Received: by 2002:a25:6193:0:0:0:0:0 with SMTP id v141csp1878984ybb;
        Sat, 21 Mar 2020 07:47:44 -0700 (PDT)
X-Google-Smtp-Source: ADFU+vvqXZhJTyXpOthsZuh/Qv6y5ZuxM9d2fmXty9g3hK/oohUtuLrgHc26d1yLTlSFUgDhkxle
X-Received: by 2002:aca:4243:: with SMTP id p64mr10821622oia.21.1584802064750;
        Sat, 21 Mar 2020 07:47:44 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1584802064; cv=none;
        d=google.com; s=arc-20160816;
        b=NCjd5induQzfGgN7/rOdusl5PYoAyjiTu4oh8SMA4btpH5nJnvT2UASM+Y4JP+rF6w
         vQQdz1jovpRjW6EqgxylsLl655EmljEJdGsRuEOxjuwU0Xhc82t6lQqETJOC4Tq1FwAH
         B7lcrGOxrAZlT8fzNwQJdDRq2qvTwS2QcieIxN0XJzlAGAcQyhtp+60Kju45zLyLZ+zv
         RexYi9u9Hmqk9P5rgYugDHrgzeJdMvmnZILVO4jjuHwWn+ZbTCR2G52vEn6FqluvuC6g
         8r51PVla7Tp5j8zf06SvnRDsKvn/+WXwVaesCl2Y1C0nHTYzPgksN6qR0UG1FyZurIkL
         KMjQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:mime-version:message-id:date:references
         :in-reply-to:subject:cc:to:from;
        bh=OZekDxmA7bCWeXHCKnDBGaiANf9TfR0ZvtUZtkv6eAs=;
        b=HstzxC5Kh0i9bD1vcDBouECuxyQVfMPXg4CQ7J5p2SbN+6x7zNPNPvR5b2bBm5B1CM
         1epO8x+2QWLVPyxEX62k1QXCPp4G8C6hnZ461UcNu71b0ULDabiINkRqaxeRISko2fkx
         /537TFpCjEOuaYWsd+UbmJ9zBK+9zjHU/i5Nduu3N6OFN7UAXsP/dCA6zJfjrkqlRtGe
         AtgxCsO3HN9bHckswMobGexq/dwkQc7KXcaacdaFxrNFXVOzdfZ8oHkf9yCDP1ba1nFo
         DI5ixfo0MMuJcnywv6megh7pWJTrY6rNps1x1r5HdPjJUb23WNOEDQrAzFiFBgizdR5o
         my7A==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id e8si4657221oif.218.2020.03.21.07.47.32;
        Sat, 21 Mar 2020 07:47:44 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1727133AbgCUOqg (ORCPT <rfc822;linuxbirdgao@gmail.com>
        + 99 others); Sat, 21 Mar 2020 10:46:36 -0400
Received: from Galois.linutronix.de ([193.142.43.55]:38824 "EHLO
        Galois.linutronix.de" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1726652AbgCUOqg (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Sat, 21 Mar 2020 10:46:36 -0400
Received: from p5de0bf0b.dip0.t-ipconnect.de ([93.224.191.11] helo=nanos.tec.linutronix.de)
        by Galois.linutronix.de with esmtpsa (TLS1.2:DHE_RSA_AES_256_CBC_SHA256:256)
        (Exim 4.80)
        (envelope-from <tglx@linutronix.de>)
        id 1jFfOQ-0004Ys-C2; Sat, 21 Mar 2020 15:46:30 +0100
Received: by nanos.tec.linutronix.de (Postfix, from userid 1000)
        id A798FFFC8D; Sat, 21 Mar 2020 15:46:29 +0100 (CET)
From:   Thomas Gleixner <tglx@linutronix.de>
To:     Andi Kleen <andi@firstfloor.org>, x86@kernel.org
Cc:     linux-kernel@vger.kernel.org, Andi Kleen <ak@linux.intel.com>,
        Kees Cook <keescook@chromium.org>,
        Andy Lutomirski <luto@amacapital.net>,
        Will Drewry <wad@chromium.org>
Subject: Re: [PATCH] x86/speculation: Allow overriding seccomp speculation disable
In-Reply-To: <20200312231222.81861-1-andi@firstfloor.org>
References: <20200312231222.81861-1-andi@firstfloor.org>
Date:   Sat, 21 Mar 2020 15:46:29 +0100
Message-ID: <87sgi1rcje.fsf@nanos.tec.linutronix.de>
MIME-Version: 1.0
Content-Type: text/plain
X-Linutronix-Spam-Score: -1.0
X-Linutronix-Spam-Level: -
X-Linutronix-Spam-Status: No , -1.0 points, 5.0 required,  ALL_TRUSTED=-1,SHORTCIRCUIT=-0.0001
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

