Message-ID: <18da71ef-8586-400f-ae71-6d471f2fedcb@intel.com>
Date: Mon, 23 Oct 2023 15:45:41 -0700
Subject: Re: [PATCH 2/6] x86/entry_64: Add VERW just before userspace transition
From: Dave Hansen
To: Pawan Gupta, Josh Poimboeuf
Cc: Thomas Gleixner, Ingo Molnar, Borislav Petkov, Dave Hansen, x86@kernel.org, "H. Peter Anvin", Peter Zijlstra, Andy Lutomirski, Jonathan Corbet, Sean Christopherson, Paolo Bonzini, tony.luck@intel.com, ak@linux.intel.com, tim.c.chen@linux.intel.com, linux-kernel@vger.kernel.org, linux-doc@vger.kernel.org, kvm@vger.kernel.org, Alyssa Milburn, Daniel Sneddon, antonio.gomez.iglesias@linux.intel.com
In-Reply-To: <20231023223059.4p7l474o5w3sdjuc@desk>

On 10/23/23 15:30, Pawan Gupta wrote:
>>>>> /*
>>>>>  * iretq reads the "iret" frame and exits the NMI stack in a
>>>>>  * single instruction. We are returning to kernel mode, so this
>>>> This isn't needed here. This is the NMI return-to-kernel path.
>>> Yes, the VERW here can be omitted. But probably need to check if an NMI
>>> occurring between VERW and ring transition will still execute VERW after
>>> the NMI.
>> That window does exist, though I'm not sure it's worth worrying about.
> I am in favor of omitting the VERW here, unless someone objects with a
> rationale. IMO, precisely timing the NMIs in such a narrow window is
> impractical.

I'd bet that given the right PMU event you could make this pretty
reliable. But normal users can't do that by default. That leaves the
NMI watchdog which (I bet) you can still time, but which is pretty low
frequency.

Are there any other NMI sources that a normal user can cause problems with?

Let's at least leave a marker in here that folks can grep for:

	/* Skip CLEAR_CPU_BUFFERS since it will rarely help */

and some nice logic in the changelog that they can dig out if need be.

But, basically it sounds like the logic is:

1. It's rare to get an NMI after VERW but before returning to userspace
2. There is no known way to make that NMI less rare or target it
3. It would take a large number of these precisely-timed NMIs to mount
   an actual attack. There's presumably not enough bandwidth.

Anything else?