Received: by 2002:ad5:4acb:0:0:0:0:0 with SMTP id n11csp2407141imw; Sun, 17 Jul 2022 08:08:43 -0700 (PDT) X-Google-Smtp-Source: AGRyM1sQoN4dxXcLc8nsUOXQ5bzY9LUZJVCsZLUpupOlSbmq9EdqMlxwZQ51dKUY7YhcVHKuNBs2 X-Received: by 2002:a05:6402:524d:b0:43a:72fe:76b7 with SMTP id t13-20020a056402524d00b0043a72fe76b7mr32178492edd.398.1658070522998; Sun, 17 Jul 2022 08:08:42 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1658070522; cv=none; d=google.com; s=arc-20160816; b=R5yKVfuXcvdBV5aakcI4aInJ4PvPj+pBog6ddt+O2wsv710sfXIL3pODhmCf9ffvhP +1er9ZjN3+a6xMF+YggbQgl3Q3qaFAHUyN2Gr0zL9rqypPW7Lw11oPDkC4kO9Nxnjp5f QQkZQ6D+RvSdSgn5heED//UN08i+NxekOaKAVGx37BaA5IETcju/n4VWJJMeytMAdnns 9AxiLlEuMT4Y9FGL4Y+Srxpj3MmTg8nRVm8MTnHk2kKVSmu9ZS20eyeV87OsEiGDmDC2 FO7woQXs+OyaWdEgiTlPk4ed0dMyP7LzoAfsx/vWp+lryTXwWEKSMe0eSxAr6bI6W4kL Gsgg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:mime-version:message-id:date:references :in-reply-to:subject:cc:to:dkim-signature:dkim-signature:from; bh=ZVhjvDfDQixKqcv7rbnVPiugVbLq2QvYm/mTkodge1I=; b=ve9B/2GZvnRm/eReRKWqkAEELGcIJnuiBdZOoLaSbTOfUxEESnIQp5bywtljJtJlmI WlC6msm5jequivO3sbgWsSO+o8m6VUBQbG8pLAaCUyGJwWiPhOYk4s6XzjxTtMhvqx88 AV+NcGbV1WWSm1iI9jFj4xbcUrrlH6Mp68THCnlHftrrEKoKwgqJRy3TFF3AUILoE+Wh vPC8EUS8jHJBqrzg/DzgrXFYFub6XmRiUzi1QKVd4U8NUV34HtEybaFRxsu0INLhA4YX YQenDUsDNshj5q5dJauPVoHiMlTjxJsDHcekNIuYPvyljdlqKyPvSZvGFGP3SQCwDQOv Lh8Q== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@linutronix.de header.s=2020 header.b=yO+R1k7I; dkim=neutral (no key) header.i=@linutronix.de; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=linutronix.de Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id d16-20020a170906545000b007262944c626si9472355ejp.873.2022.07.17.08.08.17; Sun, 17 Jul 2022 08:08:42 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@linutronix.de header.s=2020 header.b=yO+R1k7I; dkim=neutral (no key) header.i=@linutronix.de; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=linutronix.de Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S232937AbiGQPHU (ORCPT + 99 others); Sun, 17 Jul 2022 11:07:20 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:44960 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S232503AbiGQPHQ (ORCPT ); Sun, 17 Jul 2022 11:07:16 -0400 Received: from galois.linutronix.de (Galois.linutronix.de [193.142.43.55]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 31FC013CF3 for ; Sun, 17 Jul 2022 08:07:15 -0700 (PDT) From: Thomas Gleixner DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linutronix.de; s=2020; t=1658070432; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: in-reply-to:in-reply-to:references:references; bh=ZVhjvDfDQixKqcv7rbnVPiugVbLq2QvYm/mTkodge1I=; b=yO+R1k7IAmxmGLlwA3VaJhLrNu0rmPQcohqXTZe7Eqw7dJcbBtJUjGRppfDIe8NMCH2+Wb B82IuhY/pAqUaw+JuWbiEqIyqf7VLK/xR+/t5aRyb4M3laweRxGJKlmozA45Spd8ALBWQ3 ANb/3I+GWvAUk1w9zOpV6A7TUIjPYNU8fqR7tA1u2oK1uvNpz8f6og0kK27NzsrwfMQ7XH G5RY0m5RP13PfTCH0mOTk8LQwvMQwe26D9s37v051ai9FYXXBE8BnjfS+6V26WaKUDA+IM 5njKtKUbuCD09Pv2jHNMXO4aCUqPEBxle38r2rc0bG3+4WzXhIEbJTicwQcQFA== DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/relaxed; d=linutronix.de; s=2020e; t=1658070432; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: in-reply-to:in-reply-to:references:references; bh=ZVhjvDfDQixKqcv7rbnVPiugVbLq2QvYm/mTkodge1I=; b=1aQOwYHwSGUsFr2pCujcNBrOw+S0gHyiAfH4CiOePnc5RhtApUfP78EZ5/z5YZ486EniRy QY6U9PXYGe9DttDA== To: David Laight , LKML Cc: "x86@kernel.org" , Linus Torvalds , Tim Chen , Josh Poimboeuf , Andrew Cooper , Pawan Gupta , Johannes Wikner , Alyssa Milburn , Jann Horn , "H.J. Lu" , Joao Moreira , Joseph Nuzman , Steven Rostedt , Juergen Gross , "Peter Zijlstra (Intel)" , Masami Hiramatsu , Alexei Starovoitov , Daniel Borkmann Subject: RE: [patch 00/38] x86/retbleed: Call depth tracking mitigation In-Reply-To: References: <20220716230344.239749011@linutronix.de> Date: Sun, 17 Jul 2022 17:07:11 +0200 Message-ID: <8735ezye00.ffs@tglx> MIME-Version: 1.0 Content-Type: text/plain X-Spam-Status: No, score=-4.4 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_MED,SPF_HELO_NONE, SPF_PASS autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Sun, Jul 17 2022 at 09:45, David Laight wrote: > From: Thomas Gleixner >> >> 3) Utilize the retbleed return thunk mechanism by making the jump >> target run-time configurable. Add the accounting counterpart and >> stuff RSB on underflow in that alternate implementation. > > What happens to indirect calls? > The above would imply that they miss the function entry thunk, but > get the return one. > Won't this lead to mis-counting of the RSB? That's accounted in the indirect call thunk. This mitigation requires retpolines enabled. > I also thought that retpolines would trash the return stack? No. They prevent that the CPU misspeculates an indirect call due to a mistrained BTB. > Using a single retpoline thunk would pretty much ensure that > they are never correctly predicted from the BTB, but it only > gives a single BTB entry that needs 'setting up' to get mis- > prediction. BTB != RSB The intra function call in the retpoline is of course adding a RSB entry which points to the speculation trap, but that gets popped immediately after that by the return which goes to the called function. But that does not prevent the RSB underflow problem. As I described the RSB is a stack with depth 16. Call pushs, ret pops. So if speculation is ahead and emptied the RSB while speculating down the rets then the next speculated RET will fall back to other prediction mechanism which is what the SKL specific retbleed variant exploits via BHB mistraining. > I'm also sure I managed to infer from a document of instruction > timings and architectures that some x86 cpu actually used the BTB > for normal conditional jumps? That's relevant to the problem at hand in which way? Thanks, tglx