Received: by 2002:a05:7412:d8a:b0:e2:908c:2ebd with SMTP id b10csp366987rdg;
        Tue, 10 Oct 2023 12:37:14 -0700 (PDT)
X-Google-Smtp-Source: AGHT+IF/i7ZYsltswWUZmf35Zw9BNpD5Sf2rad/b+GhDIdRYTp3ERWQYdYwEc5PibyreFHXJhRI/
X-Received: by 2002:a05:6a20:da8c:b0:16c:b5ce:50f with SMTP id iy12-20020a056a20da8c00b0016cb5ce050fmr10680509pzb.32.1696966633891;
        Tue, 10 Oct 2023 12:37:13 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1696966633; cv=none;
        d=google.com; s=arc-20160816;
        b=ZOpJ+Obe+ZWxZBBEoj4IIHNssjzgKn9gitZwMUUlwFqciEhHatrF5JmftRtddCm1H6
         R3s4wI9MxpWnC9Skd6thHPX9cC6/IS4zkz4k167cclSQd80mW1Ton2zk6z9FLI9JVHBi
         db0Rjkr2p74Vg266AyFXJZo2S31SZ7exrGGEcPN97Ku4JjBY53eJbud3ilN0SIFZpy0r
         va1XpLt8FepcpaF6XT9E/xl/HGLfdb7dfLngrjALZqBt1l38BvgkMbRl2PXN4OjgcEKl
         52FwI7Nb86+Pv/OnSWbE7/klxBSkSHu4eUytKmjraAe7d+kN7KzbVuaWVTFDi6d5mv4v
         zzWA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:in-reply-to:content-disposition:mime-version
         :references:message-id:subject:cc:to:from:date:dkim-signature;
        bh=DsI/+SzO9zZxQl4wUj5ENrLv/DAKR/QanqGn6VUsjJU=;
        fh=YI9pVz+rfU1UtcNhRQtuaEJDni9ui5sW4Aa7os3gTFc=;
        b=CMA8/gMPwQRegHKMWffJ9Se1w3UZBL+YHd06l+SjX/fDOQ3skIEZBaVWHsibcZKBOb
         XjJfv4MJmX1QZuG4jiiStOpST3fzJMqp9EPBBoX5ZleJNSwPh7OghqfuzYi/QUy8JMDQ
         fjxRcJ+BXBaZfkjSLJT3tQBkfsJlGYyd9giQcnmJP5SLnoukvOeNxSWnm1GPDhlHTnWj
         BxI43aE7efq+9hLYJ8xJyDo5kX86PIglfg7crVmP5rpqN8fNYNiaoPWKHgtkuxfzjAAA
         uWfXJB19UN1YFuHs0oupm4/CH4WfWlgKtRvIjTfncYoQjj63gXQeH85AC7nuVhYz4KBR
         4zgQ==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@kernel.org header.s=k20201202 header.b="k7vWiM/Y";
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.35 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from groat.vger.email (groat.vger.email. [23.128.96.35])
        by mx.google.com with ESMTPS id t11-20020a056a0021cb00b00696f1c14972si10546524pfj.208.2023.10.10.12.37.13
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Tue, 10 Oct 2023 12:37:13 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.35 as permitted sender) client-ip=23.128.96.35;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@kernel.org header.s=k20201202 header.b="k7vWiM/Y";
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.35 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org
Received: from out1.vger.email (depot.vger.email [IPv6:2620:137:e000::3:0])
	by groat.vger.email (Postfix) with ESMTP id 3B33C8044386;
	Tue, 10 Oct 2023 12:37:10 -0700 (PDT)
X-Virus-Status: Clean
X-Virus-Scanned: clamav-milter 0.103.10 at groat.vger.email
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1343976AbjJJTgu (ORCPT <rfc822;tarbal@gmail.com> + 99 others);
        Tue, 10 Oct 2023 15:36:50 -0400
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:40534 "EHLO
        lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1343922AbjJJTgq (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Tue, 10 Oct 2023 15:36:46 -0400
Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140])
        by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 72EDCAC
        for <linux-kernel@vger.kernel.org>; Tue, 10 Oct 2023 12:36:45 -0700 (PDT)
Received: by smtp.kernel.org (Postfix) with ESMTPSA id DF304C433C7;
        Tue, 10 Oct 2023 19:36:44 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org;
        s=k20201202; t=1696966605;
        bh=uD7ClMOlrXNZucpoYnlZ28XUQ78JwLXF5AuAtp1WUwQ=;
        h=Date:From:To:Cc:Subject:References:In-Reply-To:From;
        b=k7vWiM/Yz0PhW0Ss7wKsaKqgBHZaO7QBO00j3RtRK6zfBXxWhUDD6o7xMvc60QjQ1
         RcMDye+IPKtZrBCDB+F6DoQjOmMh4oQccmwfrbsM9YQLpxX+Ktj0hG9cN4aq+F90h0
         tQrj4cTkWnfTinCP1gTSH1/T4R1iPkQ8b7sCdVkDrRwZNPuRK//hej2o8N6n8mdYhZ
         D2s+1lS+ZH5NwQGmqAkko3jMz/dypR6jMOqsmYuLlmiLoTWC8kz07kfSmPGqeWwBFR
         F94iXliE/hPeGq3/ZTh+KOhEGZIYTefAv8d+N3C3MrFU8XRPCnQdmoE9mhG6+ndzo6
         OAQXy4SU2G4qQ==
Date:   Tue, 10 Oct 2023 12:36:43 -0700
From:   Josh Poimboeuf <jpoimboe@kernel.org>
To:     David Kaplan <david.kaplan@amd.com>
Cc:     x86@kernel.org, luto@kernel.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH 3/3] x86/retpoline: Ensure default return thunk isn't
 used at runtime
Message-ID: <20231010193643.su6iqjniuxqqke6d@treble>
References: <20231010171020.462211-1-david.kaplan@amd.com>
 <20231010171020.462211-4-david.kaplan@amd.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Disposition: inline
In-Reply-To: <20231010171020.462211-4-david.kaplan@amd.com>
X-Spam-Status: No, score=2.4 required=5.0 tests=DKIMWL_WL_HIGH,DKIM_SIGNED,
	DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,MAILING_LIST_MULTI,
	RCVD_IN_SBL_CSS,SPF_HELO_NONE,SPF_PASS autolearn=no autolearn_force=no
	version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on groat.vger.email
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
X-Greylist: Sender passed SPF test, not delayed by milter-greylist-4.6.4 (groat.vger.email [0.0.0.0]); Tue, 10 Oct 2023 12:37:10 -0700 (PDT)
X-Spam-Level: **

