From: Jim Mattson
Date: Fri, 15 Jul 2022 13:40:03 -0700
Subject: Re: Retbleed (RSBA vs BTC)
To: Andrew Cooper
Cc: LKML
X-Mailing-List: linux-kernel@vger.kernel.org

On Thu, Jul 14, 2022 at 6:07 PM Andrew Cooper wrote:
>
> On 15/07/2022 01:29, Jim Mattson wrote:
> > What is the value in conflating the Intel and AMD findings under the
> > same moniker (arch/x86/kernel/cpu/common.c)? The vulnerabilities seem
> > quite different to me.
>
> They are entirely different, beyond the fact that they both pertain to
> the `ret` instruction.

BTC affects much more than just the 'ret' instruction.

> Suffice it to say that I tried very hard to prevent this confusion...
>
> > The Intel CPUs tagged with RETBLEED should already report RSBA. The
> > paper just highlights this previously disclosed vulnerability. Or are
> > there Intel CPUs subject to Retbleed that don't report RSBA, and I'm
> > just confused?
>
> There are CPUs which suffer from RSBA, that don't have MSR_ARCH_CAPS and
> therefore can't enumerate it.
>
> IIRC, MSR_ARCH_CAPS only appeared with Cascade Lake (or thereabouts), so
> the earlier Skylake CPUs (which are the majority subject of "Intel
> Retbleed") lack the RSBA enumeration.

Ah, right. I was thinking that we got IA32_ARCH_CAPABILITIES on older
parts with microcode updates, but I was mistaken.

> > On the AMD side, however, Branch Type Confusion is a much bigger deal.
> > All instructions are subject to steering by BTI, not just returns with
> > an empty RSB.
> >
> > Don't these two vulnerabilities deserve separate names (and don't we
> > already have a name for the first one)?
> >
> > Tangentially, I believe that the following line is wrong:
> > VULNBL_INTEL_STEPPINGS(SKYLAKE_X, X86_STEPPING_ANY, MMIO | RETBLEED),
> >
> > Steppings 5, 6, and 7 are "Cascade Lake," with eIBRS, and I don't
> > think Cascade Lake suffers from RSBA.
>
> As documented, Cascade Lake does suffer RSBA when eIBRS isn't active, so
> it's not a binary affliction state.

Is there no value in separating RRSBA from RSBA? Per Table 1 in Intel's
"Return Stack Buffer Underflow" technical paper, Cascade Lake exhibits
RRSBA behavior, but not RSBA behavior.
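The exchange above turns on three enumeration facts: whether a part has IA32_ARCH_CAPABILITIES at all (CPUID.(EAX=7,ECX=0):EDX[29]), whether that MSR reports RSBA (bit 2) versus RRSBA (bit 19), and which steppings of family 6 model 0x55 (SKYLAKE_X) are Cascade Lake. The following is an added example, not code from this thread or from the Linux kernel, that decodes those three things the way a host-inventory or hardening check would. The bit positions and the MSR address 0x10a are taken from Intel's published IA32_ARCH_CAPABILITIES definition; the model 0x55 / stepping 5-7 split follows Jim's statement; the `/dev/cpu/0/msr` path is the Linux msr driver and needs root; the CPUID signature `0x50657` used as a fallback is a constructed sample.

```c
#include <stdint.h>
#include <stdio.h>
#include <fcntl.h>
#include <unistd.h>
#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>
#endif

/* Bit positions from Intel's IA32_ARCH_CAPABILITIES definition (MSR 0x10a). */
#define MSR_IA32_ARCH_CAPABILITIES   0x10aU
#define ARCH_CAP_IBRS_ALL            (1ULL << 1)   /* enhanced IBRS supported */
#define ARCH_CAP_RSBA                (1ULL << 2)   /* RSB Alternate behavior */
#define ARCH_CAP_RRSBA               (1ULL << 19)  /* Restricted RSB Alternate */
/* CPUID.(EAX=7,ECX=0):EDX[29]: the MSR exists at all. */
#define CPUID7_EDX_ARCH_CAPABILITIES (1U << 29)

enum rsba_state {
    RSBA_NOT_ENUMERABLE, /* no MSR_ARCH_CAPS: e.g. pre-Cascade Lake Skylake */
    RSBA_NONE,           /* neither bit set */
    RSBA_RESTRICTED,     /* RRSBA only: alternate return predictors in certain
                            conditions when eIBRS is enabled */
    RSBA_UNRESTRICTED    /* RSBA: alternate predictors on RSB underflow */
};

/* Family/model/stepping from CPUID leaf 1 EAX (extended model applies to family 6/15). */
unsigned x86_model(uint32_t eax)
{
    unsigned family = (eax >> 8) & 0xf;
    unsigned model  = (eax >> 4) & 0xf;
    if (family == 6 || family == 15)
        model |= ((eax >> 16) & 0xf) << 4;
    return model;
}

unsigned x86_stepping(uint32_t eax) { return eax & 0xf; }

int cpuid7_enumerates_arch_caps(uint32_t leaf7_edx)
{
    return (leaf7_edx & CPUID7_EDX_ARCH_CAPABILITIES) != 0;
}

/* RSBA and RRSBA are separate bits; report the stronger (unrestricted) one first. */
enum rsba_state classify_rsba(int has_arch_caps, uint64_t arch_caps)
{
    if (!has_arch_caps)
        return RSBA_NOT_ENUMERABLE;
    if (arch_caps & ARCH_CAP_RSBA)
        return RSBA_UNRESTRICTED;
    if (arch_caps & ARCH_CAP_RRSBA)
        return RSBA_RESTRICTED;
    return RSBA_NONE;
}

/* SKYLAKE_X is family 6 model 0x55; steppings 5, 6 and 7 are Cascade Lake (per the thread). */
int skylake_x_is_cascade_lake(unsigned model, unsigned stepping)
{
    return model == 0x55 && stepping >= 5 && stepping <= 7;
}

/* Best-effort read through the Linux msr driver (needs root and the msr module). 0 on success. */
int read_arch_caps_msr(uint64_t *out)
{
    int fd = open("/dev/cpu/0/msr", O_RDONLY);
    if (fd < 0)
        return -1;
    ssize_t n = pread(fd, out, sizeof *out, MSR_IA32_ARCH_CAPABILITIES);
    close(fd);
    return n == (ssize_t)sizeof *out ? 0 : -1;
}

static const char *rsba_name(enum rsba_state s)
{
    switch (s) {
    case RSBA_NOT_ENUMERABLE: return "not enumerable (no MSR_ARCH_CAPS)";
    case RSBA_NONE:           return "neither RSBA nor RRSBA";
    case RSBA_RESTRICTED:     return "RRSBA only";
    default:                  return "RSBA";
    }
}

int main(void)
{
    uint32_t eax1 = 0x50657; /* constructed Cascade Lake signature; overwritten on x86 */
    uint32_t edx7 = 0;
#if defined(__x86_64__) || defined(__i386__)
    unsigned a, b, c, d;
    if (__get_cpuid(1, &a, &b, &c, &d))
        eax1 = a;
    if (__get_cpuid_count(7, 0, &a, &b, &c, &d))
        edx7 = d;
#endif
    unsigned model = x86_model(eax1), stepping = x86_stepping(eax1);
    printf("model 0x%x stepping %u: %s\n", model, stepping,
           skylake_x_is_cascade_lake(model, stepping) ? "Cascade Lake" : "not Cascade Lake");

    int has = cpuid7_enumerates_arch_caps(edx7);
    uint64_t caps = 0;
    if (has && read_arch_caps_msr(&caps) != 0) {
        printf("MSR_ARCH_CAPS enumerated but not readable here (root + msr module needed)\n");
        return 0;
    }
    printf("RSBA state: %s\n", rsba_name(classify_rsba(has, caps)));
    return 0;
}
```

Run as root on a Cascade Lake host this prints the RRSBA-only result Jim cites from Intel's table; on a Skylake part without the MSR it reports "not enumerable", which is the case Andrew describes where the hardware suffers RSBA but cannot say so. Note that the MSR describes hardware behavior only; whether eIBRS is actually active (IA32_SPEC_CTRL.IBRS set by the OS), which is what "RSBA when eIBRS isn't active" hinges on, is a separate runtime check.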