Received: by 2002:a05:6358:3188:b0:123:57c1:9b43 with SMTP id q8csp6083100rwd; Mon, 19 Jun 2023 01:56:53 -0700 (PDT) X-Google-Smtp-Source: ACHHUZ74Gr7vswsWBzS4jusV72U1XqZE9V0qbMyQWJK4aE9qa7btSzXbOy2IujlzFyVRAKmZTXCe X-Received: by 2002:a05:6a21:78a4:b0:10e:5c1f:6627 with SMTP id bf36-20020a056a2178a400b0010e5c1f6627mr13242865pzc.21.1687165013274; Mon, 19 Jun 2023 01:56:53 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1687165013; cv=none; d=google.com; s=arc-20160816; b=U1TVsYRc8zBquA9eGCAHsCdiVNWptKvovPhLPD/7sTjQC111/Ng22qjil2GV1/5Bly 3r4ON6EeyYX1IvP3/Dprtn+aqy5AiWifo4UualV2OnzgsuB750kd0asqfounW8Ci7/ys 06oAfWgX+6445M0lPpZEQcM35BZ9SzgEMM36R6o4p3zhRgBBfobxTPeXXmGybK0LgNeo Ct57VTFYit06FNPXAntxQR7Qt4+nWDvkR0l0V94QzMpg3C/G3WwAX30ZiZYAifhqsalx edWdsgV9dnrgR8m83W6A/wzObpVXE6PFYQzoD24Th/5j9MkrRtpyKs+Rrh4zBpYFDsNc r0KA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:in-reply-to:content-disposition:mime-version :references:message-id:subject:cc:to:from:date:dkim-signature; bh=0PCSD36qNRec2QogWftQZPEKlnMfGKrOOih0U0Ntkpk=; b=l6wxU2gq/36Zn2bGMOuLs9/IscNGbxPfNLv0/QlO5WdolBg/vIoI4GEeMEXQ7w9UkP RUPo+Tlybv0/LdZRHtu1uhwXHgEXm1pC0qF63xYqml9r3sriO51gLv/uPYphFWkyoUyT fJYs/Jq5Q1Jl0RJZUqffZ1Xq8976h9L0G1hyBEguZwaM8mHKGGzXV8O0u7ZZ/3hCwOdO g30hVDnwmK4U+whQ9nVT0bc0lJ1foqxxnM4T1tCwS+3xcjNPrdBCvqYIOLZMA4qv4tSd ooRmFxyv3qWwCu6N0N5aqDoSPT0q2AJpfyPLWjoPpewuJ8ShynpL/JJNV5wH69D9p9Ls bLxQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@infradead.org header.s=desiato.20200630 header.b=qfZq7UAc; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id y9-20020aa79429000000b0064d2ddc63ebsi1763635pfo.306.2023.06.19.01.56.41; Mon, 19 Jun 2023 01:56:53 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@infradead.org header.s=desiato.20200630 header.b=qfZq7UAc; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S231136AbjFSIvk (ORCPT + 99 others); Mon, 19 Jun 2023 04:51:40 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:53232 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S230428AbjFSIvV (ORCPT ); Mon, 19 Jun 2023 04:51:21 -0400 Received: from desiato.infradead.org (desiato.infradead.org [IPv6:2001:8b0:10b:1:d65d:64ff:fe57:4e05]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 2BE04114 for ; Mon, 19 Jun 2023 01:49:58 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=infradead.org; s=desiato.20200630; h=In-Reply-To:Content-Type:MIME-Version: References:Message-ID:Subject:Cc:To:From:Date:Sender:Reply-To: Content-Transfer-Encoding:Content-ID:Content-Description; bh=0PCSD36qNRec2QogWftQZPEKlnMfGKrOOih0U0Ntkpk=; b=qfZq7UAcLnCMBoVroEKV5tcRgW D3/g9Ea3leV8VIWMbcp0nyparOJzHPaOmfrc48i/1redfzLGkLZa7usaASHCTK0bmHPz4vd1sfeVs IM8rMN8LtqNuG0PCkxxjVeXL0w1zKT6m16ORI18/2ZxEcaCptC4hTEBVI/1l9b0rJob0o4ULTePHA eCY/POVtEq8TiBpSV67Pq6/2MwjkZh+vjjhW0qdhBNGP7ubw+5RTnJCaWR5xI/IZtBk5knpLP3V37 URAmZ5NLjEtHMjc1g9kk32XhLGYW8sfB7cyf8v3uvyLiXIB2YZilNpBtzYjZM5pk3JKf7Zv4yghQK seaxjiyA==; Received: from j130084.upc-j.chello.nl ([24.132.130.84] helo=noisy.programming.kicks-ass.net) by desiato.infradead.org with esmtpsa (Exim 4.96 #2 (Red Hat Linux)) id 1qBAXf-00EfRQ-2u; Mon, 19 Jun 2023 08:49:21 +0000 Received: from hirez.programming.kicks-ass.net (hirez.programming.kicks-ass.net [192.168.1.225]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (Client did not