Date: Thu, 10 Aug 2023 15:22:21 +0200
From: Peter Zijlstra
To: Borislav Petkov
Cc: x86@kernel.org, linux-kernel@vger.kernel.org, David.Kaplan@amd.com, Andrew.Cooper3@citrix.com, jpoimboe@kernel.org, gregkh@linuxfoundation.org
Subject: Re: [RFC][PATCH 02/17] x86/cpu: Clean up SRSO return thunk mess
Message-ID: <20230810132221.GB212435@hirez.programming.kicks-ass.net>
References: <20230809071218.000335006@infradead.org> <20230809072200.543939260@infradead.org> <20230810115148.GEZNTPVLBmPL6uz4Af@fat_crate.local> <20230810123756.GY212435@hirez.programming.kicks-ass.net> <20230810125631.GJZNTef8zQWjoA9KYB@fat_crate.local>
In-Reply-To: <20230810125631.GJZNTef8zQWjoA9KYB@fat_crate.local>
X-Mailing-List: linux-kernel@vger.kernel.org

On Thu, Aug 10, 2023 at 02:56:31PM +0200, Borislav Petkov wrote:

> > Then both srso options use RSB/RAP stuffing to force a mispredict there.
>
> They cause the RETs to mispredict - no stuffing. That's the add $8,
> %rsp in the zen3/4 case which causes the RET to mispredict. There's no
> doing a bunch of CALLs to stuff something.

This is what is called RSB stuffing, we've been doing it for ages on the
Intel side, and code in nospec-branch.h has a number of variants of
this.

        CALL srso_safe_ret      // push addr of UD2 into RSB -- aka 'stuff'
        UD2

srso_safe_ret:
        ADD $8, %RSP            // skip over the return to UD2
        RET                     // pop RSB, speculate into UD2, miss like a beast

Now compare to __FILL_ONE_RETURN, which has the comment 'Stuff a single
RSB slot.' That expands to:

        call 772f
        int3
772:    add $8, %rsp
        lfence

Which is the same sequence and causes the next RET to speculate into that
int3.

So RSB stuffing is sticking addresses to traps in the RSB so that
subsequent predictions go into said traps instead of potentially user
controlled targets.
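To make the point of the mail concrete, here is an added toy model (not kernel code and not part of the thread) that tracks the architectural return stack and the RSB separately and replays both sequences quoted above; the text mnemonics, the ADD_RSP spelling of "add $N, %rsp" and the 4-entry RSB depth are modelling assumptions.

```python
# Toy model of RSB stuffing (constructed example, not kernel code). The CPU's
# Return Stack Buffer (RSB) is pushed on CALL and popped on RET to predict the
# RET target; ADD $8,%rsp adjusts only the architectural stack, so the next RET
# pops the stuffed trap address from the RSB while really returning to the caller.
TRAPS = {"UD2", "INT3"}

def assemble(lines):  # 'label:' or 'OP [arg]' per line; '//' starts a comment
    ops, labels = [], {}
    for line in (l.split("//")[0].strip() for l in lines):
        if line.endswith(":"):
            labels[line[:-1]] = len(ops)
        elif line:
            mnem, _, arg = line.partition(" ")
            ops.append((mnem.upper(), arg.strip()))
    return ops, labels

def run(lines, start="entry", rsb_depth=4):  # one record per executed RET
    ops, labels = assemble(lines)
    stack, rsb, rets = [], [], []          # architectural return stack, RSB, RET log
    pc = labels[start]
    while True:
        mnem, arg = ops[pc]
        if mnem == "CALL":                 # return address goes on both
            stack.append(pc + 1)
            rsb.append(pc + 1)
            del rsb[:-rsb_depth]           # RSB is small; oldest entries fall off
            pc = labels[arg]
        elif mnem == "ADD_RSP":            # architectural stack only, RSB untouched
            del stack[-int(arg) // 8:]
            pc += 1
        elif mnem == "RET":
            arch = stack.pop()
            pred = rsb.pop() if rsb else None  # None: RSB empty, predictor falls back
            rets.append({"arch": arch, "pred": pred, "mispredict": pred != arch,
                         "trapped": pred is not None and ops[pred][0] in TRAPS})
            pc = arch
        elif mnem == "END":
            return rets
        elif mnem in TRAPS:                # the architectural path must never get here
            raise RuntimeError(f"executed {mnem} at {pc}")
        else:                              # LFENCE, NOP: no modelled state change
            pc += 1
# Return through the SRSO thunk quoted in the mail (the zen3/4 case).
SRSO_THUNK = ["entry:", "CALL func", "END", "func:", "CALL srso_safe_ret  // stuff UD2",
              "UD2", "srso_safe_ret:", "ADD_RSP 8  // skip the return to UD2", "RET"]
# __FILL_ONE_RETURN from nospec-branch.h, then the function's own RET.
FILL_ONE_RETURN = ["entry:", "CALL func", "END", "func:",
                   "CALL 772", "INT3", "772:", "ADD_RSP 8", "LFENCE", "RET"]
# Contrast: with no stuffing the RSB predicts the RET correctly.
PLAIN_RET = ["entry:", "CALL func", "END", "func:", "RET"]
```

Running run(SRSO_THUNK) or run(FILL_ONE_RETURN) reports the single RET as mispredicted with the predicted target being the trap, while run(PLAIN_RET) reports a correctly predicted RET.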