Received: by 2002:a25:6193:0:0:0:0:0 with SMTP id v141csp1777855ybb; Thu, 26 Mar 2020 07:11:46 -0700 (PDT) X-Google-Smtp-Source: ADFU+vvoyHr0d8pS5Zc81+ozlJ4dPGVvuV7zmSPfEpdlWwU4OPYouAwc8SGJWNEzzqGLxYYsc4Xl X-Received: by 2002:a4a:a88a:: with SMTP id q10mr4756728oom.17.1585231906480; Thu, 26 Mar 2020 07:11:46 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1585231906; cv=none; d=google.com; s=arc-20160816; b=j6BBPpkncZ/cHT6XUiY5tS7TiubTAEB8OxTAIHCIQ88odEpMHEfU0aD+Y6H8L8sMTx gETuYuCi4Pw/KDnNhhxon0ig9Z9yEgUSp/S1Z0glk8yJ7PZibUnmYCQsvAsGYoc4iIHX Llmu9qqi3UOSvQ7axjGDe7w2x6iTpAweUhFmIcd9aDF1CDJiVlYDuU+bUq+4cNfrLzTJ 8MkO1GBlTWpfyozI5P+SqiFvbHp3Mhc97y/gtVOe0Oozx4b3XONr2ggN6k/b8aPmIfZE UQpDC401urCKeSnlcvGQ93PgoRRrNUlXTPFJJ8Gsd3KUVlVLzcoTzmpSeND3AhHvK0er K0pg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:user-agent:in-reply-to :content-disposition:mime-version:references:message-id:subject:cc :to:from:date:dkim-signature; bh=J6BVYInrhdU+IPanPPeLyN3AefPS5mGR5R96qsQ/X7A=; b=0hXPQB9PK/CoUSNwXeXHhHDjx064AuhHnimoM6BSB+9azPHPNgwD+pZPH8M7Z/nWdt 8vFUuk1GBFfvEojjdpPrAKScOnZymSqe5yuYoZCn8QEaNleffV3rdkkJmlupWH7oroca f89v4jYkIrkr4aPtlt4uOQzFn0287NEvX8Q2IyCkoZMe1YmPQ3RISH9Uv8E7w6dklTnN 5XvT1JqxsGqilRjUpBDwrscQpfkg9bKyUMYIUk15IAUYrqIvKODdamFejTLn2TEHo3Vz SJTSSS37CrD7gD0wxVSWN0xw4W9gwzBEi93wc4MjWQichGRVP0r5rtbAKDBCLLRh/YKH EbgQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@firstfloor.org header.s=mail header.b="Atl/wt6R"; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id d20si992213oti.311.2020.03.26.07.11.32; Thu, 26 Mar 2020 07:11:46 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@firstfloor.org header.s=mail header.b="Atl/wt6R"; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727868AbgCZOKu (ORCPT + 99 others); Thu, 26 Mar 2020 10:10:50 -0400 Received: from one.firstfloor.org ([193.170.194.197]:35836 "EHLO one.firstfloor.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1725994AbgCZOKu (ORCPT ); Thu, 26 Mar 2020 10:10:50 -0400 Received: by one.firstfloor.org (Postfix, from userid 503) id F138E8733C; Thu, 26 Mar 2020 15:10:47 +0100 (CET) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=firstfloor.org; s=mail; t=1585231847; bh=gtlaDC8+1MnEKKvFmSZFeaFwgBKvGDYgeKA6K1fcej4=; h=Date:From:To:Cc:Subject:References:In-Reply-To:From; b=Atl/wt6RZcvoL6jy6Yt0O/5l4UWsejLFnQptGxZ8OnNjWuwJTtUBBJAn9kuDC+KIf SbqlXG+wt08q3iQJ5PjbEVXUBbO3Qg0ro2D0Gs2kr1mjrRJvrggCFDFgcP87nzfl0J brucGMzVB1TAm+GSsqPIjXfEgqD+DS3uvXV+lmf4= Date: Thu, 26 Mar 2020 07:10:47 -0700 From: Andi Kleen To: Kees Cook Cc: Thomas Gleixner , Andi Kleen , x86@kernel.org, linux-kernel@vger.kernel.org, Andi Kleen , Andy Lutomirski , Will Drewry Subject: Re: [PATCH] x86/speculation: Allow overriding seccomp speculation disable Message-ID: <20200326141046.giyacwh46bfcbvjy@two.firstfloor.org> References: <20200312231222.81861-1-andi@firstfloor.org> <87sgi1rcje.fsf@nanos.tec.linutronix.de> <202003211916.8078081E0@keescook> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <202003211916.8078081E0@keescook> User-Agent: NeoMutt/20170113 (1.7.2) Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org > The point of the defaults was to grandfather older seccomp users into > speculation mitigations. Newly built seccomp users can choose to disable > this with SECCOMP_FILTER_FLAG_SPEC_ALLOW when applying seccomp filters. > The rationale was that once a process knows how to manage its exposure, > it can choose to leave off the automatic enabling. I don't see any > mention of that method in the commit log, so if there is some reason > it's not workable, that would need to be discussed first. SECCOMP_FILTER_FLAG_SPEC_ALLOW doesn't completely solve the problem because it enables everything, including cross process defenses, like Spectre. The motivation of my patch was to only allow to disable SSBD, which is only relevant for in process attacks, which are completely mitigated by process isolation, which is now widely deployed. Completely mitigating Spectre (which could be cross process) is harder, and it doesn't have have as bad a performance impact as SSBD. > > And the force disable matches the design goals of seccomp: no applied > restrictions can be later relaxed for a process. I'm more in favor of It seems to me this design goal is not useful for speculation defenses. If an attacker can call prctl they don't need speculation attacks anymore, they can just read the memory directly. > changing the behavior of SPEC_STORE_BYPASS_CMD_AUTO, but probably not for > another 3 years at least. (To get us to at least 5 years since Meltdown, > which is relatively close to various longer LTS cycles.) The seccomp defenses are mainly for web browsers, whose life cycles have nothing to do with LTS cycles. Web browsers are updated much faster because of their bazillion other security holes. If someone doesn't update their web browser they are completely open to other attacks anyways. So we can assume they do, and the browsers usually enforce it in some way. I'm not aware of anything else that is not a browser that would rely on the seccomp heuristic. Are you? Anyways back to the opt-in: Anyways one way to keep your design goals would be to split the SECCOMP flags into flags for SSBD and SPECTRE. Then at least the web browser could reenable it -Andi