Received: by 2002:a05:7412:1492:b0:e2:908c:2ebd with SMTP id s18csp360743rdh; Wed, 23 Aug 2023 02:00:27 -0700 (PDT) X-Google-Smtp-Source: AGHT+IG7tBbpR0lkduXFdZQD8CcrVkl4YgNlMVhF/9DdD+OjfKOnH++bOG2/SlvkTUiQo23Ddtka X-Received: by 2002:a05:6a21:629:b0:137:2b6f:4307 with SMTP id ll41-20020a056a21062900b001372b6f4307mr11003187pzb.27.1692781227163; Wed, 23 Aug 2023 02:00:27 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1692781227; cv=none; d=google.com; s=arc-20160816; b=prYgyQ9OcTUwRqs0LT7LelCSyPU42H/8ZHyn/5YH7MXDEjLdQA88NvfFDijIwuSH1V 8vuRJeSf6yqwq5wTe7lR/NtPpAm5LxFCFUvwkXTaXUfNm6b7Um3CLr8dTM/VAVZBztfl QBMaASeSTyMLGPcx9+L1ikCwamZ+Ss291sfjt5F6j83ATsJYIHVWipBgIWIDEXnMZrnJ 0DVLAl0NuaF1HCjjyaaE9nKpuTUwFcs/u6MTTd4Kss1RCm1JAs8Icxp5qvm7+ttDE1r6 flb1SkPm2ye5nAdhbn3j2zwXnam73a1WgDzpInoK6Bv44/S/g+TGWbq04WVLuEjZ9bjF YfaA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:in-reply-to:content-transfer-encoding :content-disposition:mime-version:references:message-id:subject:cc :to:from:date:dkim-signature; bh=B80dm0OLQaiC3YrO8+lwjdwIJU09bNBIq7zkKiHrkMg=; fh=4oHWOEVoNUwHUszFDGHxdsh2IG82WrfgCS0VIPMEgwo=; b=Yj7H4MS/LvJf2fT36g/TyPqIsH4Mr8chgKHo2BAY7ca7gGBFOgVFV01v7mqRUOVKk2 ydF1fdpePqmPr6jVHdgOCJK+8ptgdRxkiHzYQd+BSXgBzcgb/+pBagcE76Xap0lgzglw DR30MANeZglHf0/owixQKe8C0fursQbI+tSzfUYlNolsAO9Qm2+5HlA5zmV1zSsAWC1y ABCQ9nw2gHubOWFlYSREesStnsv8MBwGNSEcSQc6Bk9UzI1FGUkXUOfgOXgJEwaaeTmH AXz3EWo3XgYpnSq8j98O8lPRE8amGSwJCtlBOyq4iNYBeFL0NqVXODajcV2WUZPesZIq TNYg== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=k20201202 header.b=cGpLFj9y; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id c16-20020a170902d49000b001bc836180dcsi3385816plg.520.2023.08.23.02.00.14; Wed, 23 Aug 2023 02:00:27 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=k20201202 header.b=cGpLFj9y; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S231351AbjHVWSe (ORCPT + 99 others); Tue, 22 Aug 2023 18:18:34 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:36770 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S231196AbjHVWSd (ORCPT ); Tue, 22 Aug 2023 18:18:33 -0400 Received: from dfw.source.kernel.org (dfw.source.kernel.org [139.178.84.217]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 52A28CCB for ; Tue, 22 Aug 2023 15:18:32 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)) (No client certificate requested) by dfw.source.kernel.org (Postfix) with ESMTPS id D534C62877 for ; Tue, 22 Aug 2023 22:18:31 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id A277FC433C8; Tue, 22 Aug 2023 22:18:30 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1692742711; bh=68hXbjLaCQXJJIn/fZKNn5XJdGeUPJs/ti87OYETE0Y=; h=Date:From:To:Cc:Subject:References:In-Reply-To:From; b=cGpLFj9yB+VprPQ1IUQvNZJdHrRpy3jA9dB6CA+s3budJIkFoFpAAh9WbYeMEcjHd DyXvkai5Ko8eAar3pQzCD8t0fx8OcHnouWGhG+HpQ+P/eIfz12wOcMP1st2Y/VXNC6 tT8msZ8JEdHWHHDhYvIgVvxIcoaWBOcbbNBWU/oxQH0Lr35QHslL9UhM6TFfa0MrUL SaIi1bnVQKiFEn68LSS2+ZieT0b2HtXLOl8bepM8PRRZxFycyZfsk7E8mVk3tA57dl iqaExesmN4pYpHsXYZgWw86oEj36h7t5PtdnmfV1zp2TNSwAe/J6h9LDQ0WxmLjdF2 JaEXbwBKhvUTA== Date: Tue, 22 Aug 2023 15:18:28 -0700 From: Josh Poimboeuf To: Nikolay Borisov Cc: Andrew Cooper , LKML , x86@kernel.org, Borislav Petkov , Peter Zijlstra , Babu Moger , David.Kaplan@amd.com, gregkh@linuxfoundation.org, Thomas Gleixner Subject: Re: [PATCH RFC 4/4] x86/srso: Use CALL-based return thunks to reduce overhead Message-ID: <20230822221828.htnwidmr22gtjhcd@treble> References: <20230821112723.3995187-1-andrew.cooper3@citrix.com> <20230821112723.3995187-5-andrew.cooper3@citrix.com> <20230821151636.onk2e6tlhmjg5yz5@treble> <810fa94b-9417-0076-1232-d263ef882027@citrix.com> <20230822022229.xlctyccmgdxiy6ic@treble> <9565380a-4654-f267-c8ac-a4d6ab81156a@suse.com> MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Disposition: inline Content-Transfer-Encoding: 8bit In-Reply-To: <9565380a-4654-f267-c8ac-a4d6ab81156a@suse.com> X-Spam-Status: No, score=-2.1 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF, RCVD_IN_DNSWL_BLOCKED,SPF_HELO_NONE,SPF_PASS,URIBL_BLOCKED autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Tue, Aug 22, 2023 at 09:45:07AM +0300, Nikolay Borisov wrote: > > > On 22.08.23 г. 5:22 ч., Josh Poimboeuf wrote: > > On Tue, Aug 22, 2023 at 12:01:29AM +0100, Andrew Cooper wrote: > > > On 21/08/2023 4:16 pm, Josh Poimboeuf wrote: > > > > On Mon, Aug 21, 2023 at 12:27:23PM +0100, Andrew Cooper wrote: > > > > > The SRSO safety depends on having a CALL to an {ADD,LEA}/RET sequence which > > > > > has been made safe in the BTB. Specifically, there needs to be no pertubance > > > > > to the RAS between a correctly predicted CALL and the subsequent RET. > > > > > > > > > > Use the new infrastructure to CALL to a return thunk. Remove > > > > > srso_fam1?_safe_ret() symbols and point srso_fam1?_return_thunk(). > > > > > > > > > > This removes one taken branch from every function return, which will reduce > > > > > the overhead of the mitigation. It also removes one of three moving pieces > > > > > from the SRSO mess. > > > > So, the address of whatever instruction comes after the 'CALL > > > > srso_*_return_thunk' is added to the RSB/RAS, and that might be > > > > speculated to when the thunk returns. Is that a concern? > > > > > > That is very intentional, and key to the safety. > > > > > > Replacing a RET with a CALL/{ADD,LEA}/RET sequence is a form of > > > retpoline thunk.  The only difference with regular retpolines is that > > > the intended target is already on the stack, and not in a GPR. > > > > > > > > > If the CALL mispredicts, it doesn't matter.  When decode catches up > > > (allegedly either instantaneously on Fam19h, or a few cycles late on > > > Fam17h), the top of the RAS is corrected will point at the INT3 > > > following the CALL instruction. > > > > That's the thing though, at least with my kernel/compiler combo there's > > no INT3 after the JMP __x86_return_thunk, and there's no room to patch > > one in after the CALL, as the JMP and CALL are both 5 bytes. > > FWIW gcc's mfunction-return=thunk-return only ever generates a jmp, > thunk/thunk-inline OTOH generates a "full fledged" thunk with all the > necessary speculation catching tricks. > > For reference: > > https://godbolt.org/z/M1avYc63b The problem is the call-site, not the thunk. Ideally we'd have an option which adds an INT3 after the 'JMP __x86_return_thunk'. -- Josh