Message-ID: <243f684d-93a3-3aa4-cfc7-cfc0f9fd53cd@intel.com>
Date:   Tue, 31 Jan 2023 18:10:10 -0800
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101
 Thunderbird/102.6.1
Subject: Re: [PATCH 3/7] x86/cpu: Disable kernel LASS when patching kernel
 alternatives
To:     Dave Hansen <dave.hansen@intel.com>,
        "Chen, Yian" <yian.chen@intel.com>, <linux-kernel@vger.kernel.org>,
        <x86@kernel.org>, Andy Lutomirski <luto@kernel.org>,
        Dave Hansen <dave.hansen@linux.intel.com>,
        Ravi Shankar <ravi.v.shankar@intel.com>,
        Tony Luck <tony.luck@intel.com>,
        Paul Lai <paul.c.lai@intel.com>
References: <20230110055204.3227669-1-yian.chen@intel.com>
 <20230110055204.3227669-4-yian.chen@intel.com>
 <693d8332-3b86-3dcf-fc87-5c3a08a752db@intel.com>
 <ad2da884-c8c8-bc57-e21f-452a08cb10cc@intel.com>
 <b9e73d06-bd95-7c54-3ff1-f9e43c9967a4@intel.com>
Content-Language: en-US
From:   Sohil Mehta <sohil.mehta@intel.com>
In-Reply-To: <b9e73d06-bd95-7c54-3ff1-f9e43c9967a4@intel.com>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 7bit
MIME-Version: 1.0
X-MS-Exchange-AntiSpam-MessageData-ChunkCount: 1
X-MS-Exchange-AntiSpam-MessageData-0: =?utf-8?B?MHJncmdwNTAzbVFYQWtvRVVTbkJmeUdOUWRNS1Y3cFFaTG5ZZWtsM2FSRi80?=
 =?utf-8?B?QU00bytRT2dIVG5RaGhKQ2VrOVpRVkF2akJBbXphQkkzS05Wc1I2QWJob096?=
 =?utf-8?B?QnJqdlR3amZHa1UwSEZrYllzZHRtbHZDa1RMcEtYTVMxTjJrMUZodlpsT2lO?=
 =?utf-8?B?RzlOa1ZUc1JDVUI5YWVtRlAxTDgwSnlDb1hsVktMa0h3L2RFbFViMk81c1NM?=
 =?utf-8?B?cVRjeEFWSVFMdXowUlhmQTFGTlJGaDZxazJ1Y1IvOXZFVkxlSVlmS2NBa3Ir?=
 =?utf-8?B?ZnVTNlV1azlXQno5b3V1NWdqT0dvdVE4b3hYdjR5RjZWZElUbUVkbW0yWjdW?=
 =?utf-8?B?akVXUE12aklaUGdSU3AzeWNQemVCbmZNM1o1TXgyZ1orZ2VJWEFqL0cxMmVa?=
 =?utf-8?B?N2tHZ2hTaHBGc0tZWWwvSTZwb1ZHV0daTzlTdVhTbFdiL3BSeStrVCtUWTdk?=
 =?utf-8?B?WXdCVFR4bUlJUHloSnBDdFY4bVVPS2FzbEVxMTlybGswbHVQTlQyQVI2MUVT?=
 =?utf-8?B?QXUycExWczZJYW5OVWRWNG9CelNqbjcwR2l2TTVKaXI4VG9SaGhRUTJhZkJt?=
 =?utf-8?B?NStvVFVya25vSHlHT0pranVOdFlUSVhOaGlzNk9ROENreDcxMVlRRTc4M091?=
 =?utf-8?B?cmVEdlcvZWVKTDhaamh6R0luRlZXMjdJTXhJbnNINUhOZ3VBVVlsR0dTd0Jz?=
 =?utf-8?B?Nk9wemNUY04ycFVZL1ZCT0c1bERqUGl5SVl1VGc4Q1EvbytQeWFaN2pKcFBr?=
 =?utf-8?B?b1ByTjljOSt1alloeE4ydVFmSFFwYVQ0Q01OUEZ3SUorQnYvU05iYXFiQW1s?=
 =?utf-8?B?bXBHaUczOUI2ZWFwRy9xMnJPRUFtVEk2QmdaUWZiOWsxKzJEN2d5RWdNQ0NJ?=
 =?utf-8?B?WG5VajJZdDB3QVpuSnp6MjlITXAyMEdJaTFwUnV4bmxNTUJGMGxBV2JrYlhM?=
 =?utf-8?B?dUgvQll3K0VXcHFVcWVRSVNBbDJtMDA2VGhjSlhsZnZLV1Fqa29qWm9MaEhT?=
 =?utf-8?B?cG1KWm9tQkFMNVJWbldIZHpRWEtJZllDZ0dWTEpmbWRxTTkxcHNkZ01nVFla?=
 =?utf-8?B?dUtUcnRBSjJaajRCMlIxRXJucXRtRDhiNFFFSXZqc2RoaWJndlJZQ0U0a0Rj?=
 =?utf-8?B?MDVTM1ZFSThCNHJicGxyVlI4bnZWYU5zTmxaQ3QyMkoyblBGQkJnUWRnTzVn?=
 =?utf-8?B?WGdkZU5KMHROSkswcCtzWXBNcFVoa296YnZQeXczQ2ZXUlVLeUFDZlBnbVh2?=
 =?utf-8?B?UkplRjMzR3VBS1IxUzBxOFJ1ZWxGV2Vob1UvSUc5dlcvZHlHVjR2c050aXk1?=
 =?utf-8?B?YjdaV2owSnltSXZvWUdKQklOd2xZR1ppcFB2OWZiTkxLQkhHVnRpTXZoejNE?=
 =?utf-8?B?KzVKaENXQnRWTW85aUdOVWlaUFd4SmF0c1BRZTY0VVRtRllXOHNqSHdTem5L?=
 =?utf-8?B?Nk5TQ0h4MG9DTlhSMkZZcmU1alY5cFMyelBmMVJqeEpKSmJmWE9kUUVTN3Rt?=
