Date: Tue, 10 Oct 2023 12:36:43 -0700
From: Josh Poimboeuf
To: David Kaplan
Cc: x86@kernel.org, luto@kernel.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH 3/3] x86/retpoline: Ensure default return thunk isn't used at runtime
Message-ID: <20231010193643.su6iqjniuxqqke6d@treble>
In-Reply-To: <20231010171020.462211-4-david.kaplan@amd.com>

On Tue, Oct 10, 2023 at 12:10:20PM -0500, David Kaplan wrote:
> All CPU bugs that require a return thunk define a special return thunk
> to use (e.g., srso_return_thunk). The default thunk,
> __x86_return_thunk, should never be used after apply_returns() completes.
> Otherwise this could lead to potential speculation holes.
>
> Enforce this by replacing this thunk with a ud2 when alternatives are
> applied. Alternative instructions are applied after apply_returns().
>
> The default thunk is only used during kernel boot, it is not used during
> module init since that occurs after apply_returns().
>
> Signed-off-by: David Kaplan
> ---
> arch/x86/lib/retpoline.S | 8 +++++---
> 1 file changed, 5 insertions(+), 3 deletions(-)
> > diff --git a/arch/x86/lib/retpoline.S b/arch/x86/lib/retpoline.S > index 3da768a71cf9..10212cf4a9af 100644 > --- a/arch/x86/lib/retpoline.S > +++ b/arch/x86/lib/retpoline.S > @@ -358,15 +358,17 @@ SYM_FUNC_END(call_depth_return_thunk) > * This function name is magical and is used by -mfunction-return=thunk-extern > * for the compiler to generate JMPs to it. > * > - * This code is only used during kernel boot or module init. All > + * This code is only used during kernel boot. All > * 'JMP __x86_return_thunk' sites are changed to something else by > * apply_returns(). > + * > + * This thunk is turned into a ud2 to ensure it is never used at runtime. > + * Alternative instructions are applied after apply_returns(). > */ > SYM_CODE_START(__x86_return_thunk) > UNWIND_HINT_FUNC > ANNOTATE_NOENDBR > - ANNOTATE_UNRET_SAFE > - ret > + ALTERNATIVE __stringify(ANNOTATE_UNRET_SAFE;ret),"ud2", X86_FEATURE_RETHUNK If it's truly never used after boot (even for non-rethunk cases) then can we use X86_FEATURE_ALWAYS? -- Josh
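
Review bot: The new comment above SYM_CODE_START(__x86_return_thunk) says the thunk "is turned into a ud2" without qualification, but the ALTERNATIVE line only patches in ud2 when X86_FEATURE_RETHUNK is set, so where that feature bit is clear the plain ret remains in place after boot. Either state the condition in the comment or pick the feature bit so the code matches the unconditional wording; the commit message's claim that the thunk "should never be used after apply_returns() completes" has the same gap. Minor style point on the same line: the ALTERNATIVE arguments are spaced inconsistently (no space after the comma before "ud2", one space after it), so add a space after the first comma.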