyfxUQAKCRCiZ7WKota4SReFEACa 5ruzJM/hXJguHJY8i95rxHfLOgE7QoDgsR2aK2C1BSu84StTcT9BMikndQ0em28mpd1zROCs FvJ8Dzpp923699FU7s70+bFG9zIWtAOLWt2QyIMYImILzKkzkyLZo2RTcLNdUWS5fkAtjspQ QPg29W+kcbX1NhB6WDdbvk2HNeZoDh4A5ucOzKjEPqbSFIbw2Wt3RUmXxezjH1NzZG3fMkEN cT7JezYhUxvi2PrJlD+mo26q2/PQmFgF49tneRJXmYyie5o2+ClfFVO9I6Rd1k7hS9uXQLg3 udpnDKobNYZ7/+O5+ucp0Y/MwzTfBYmtJ5fBjUTi2L1RMDJee8WqCNY1VU6cQ8MD4KstxUp2 bxlSRAYaDtNa1Omr61E7BA1Cc2E3cIt/O1mMfudWUjCND8qrAtEnugqKjk5tJJZzmzIKSHPY dCiJtOBQaVAYYchXF2hwOKhpFS43V4FdWLlM1CnFXsmbk48hGbiA8XHU85JBCXmG0i4qUlKn x2ilChvq4A102ahnlGbEmFaSwxuqR/5lhai6lOkwHXDFUT6jblaSs24L3MTn/vXtvwaLEEKh SPzNaj7yFvEhrJoLiZmDm0SZuPbQ+wrmPWUbzyf5te2Oq0JyrHTQJoQqn+CwGqwF/JaUq60f VuUD3T0icgsfljsOA4apyH7kyfxXGP0hOM7BTQROjjboARAAx+LxKhznLH0RFvuBEGTcntrC 3S0tpYmVsuWbdWr2ZL9VqZmXh6UWb0K7w7OpPNW1FiaWtVLnG1nuMmBJhE5jpYsi+yU8sbMA 5BEiQn2hUo0k5eww5/oiyNI9H7vql9h628JhYd9T1CcDMghTNOKfCPNGzQ8Js33cFnszqL4I N9jh+qdg5FnMHs/+oBNtlvNjD1dQdM6gm8WLhFttXNPn7nRUPuLQxTqbuoPgoTmxUxR3/M5A KDjntKEdYZziBYfQJkvfLJdnRZnuHvXhO2EU1/7bAhdz7nULZktw9j1Sp9zRYfKRnQdIvXXa jHkOn3N41n0zjoKV1J1KpAH3UcVfOmnTj+u6iVMW5dkxLo07CddJDaayXtCBSmmd90OG0Odx cq9VaIu/DOQJ8OZU3JORiuuq40jlFsF1fy7nZSvQFsJlSmHkb+cDMZDc1yk0ko65girmNjMF hsAdVYfVsqS1TJrnengBgbPgesYO5eY0Tm3+0pa07EkONsxnzyWJDn4fh/eA6IEUo2JrOrex O6cRBNv9dwrUfJbMgzFeKdoyq/Zwe9QmdStkFpoh9036iWsj6Nt58NhXP8WDHOfBg9o86z9O VMZMC2Q0r6pGm7L0yHmPiixrxWdW0dGKvTHu/DH/ORUrjBYYeMsCc4jWoUt4Xq49LX98KDGN dhkZDGwKnAUAEQEAAcLBZQQYAQIADwIbDAUCVEAL2AUJC1VvawAKCRCiZ7WKota4SWWrD/9L 4H3kHUR9qPTfSpwFBV0+PspkpMQmRQ9cQauIRXL+qIqCYfx48Jz/WZkq47COhY4d1tAvX4qv lviIoCwShAHhVkxD2rWFpa6Yang7cyPDjS6sNChsZ9aTAP0zX4LLHN8ub5LwCcU9JA4Avwdy NDSeeSeqNq9QOvVd2bDmyHxgVv4zRgLTNPH28hXAnDODy0wCJWg53PWvlp35XfWdIsC0ZAPK vgA1Bh+FYYKfT8Uzj8J/SYH+chmeYMt+8Y+FZa+NybivWJg6+UaJ2fCTuKCc7TgqLneBudox izWQMnBso0tHOT6+ju+L+ewPWc0OrJdKJeadrE2T1E949vMup5jG0lJLeSpBNmELODNL0xz6 Erjs/pwX7cYGKUbJfBaQcC9frPfpWfSqnK5X+12HFDxAxquXKC4ejBJOhbo3xx0sziiPTC3m 4LvLkEa9evQNtMvRcnWY5qIC4YdT5waC0stYNpyCiBXpYArKYCmlra3xpgAe0MRL94PHU4UW yxxdxRubFYna9LeNcWL7C0w2ngg1jd0tjRjLnimrOL8rSVUzwjNSQOV37tWTueTr40M/SfjU B6bifflZQpeSY8IpqzKqB0vvxo2xD0rU7JqUh7rW8U6rg2JEzVgYiHS4cf/vJMHuauHAjH7a ys7DYlLhlOVo3o0jOor4xuZPrWbSp4w51sLBZQQYAQIADwIbDAUCWfPBJQUJDyfxOAAKCRCi Z7WKota4SZKQD/wLu3j8kgATic+wF3ekngjwPcW3JhbQJeHxUZwsb9OgVMHumlrZHGoltKQu FfAhG/sOfuAh5f7QMzzA1M+2JD1Q6lr74vUHNBu+xBFMgZstE6hpkKmn0pNZ5JS3iZRVRLBx dWw63DYr0GM80vmbHjAhwxoF2PsO2/PkWTc68+pFyl3Dy0heZSJii81hkzh8FnF8CaMH0VXu MJoWyuYgnC058hHj0QqXvlNx9LzMtmrsskTmPvwqXTgG/dTEfTkQ4RfX3enrBy55cg9tMc88 BEQ/0/JV1bCDwyWXKRpz6FsHbICGQ4G9TTD4pS5QJ+oRQccMjfiDM3rFTcG1RYP2lHXjSm9c 0VnimpQBz3LarrdHJilmTHbAWf5KLmtWfYXHrlncnhnCtw2nfwBBdy8cQW4tUyniSVRLOwGm eJziyuPJ5SVVZcil2oN5/o7js7BYAeAV/WVF2Sk/blnXaaObIYIVqnDhV4N0oUz1KXq1Leem Uvjo5rljmmhOBdgl6D0scXCWICbuuWN9eW2fZl38hBSI3M0MX0jnV2e+0FY+76iNmKadpTDw gY3OaQAZ/UlJVI+pRV4JtRrajtpo9Vb38SBPXwp9moWmwVQyIdFUXjCTQARvxjRsUoPVu9oA SCd9W74oOgrqC1hadvVU867d07PlWksfYwCeYP4bs+4GSLzI1w== Subject: Re: [patch V2 27/28] x86/speculation: Add seccomp Spectre v2 user space protection mode Message-ID: <84a1bd5c-bdc5-4902-d543-5b276f097d04@linux.intel.com> Date: Tue, 4 Dec 2018 10:58:10 -0800 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.1.0 MIME-Version: 1.0 In-Reply-To: Content-Type: text/plain; charset=utf-8 Content-Language: en-US Content-Transfer-Encoding: 8bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On 12/04/2018 09:20 AM, Linus Torvalds wrote: >> STIBP >> ^^^^^ >> Implementations of STIBP on existing Core-family processors (where STIBP >> functionality was added through a microcode update) work by disabling >> branch predictors that both: >> >> 1. Contain indirect branch predictions for both hardware threads, and >> 2. Do not contain a dedicated thread ID bit > > Honestly, it still feels entirely misguided to me. > > The above is not STIBP. It's just "disable IB". There's nothing "ST" about it. > > So on processors where there is no thread ID bit (or per-thread > predictors), Intel simply SHOULD NOT EXPOSE this at all. > > As it is, I refuse to call this shit "STIBP", because on current CPU's > that's simply a lie. > > Being "technically correct" is not an excuse. It's just lying. I would > really hope that we restrict the lying to politicians, and not do it > in technical documentation. > Linus, I consulted our HW architects to get their thinking behind the STIBP name and why it is exposed on CPUs without thread ID bit. 1) Why expose STIBP even when it is just a scratch bit? VM migration pools prefer that bits which guests have direct access to (as we recommend for IA32_SPEC_CTRL) do not cause #GP when they are migrated to different processors in order to prevent guests from crashing or require restricting VM migration targets. That is why we decided to allow the STIBP bit to be set and to return the last value written even on parts where it has no other effect (e.g. Atom parts without multithreading). There was also discomfort with allowing a bit to be set, to return the last value written, and to meet the architecturally documented behavior, but to not enumerate that it is supported. Not enumerating STIBP would make it more difficult for software to understand things like how the CPU does reserved bit checks. That is why we enumerate and support STIBP even when it affects no branch predictors. 2) Why did we not call STIBP "disable IB": * It does not disable all indirect branch predictors (on current Core), just a subset * It does not disable any indirect branch predictors (on future Core) * It does not disable any indirect branch predictors (on Atom parts with no SMT) * It does more than disable some indirect branch predictors (on some non-Core) 3) Philosophy for naming architectural bits. The microcode updates and future hardware changes do a variety of different micro-architectural behaviors in order to achieve the goals behind each MSR bit. This means that the names aren't the most descriptive for each individual project. Had we instead exposed the different functionality/behavior to software for each CPU then it would have been a model-specific feature, likely needing different software behavior for different CPUID family/model/stepping. This would have been painful for the OS, and even more painful for VMMs and VM migration pools. This is why we made these bits architectural and used a common name and definition across the projects. We don't object to the Linux community using an alternative name for STIBP (but not Disable IB), so long as it is accurate across our products. Changing our MSR name in the SDM seems like would it cause unneeded confusion and work. Thanks. Tim