 =?utf-8?B?NEE2YXQ0NHJmOUIxOERsZzlCRGNMTG9Ra3FtRklncDU2MjVTUDFxYUFVMENw?=
 =?utf-8?B?Mzd5OWsrdmx5ZWhGUmRpUmpQZW0yTDA1M1RleHlZdDlnRitwOUpsUlo0d2xV?=
 =?utf-8?B?OG9ZS3Z0WGEyTTFla1VKT3VTNHBaYWU4VkV4QWp1Tmt4cGVianNzUlVOMk16?=
 =?utf-8?B?YzYzanhPZU1qTDJ4eGdzWlBUTnROckFOTzBXdmhNd3B5aEhmM3ZsOUVGMWFK?=
 =?utf-8?B?ZFBrcVphOU94aWlXN04vVjV0cUt2OTRmcXhhQUdnaUgzb1Z1akpzS2ZBZ29L?=
 =?utf-8?B?TmVOaGp1L1J6Sjg0NEl2VEdxdVpxZDZwSCtHeExZYnN0VGVJWkVPUlNGdzBi?=
 =?utf-8?B?OEw1VVcrRnhpbjcwbUtBNno4YmE3eWhLOHJmbWF3Wld6QjVLVkFGSUhSSWhh?=
 =?utf-8?B?dVJ1R2hCZ01EZTdUUjJ4czQzZStPY2VhRzJBR3J5bWVQSXRpNGNBRzU1UXJJ?=
 =?utf-8?B?VWkrTklSTUNoSGI3TjhhaStqNDMyaXlMMml4bTMySkx4RjhTRW0raTNpTkIv?=
 =?utf-8?B?SmVtMWlPbVEyYXh4eW1BeGxBMnB0RllZSnpVVDJXYnhQNkJKT1VubVg2a0FU?=
 =?utf-8?B?YXBneXVQSTdMZVovc2tuMy9VUE9kNGsrME9mdXg0VDVaWjVLOGx2RkM3MEsy?=
 =?utf-8?B?SXc9PQ==?=
X-MS-Exchange-CrossTenant-Network-Message-Id: 3bdee372-e9a9-4b06-7107-08db03f9735d
X-MS-Exchange-CrossTenant-AuthSource: BYAPR11MB3320.namprd11.prod.outlook.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 01 Feb 2023 02:10:12.2488
 (UTC)
X-MS-Exchange-CrossTenant-FromEntityHeader: Hosted
X-MS-Exchange-CrossTenant-Id: 46c98d88-e344-4ed4-8496-4ed7712e255d
X-MS-Exchange-CrossTenant-MailboxType: HOSTED
X-MS-Exchange-CrossTenant-UserPrincipalName: 0CBp/hUMNbr/fox0Jdfi8cAILsszpMJeM749OI/FSVM0+OdNDZrKWI2NtT1XDndLnMib8NcyvYo5miu+l+6ZjA==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: CH0PR11MB5476
X-OriginatorOrg: intel.com
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On 1/11/2023 4:37 PM, Dave Hansen wrote:
> clearcpuid=smap means that the kernel should be running as if
> CPUID.(EAX=07H,ECX=0H):EBX.SMAP[bit 20]==0.  STAC/CLAC should #UD in
> that case.
> 
> The only reason that it happens to work is that STAC/CLAC apparently
> actually continue to work even if CR4.SMAP==0.
> 

It seems this is by design. I was trying to experiment with
clearcpuid=smap on an older platform (KBL). I noticed that even if
CR4.SMAP==0 the STAC/CLAC instructions do not fault.

The STAC instruction operation in the SDM also suggests that it may be
intentional. It does *not* list CR4.SMAP=0 as a reason for #UD.

#UD	If the LOCK prefix is used.
	If the CPL > 0.
	If CPUID.(EAX=07H, ECX=0H):EBX.SMAP[bit 20] = 0.


> I'm actually a _bit_ surprised by this, but I bet there's a good reason
> for it.
> 

I would love to find out the actual reasoning behind this. I'll try to
poke some of the architects internally.

> In any case, please just make LASS dependent on SMAP.  It's the right
> thing to do on several levels.

Anyway, the end result still remains the same. We should still make LASS
dependent on SMAP since:

1) The spec says that LASS enforcement only happens when SMAP is enabled.
"A supervisor-mode data access causes a LASS violation only if
supervisor-mode access protection is enabled (because CR4.SMAP = 1)"

2) In the extremely improbably case that LASS is available but SMAP is
not available on the hardware, the STAC and CLAC instructions will fault
due to the missing SMAP CPUID bit.

-Sohil