present a certificate) by noisy.programming.kicks-ass.net (Postfix) with ESMTPS id 781133002A9; Mon, 19 Jun 2023 10:47:17 +0200 (CEST) Received: by hirez.programming.kicks-ass.net (Postfix, from userid 1000) id 3BC632BD11730; Mon, 19 Jun 2023 10:47:17 +0200 (CEST) Date: Mon, 19 Jun 2023 10:47:17 +0200 From: Peter Zijlstra To: Waiman Long Cc: Robin Jarry , Thomas Gleixner , Ingo Molnar , Borislav Petkov , Dave Hansen , "H.Peter Anvin" , Josh Poimboeuf , Pawan Gupta , Juri Lelli , Vincent Guittot , Dietmar Eggemann , Steven Rostedt , Ben Segall , Mel Gorman , Daniel Bristot de Oliveira , Valentin Schneider , linux-kernel@vger.kernel.org, x86@kernel.org, Joe Mario Subject: Re: [PATCH 0/5] x86/speculation: Disable IBRS when idle Message-ID: <20230619084717.GJ4253@hirez.programming.kicks-ass.net> References: <20230616200003.745742-1-longman@redhat.com> <20230617122115.GA1830050@hirez.programming.kicks-ass.net> <55219f3b-992d-ccc3-ba29-7bf33465b5cc@redhat.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: X-Spam-Status: No, score=-4.4 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_MED,SPF_HELO_NONE, SPF_NONE,T_SCC_BODY_TEXT_LINE autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Sun, Jun 18, 2023 at 11:25:29PM -0400, Waiman Long wrote: > > We were testing on the RHEL9.2 kernel which doesn't have your Then keep the tinkering in the RHEL tree, please. > We may need to extend your current solution to cover more cases. See below. > Perhaps adding a module parameter (e.g. idle_no_ibrs) to force the use > of intel_idle_ibrs(). BTW, is it really the case that we can't disable > IBRS when irq is enabled? No, that is an entirely artificial constraint due to not having intel_idle_ibrs_irq() and having no desire to deal with the ramifications of such a thing. That said; it also doesn't make any sense what so ever to add this. The reason for having this intel_idle_irq() is for C1 state to improve IRQ response latency. Adding WRMSRs will obviously regress that. Specifically, we very intentionally did not add CPUIDLE_FLAG_IBRS to the very shallow idle states to avoid regressions. These WRMSRs are *EXPENSIVE*. Additionally, if you were to go do this with IRQs enabled, then you have to worry about enabling IBRS again on the interrupt path from kernel. > The idle thread does not really interact with any user > applications. I don't think there is any risk of information leakage even if > we disable IBRS with interrupt enabled. Is my assumption incorrect? Yes: - doing the WRMSR on C1 makes no sense, the C1 state is only picked if the idle time expectation is *VERY* short, the WRMSR overhead in that case is probably more than the expected idle time. - doing the WRMSR with IRQs enabled means you now get to touch the interrupt/exception from kernel paths, nobody wants more of this crap. - the whole IBRS thing is a trainwreck, let it be. - finally, T0 runs userspace, T1 goes into C1 idle, disables IBRS, enables IRQs, takes an IRQ and now T0 can 'see' everything T1 does in kernel space, you loose. Also, did I say that IBRS sucks? Like really? It is horrific -- step away and let it be. The possibly better solution is to make sure nothing untrusted what so ever runs on the DPDK machine, then you can forget about all the mitigation nonsense.