On Tue, Oct 10, 2023 at 12:10:20PM -0500, David Kaplan wrote:
> All CPU bugs that require a return thunk define a special return thunk
> to use (e.g., srso_return_thunk).  The default thunk,
> __x86_return_thunk, should never be used after apply_returns() completes.
> Otherwise this could lead to potential speculation holes.
> 
> Enforce this by replacing this thunk with a ud2 when alternatives are
> applied.  Alternative instructions are applied after apply_returns().
> 
> The default thunk is only used during kernel boot, it is not used during
> module init since that occurs after apply_returns().
> 
> Signed-off-by: David Kaplan <david.kaplan@amd.com>
> ---
>  arch/x86/lib/retpoline.S | 8 +++++---
>  1 file changed, 5 insertions(+), 3 deletions(-)
> 
> diff --git a/arch/x86/lib/retpoline.S b/arch/x86/lib/retpoline.S
> index 3da768a71cf9..10212cf4a9af 100644
> --- a/arch/x86/lib/retpoline.S
> +++ b/arch/x86/lib/retpoline.S
> @@ -358,15 +358,17 @@ SYM_FUNC_END(call_depth_return_thunk)
>   * This function name is magical and is used by -mfunction-return=thunk-extern
>   * for the compiler to generate JMPs to it.
>   *
> - * This code is only used during kernel boot or module init.  All
> + * This code is only used during kernel boot.  All
>   * 'JMP __x86_return_thunk' sites are changed to something else by
>   * apply_returns().
> + *
> + * This thunk is turned into a ud2 to ensure it is never used at runtime.
> + * Alternative instructions are applied after apply_returns().
>   */
>  SYM_CODE_START(__x86_return_thunk)
>  	UNWIND_HINT_FUNC
>  	ANNOTATE_NOENDBR
> -	ANNOTATE_UNRET_SAFE
> -	ret
> +	ALTERNATIVE __stringify(ANNOTATE_UNRET_SAFE;ret),"ud2", X86_FEATURE_RETHUNK

If it's truly never used after boot (even for non-rethunk cases) then
can we use X86_FEATURE_ALWAYS?

-- 
Josh