Received: by 2002:a25:e7d8:0:0:0:0:0 with SMTP id e207csp4097011ybh; Tue, 17 Mar 2020 12:09:18 -0700 (PDT) X-Google-Smtp-Source: ADFU+vuOPwI/f0mvV7P8rcuNgeasfXyr/YvAT+lFjf1aLy+00YnojwQhuLGhbleZf4yffUkiTkHO X-Received: by 2002:a9d:7698:: with SMTP id j24mr683613otl.370.1584472157807; Tue, 17 Mar 2020 12:09:17 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1584472157; cv=none; d=google.com; s=arc-20160816; b=awTpa9Oa6nKFHpEMIfhBybENYl4zDg4TMLCxlyv9hSKBKFD0Biqlv2wGy1S+J9jhB4 bu7rGNQ94Gz2mQGDAVP8JCtocxzUiH+Tk54wqBwdQmIy0+YcCkQTwRiCvrLaBRNfsP3z T66NmXfnQTSqbZ6UdVzz/yrMPbUa3z7+YhonsmBK15Zw+pW4C9MDYw3Ev2kirNuIhBQ9 phDdiRf7kTaDtnTy3Gp7iBdA2iF5F5rYr82zBQ8A9bkKUIig2n84jPbVp2cpe82Ot97y +O2fm+Zrj6J+LG1OaafBj2ethuXPEbX/vL7yMiUtOvI8I7/KWAfq/oB5CT0oDqnoC1Yw 5Sxw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding :content-language:in-reply-to:mime-version:user-agent:date :message-id:references:cc:to:subject:from:ironport-sdr:ironport-sdr; bh=MmC5nBIaVShdKZvy34NRyZBRJowHMBTNKhloTJbGXJw=; b=kjnB27tA4sR6gg9pb3FotLS7GeVWCBAoc5HY3Cn4OW/vjFy5ba4ytzDVLXBGgGcRif 9R9R3c0sHeGmb9CytjRqKFphISmBCVJsxcslCaR4NedlOZSv1aghQQ5A/luTYuqbqIKD pW4b3+ApFcZbZ/ejqnCYQr5g0V3S0Yn/Zuk43mduqoIZVsWp5UiwJa7ozTEHZjcp9eX0 aAmBPLT45EmQOTzZLHCk+Xw5NP7tcYrMqMaGi++Ztx2yj8erke40PpSQtUFZo5Ko+fRX 7JH45Z86pOrdPUdUkoqWHtcqPnXJV86rUXbMKMFdJu7f2fthjNl2VS8ljQVAzZ/qioAs LRHQ== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=intel.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id 184si1972563oig.33.2020.03.17.12.09.05; Tue, 17 Mar 2020 12:09:17 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=intel.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726623AbgCQTHs (ORCPT + 99 others); Tue, 17 Mar 2020 15:07:48 -0400 Received: from mga01.intel.com ([192.55.52.88]:11723 "EHLO mga01.intel.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726494AbgCQTHs (ORCPT ); Tue, 17 Mar 2020 15:07:48 -0400 IronPort-SDR: h2UnIB6Mo8HiYrwzSIo8x64z8mNZr9crnGhdEAznRPDLyrSjwkLU0dN2kzYJQh6xzcMXpG6r8c CMHFDP87D7aQ== X-Amp-Result: SKIPPED(no attachment in message) X-Amp-File-Uploaded: False Received: from fmsmga001.fm.intel.com ([10.253.24.23]) by fmsmga101.fm.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 17 Mar 2020 12:07:47 -0700 IronPort-SDR: BNgwjUB08FpzBbWznhz+T+qyrbP+bGbCVf1DIlcszOOSQjd9SUhXOMNuMlLBHmwLqN4g/YqSJC XzLr0Sz6JYpw== X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="5.70,565,1574150400"; d="scan'208";a="355456537" Received: from rkarmazi-mobl1.amr.corp.intel.com (HELO schen9-mobl.amr.corp.intel.com) ([10.134.81.123]) by fmsmga001.fm.intel.com with ESMTP; 17 Mar 2020 12:07:43 -0700 From: Tim Chen Subject: Re: [RFC PATCH v4 00/19] Core scheduling v4 To: Joel Fernandes , Julien Desfossez , Peter Zijlstra Cc: Vineeth Remanan Pillai , Aubrey Li , Nishanth Aravamudan , Ingo Molnar , Thomas Gleixner , Paul Turner , Linus Torvalds , Linux List Kernel Mailing , Dario Faggioli , =?UTF-8?B?RnLDqWTDqXJpYyBXZWlzYmVja2Vy?= , Kees Cook , Greg Kerr , Phil Auld , Aaron Lu , Valentin Schneider , Mel Gorman , Pawan Gupta , Paolo Bonzini , "Luck, Tony" References: <3c3c56c1-b8dc-652c-535e-74f6dcf45560@linux.intel.com> <20200212230705.GA25315@sinkpad> <29d43466-1e18-6b42-d4d0-20ccde20ff07@linux.intel.com> <20200221232057.GA19671@sinkpad> <20200317005521.GA8244@google.com> Message-ID: Date: Tue, 17 Mar 2020 12:07:43 -0700 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Thunderbird/68.5.0 MIME-Version: 1.0 In-Reply-To: <20200317005521.GA8244@google.com> Content-Type: text/plain; charset=utf-8 Content-Language: en-US Content-Transfer-Encoding: 7bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Joel, > > Looks quite interesting. We are trying apply this work to ChromeOS. What we > want to do is selectively marking tasks, instead of grouping sets of trusted > tasks. I have a patch that adds a prctl which a task can call, and it works > well (task calls prctl and gets a cookie which gives it a dedicated core). > > However, I have the following questions, in particular there are 4 scenarios > where I feel the current patches do not resolve MDS/L1TF, would you guys > please share your thoughts? > > 1. HT1 is running either hostile guest or host code. > HT2 is running an interrupt handler (victim). > > In this case I see there is a possible MDS issue between HT1 and HT2. Core scheduling mitigates the userspace to userspace attacks via MDS between the HT. It does not prevent the userspace to kernel space attack. That will have to be mitigated via other means, e.g. redirecting interrupts to a core that don't run potentially unsafe code. > > 2. HT1 is executing hostile host code, and gets interrupted by a victim > interrupt. HT2 is idle. Similar to above. > > In this case, I see there is a possible MDS issue between interrupt and > the host code on the same HT1. The cpu buffers are cleared before return to the hostile host code. So MDS shouldn't be an issue if interrupt handler and hostile code runs on the same HT thread. > > 3. HT1 is executing hostile guest code, HT2 is executing a victim interrupt > handler on the host. > > In this case, I see there is a possible L1TF issue between HT1 and HT2. > This issue does not happen if HT1 is running host code, since the host > kernel takes care of inverting PTE bits. The interrupt handler will be run with PTE inverted. So I don't think there's a leak via L1TF in this scenario. > > 4. HT1 is idle, and HT2 is running a victim process. Now HT1 starts running > hostile code on guest or host. HT2 is being forced idle. However, there is > an overlap between HT1 starting to execute hostile code and HT2's victim > process getting scheduled out. > Speaking to Vineeth, we discussed an idea to monitor the core_sched_seq > counter of the sibling being idled to detect that it is now idle. > However we discussed today that looking at this data, it is not really an > issue since it is such a small window. > > My concern is now cases 1, 2 to which there does not seem a good solution, > short of disabling interrupts. For 3, we could still possibly do something on > the guest side, such as using shadow page tables. Any thoughts on all this? > + Tony who may have more insights on L1TF and MDS. Thanks. Tim