Received: by 2002:a05:7412:1492:b0:e2:908c:2ebd with SMTP id s18csp434639rdh; Mon, 21 Aug 2023 23:16:33 -0700 (PDT) X-Google-Smtp-Source: AGHT+IF+6ua1t8/9Sk578bY7J9FMDCgpWJ3D1NqkGxEsJ+B04ppcCFPzVoUJw/KZpkegrzz5m0cH X-Received: by 2002:a17:902:d50c:b0:1bb:d586:d29a with SMTP id b12-20020a170902d50c00b001bbd586d29amr13643497plg.34.1692684992491; Mon, 21 Aug 2023 23:16:32 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1692684992; cv=none; d=google.com; s=arc-20160816; b=lk4M0o5WJwSBPe4A9c8LoFleXgZ8dCBCY5h6uaUiJeNOLjy8SA7MU7vIpF8uaxGFfZ aIatz05tgM9ixMzk2HGJ17WqffCkJg2gjl1Bw1oSkTqUVIza7xnSKoEc4AF+QkRtE81O ov0dvd0137xWY1/0yRFRysVfpnvUSOpvop2V4Idi1lurfrYk8/DXXcszz8y0uUFv7o99 yoQo9pZmlWmdPbCQsB7V/10yMPIa6PYE41npBNZih5FmHWjz6q82HmcZmfiKIJk2fqDZ Laf1g/e9NJMu/G5uIhWRZclDfIOuxF6aJPd22PodKMtSXSnxDTepQEkISqKd+Ul9/dg0 CAxQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:in-reply-to:content-transfer-encoding :content-disposition:mime-version:references:message-id:subject:cc :to:from:date:dkim-signature; bh=wOI1JQ5QSPSpxQxjELm5sjj6nxa06nXxeVZonAVdRiY=; fh=Im1+QDs9vUxkmj6ikDGiYf49sLJ71JxKowiAnR/2zyk=; b=XbpN7Jmw6CVnP1YJI7OSruwyJPucTmYZaJswd6J6NhVNHfnT74bxONwof/2qGMdlkn rkZUNI6IUsRYEy7lTQMi2nK4wtcORxhkvw+d6QXd/TzTV6BHvRlYYH04RZB6Ibi4cXHI WSGcm1QVTRhdt4kJxcCqpF2shtSyG3erwo6sGaowbPBnicrWXMXvO7Suks0QX+eU73/d zRJv7ITyXuSdjny7GLXhwHaJaf9eT4fQX21En/ncZgIcXn9jbruSiKjtNR4h1H9mnO9a Cqu6Itk5dJApoBzs/eAGjpYNj5QbmV7OoptEhdMWYSu+1BRfWMx9gIH9Scp3w0hbcjaG F6NQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=k20201202 header.b=hoWYIIbE; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id u13-20020a170902e80d00b001b9f75c8bfasi1107024plg.424.2023.08.21.23.16.08; Mon, 21 Aug 2023 23:16:32 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=k20201202 header.b=hoWYIIbE; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S231311AbjHVCWh (ORCPT + 99 others); Mon, 21 Aug 2023 22:22:37 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:38710 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S230526AbjHVCWf (ORCPT ); Mon, 21 Aug 2023 22:22:35 -0400 Received: from dfw.source.kernel.org (dfw.source.kernel.org [IPv6:2604:1380:4641:c500::1]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 43F6BDB for ; Mon, 21 Aug 2023 19:22:33 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)) (No client certificate requested) by dfw.source.kernel.org (Postfix) with ESMTPS id CBC54646F3 for ; Tue, 22 Aug 2023 02:22:32 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id BF53CC433C7; Tue, 22 Aug 2023 02:22:31 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1692670952; bh=XPEg5hUhI7aGUhMtVHHgnDv/L9i0G9LNRyzRNkNkFdQ=; h=Date:From:To:Cc:Subject:References:In-Reply-To:From; b=hoWYIIbE+vK0DxVQ4dcG9LGDVUpnwr9HGaXmBDi/yhO9VB71fFJrYQeGbymbpZ4JA /Kn75DtzlOoIF//ehC5WIxJ2O2AQqv/m4T2MPBLxZX2hgLo595E7JwvNcHDnYreIIE C3EahmqtWp2fzqmAfYEfsFU+qrx9ndALzI/4mwTnd+82aOierotcTrPJx5mOhSH5nP 9GwKEfPE5eMJX7UNM0X07sR7Cjz2J2Nn/cP1n3MjfqPZvJLfeRZ9V3T5p4mqMDu3zl 8IyyOpj3lRduE3GoEFZqHR9p8e0U9+r+OuSqMeimNvNQuN0ht+seuT6JxqAaYJXJz6 0qgqkh2WA58iA== Date: Mon, 21 Aug 2023 19:22:29 -0700 From: Josh Poimboeuf To: Andrew Cooper Cc: LKML , x86@kernel.org, Borislav Petkov , Peter Zijlstra , Babu Moger , David.Kaplan@amd.com, Nikolay Borisov , gregkh@linuxfoundation.org, Thomas Gleixner Subject: Re: [PATCH RFC 4/4] x86/srso: Use CALL-based return thunks to reduce overhead Message-ID: <20230822022229.xlctyccmgdxiy6ic@treble> References: <20230821112723.3995187-1-andrew.cooper3@citrix.com> <20230821112723.3995187-5-andrew.cooper3@citrix.com> <20230821151636.onk2e6tlhmjg5yz5@treble> <810fa94b-9417-0076-1232-d263ef882027@citrix.com> MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Disposition: inline Content-Transfer-Encoding: 8bit In-Reply-To: <810fa94b-9417-0076-1232-d263ef882027@citrix.com> X-Spam-Status: No, score=-4.4 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_MED, SPF_HELO_NONE,SPF_PASS autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Tue, Aug 22, 2023 at 12:01:29AM +0100, Andrew Cooper wrote: > On 21/08/2023 4:16 pm, Josh Poimboeuf wrote: > > On Mon, Aug 21, 2023 at 12:27:23PM +0100, Andrew Cooper wrote: > >> The SRSO safety depends on having a CALL to an {ADD,LEA}/RET sequence which > >> has been made safe in the BTB. Specifically, there needs to be no pertubance > >> to the RAS between a correctly predicted CALL and the subsequent RET. > >> > >> Use the new infrastructure to CALL to a return thunk. Remove > >> srso_fam1?_safe_ret() symbols and point srso_fam1?_return_thunk(). > >> > >> This removes one taken branch from every function return, which will reduce > >> the overhead of the mitigation. It also removes one of three moving pieces > >> from the SRSO mess. > > So, the address of whatever instruction comes after the 'CALL > > srso_*_return_thunk' is added to the RSB/RAS, and that might be > > speculated to when the thunk returns. Is that a concern? > > That is very intentional, and key to the safety. > > Replacing a RET with a CALL/{ADD,LEA}/RET sequence is a form of > retpoline thunk.  The only difference with regular retpolines is that > the intended target is already on the stack, and not in a GPR. > > > If the CALL mispredicts, it doesn't matter.  When decode catches up > (allegedly either instantaneously on Fam19h, or a few cycles late on > Fam17h), the top of the RAS is corrected will point at the INT3 > following the CALL instruction. That's the thing though, at least with my kernel/compiler combo there's no INT3 after the JMP __x86_return_thunk, and there's no room to patch one in after the CALL, as the JMP and CALL are both 5 bytes. -- Josh