Andi Kleen <andi@firstfloor.org> writes:

Cc+: Seccomp maintainers ....

> From: Andi Kleen <ak@linux.intel.com>
>
> seccomp currently force enables the SSBD and IB mitigations,
> which disable certain features in the CPU to avoid speculation
> attacks at a performance penalty.
>
> This is a heuristic to detect applications that may run untrusted code
> (such as web browsers) and provide mitigation for them.
>
> At least for SSBD the mitigation is really only for side channel
> leaks inside processes.
>
> There are two cases when the heuristic has problems:
>
> - The seccomp user has a superior mitigation and doesn't need the
> CPU level disables. For example for a Web Browser this is using
> site isolation, which separates different sites in different
> processes, so side channel leaks inside a process are not
> of a concern.
>
> - Another case are seccomp users who don't run untrusted code,
> such as sshd, and don't really benefit from SSBD
>
> As currently implemented seccomp force enables the mitigation
> so it's not possible for processes to opt-in that they don't
> need mitigations (such as when they already use site isolation).
>
> In some cases we're seeing significant performance penalties
> of enabling the SSBD mitigation on web workloads.
>
> This patch changes the seccomp code to not force enable,

I'm sure I asked you to do

git grep "This patch" Documentation/process/

before.

> but merely enable, the SSBD and IB mitigations.
>
> This allows processes to use the PR_SET_SPECULATION prctl
> after running seccomp and reenable SSBD and/or IB
> if they don't need any extra mitigation.
>
> The effective default has not changed, it just allows
> processes to opt-out of the default.
>
> It's not clear to me what the use case for the force
> disable is anyways. Certainly if someone controls the process,
> and can run prctl(), they can leak data in all kinds of
> ways anyways, or just read the whole memory map.
>
> Longer term we probably need to discuss if the seccomp heuristic
> is still warranted and should be perhaps changed. It seemed
> like a good idea when these vulnerabilities were new, and
> no web browsers supported site isolation. But with site isolation
> widely deployed -- Chrome has it on by default, and as I understand
> it, Firefox is going to enable it by default soon. And other seccomp
> users (like sshd or systemd) probably don't really need it.
> Given that it's not clear the default heuristic is still a good
> idea.
>
> But anyways this patch doesn't change any defaults, just
> let's applications override it.

It changes the enforcement and I really want the seccomp people to have
a say here.

Thanks,

        tglx

> Signed-off-by: Andi Kleen <ak@linux.intel.com>
> ---
>  arch/x86/kernel/cpu/bugs.c | 4 ++--
>  1 file changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c
> index ed54b3b21c39..f15ae9bfd7ad 100644
> --- a/arch/x86/kernel/cpu/bugs.c
> +++ b/arch/x86/kernel/cpu/bugs.c
> @@ -1215,9 +1215,9 @@ int arch_prctl_spec_ctrl_set(struct task_struct *task, unsigned long which,
>  void arch_seccomp_spec_mitigate(struct task_struct *task)
>  {
>  	if (ssb_mode == SPEC_STORE_BYPASS_SECCOMP)
> -		ssb_prctl_set(task, PR_SPEC_FORCE_DISABLE);
> +		ssb_prctl_set(task, PR_SPEC_DISABLE);
>  	if (spectre_v2_user == SPECTRE_V2_USER_SECCOMP)
> -		ib_prctl_set(task, PR_SPEC_FORCE_DISABLE);
> +		ib_prctl_set(task, PR_SPEC_DISABLE);
>  }
>  #endif
>  
> -- 
> 2.24.1