Received: by 2002:a05:7412:8d10:b0:f3:1519:9f41 with SMTP id bj16csp5275722rdb; Wed, 13 Dec 2023 04:24:33 -0800 (PST) X-Google-Smtp-Source: AGHT+IEtOmf5tmFkb4CKkD0t43wySDENf28AU3JCubIsniXAordTzwqZS1hTjOeoLv1fqnY8JyXz X-Received: by 2002:a17:902:bd88:b0:1d0:4706:60fc with SMTP id q8-20020a170902bd8800b001d0470660fcmr7310738pls.17.1702470273296; Wed, 13 Dec 2023 04:24:33 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1702470273; cv=none; d=google.com; s=arc-20160816; b=y/QsQKrsn6wFQ3E1mxHcVnV8Z80/ujq5JJwGOO523kD5U6Sn7k4LbgbmBW591I2rkV ORdkSTQneBGoyynfyi4IIVQwWmpWDH/UYGfgIk1S8A4KHSoPJHOTpzXCR9rWutMKeMNy U7lXt9vkLcNmRYzZqrFC7tFBRsGF56t67LFx7zBQBUhir5dIRRhHqVr0b9ibr+aGY5iZ Hk4do1YOAr58iphJt4HH6q9+wHZdTAj1AJwRHeLzzka9Zdfss9EbAa11411y5q1IFmpB yHjLsrjHjuNAFPmpGvp+DnpkgTXcW+JDUWElwNEXos4WYfGJqvwBlUQx+3E5r6B0ZvpE hncA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:in-reply-to:content-disposition:mime-version :references:message-id:subject:cc:to:from:date:dkim-signature; bh=/Do9us9KI9YVf91TMl8txltk4WC8U3fmMGLk20+eGOw=; fh=zS/Lm7HDLT6h1alh0mD7x0kJ16rGoxs8vPUpgoFxLvE=; b=uJTVI/AV+qyVRFfLnO2uzAOV6cx9G/5RdkKBqDFpWkzU5100lhd6SI2DvaAwejHyqn dTq2dJpuxuwcj1foLEfbLY0eMF9gg2Oq2NT7t5K3h+uDj+lSeafPzgyxG7UX0dTCWFNX dGWTyW28IqHC5k2UhEijXFt6HXpmHKkwR0nvRmkoGgs94wecJPc1PlOtr+f41z6xzJ1g 3TbBS5OoIuFzHBv0lAtT3PsyPkBgnYrCRbsj/+4Hg6qgNo6BSjrRO7SCfV5qXAOWl4/E 6kxLnpEiLlbmMYPdBdxlPEq8ITP+Oai7iYwHP6OvcQmqxkYC1gxP7JrYqkr46yl0yixJ bRhw== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@ventanamicro.com header.s=google header.b=IlCk1Bv8; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.31 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from morse.vger.email (morse.vger.email. [23.128.96.31]) by mx.google.com with ESMTPS id u13-20020a170902e5cd00b001cfc01dc055si9728945plf.57.2023.12.13.04.24.32 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 13 Dec 2023 04:24:33 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.31 as permitted sender) client-ip=23.128.96.31; Authentication-Results: mx.google.com; dkim=pass header.i=@ventanamicro.com header.s=google header.b=IlCk1Bv8; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.31 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: from out1.vger.email (depot.vger.email [IPv6:2620:137:e000::3:0]) by morse.vger.email (Postfix) with ESMTP id D63B78040D68; Wed, 13 Dec 2023 04:24:30 -0800 (PST) X-Virus-Status: Clean X-Virus-Scanned: clamav-milter 0.103.11 at morse.vger.email Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1377618AbjLMMYQ (ORCPT + 99 others); Wed, 13 Dec 2023 07:24:16 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:48010 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1377400AbjLMMYP (ORCPT ); Wed, 13 Dec 2023 07:24:15 -0500 Received: from mail-wm1-x334.google.com (mail-wm1-x334.google.com [IPv6:2a00:1450:4864:20::334]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id E642FCF for ; Wed, 13 Dec 2023 04:24:21 -0800 (PST) Received: by mail-wm1-x334.google.com with SMTP id 5b1f17b1804b1-40c32df9174so59986375e9.3 for ; Wed, 13 Dec 2023 04:24:21 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ventanamicro.com; s=google; t=1702470260; x=1703075060; darn=vger.kernel.org; h=in-reply-to:content-disposition:mime-version:references:message-id :subject:cc:to:from:date:from:to:cc:subject:date:message-id:reply-to; bh=/Do9us9KI9YVf91TMl8txltk4WC8U3fmMGLk20+eGOw=; b=IlCk1Bv8B+MsKoDZk7TyTUFP1ksnlXbm7VYIUSuyZ+bOkGfz9UtosGWiY8UClofvxU 5N2fXi1cBlAou57GWZIrSC9aU67ZGljTffUKWKYghqsFYTPzsdzpTzmqy9nPHI4C4Gf+ LAsGayOphK3ALb3LS5uAbDRH05Gc0qo76FrDBHKCp3fMWAsJ03d9YqIAQv4Q7Ep7uPFP lpAlx4lzUVOxw+LK6wrJwJiQQkqhyLS5QlznEJo/jtlFxgowrMvfTzoIPGK870omKuHO CNC2Qgqm/WIAabhG1fK2bQR1SRAYjhI+9Ctb7mhZeHq7Z/C6eiDbt3shzIqvzYd6UIg4 rPTQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1702470260; x=1703075060; h=in-reply-to:content-disposition:mime-version:references:message-id :subject:cc:to:from:date:x-gm-message-state:from:to:cc:subject:date :message-id:reply-to; bh=/Do9us9KI9YVf91TMl8txltk4WC8U3fmMGLk20+eGOw=; b=CqXW035gEEl8cSIbjgzzMOMIx2Du+BRF1gjXeSmgdmEtuqoxv1hsLo8wrbolUPScPl d2xRkHx4g7ERCV+HOZf1aXCF2pdGmbCj+juHEuR4U6a3yHq0HMJDYZo5CATG4pYcF3KC fI2NF0eQ5DCSxq3CyhpFSqewkmPZMICNoj+XOjaSL5IXT8kl+I/V5QeR9/HaA89CdBE5 DA24ttoKyGtxYoPDdaX0w1bFcP1/b3cXUOGhqcLerUg+p6zMQz5xUkpUgboQQprw/3Ty Op8UAdb8/CEOdfHGsLNIYa/xpza+zE2FDGvdkTstzf0jgzizGQPfqT/PB1+PSWB3iR0Y Pe1A== X-Gm-Message-State: AOJu0YxJJpx5idiiaxpQW/P443sK/5O4a/UFQc4YboZzZUAiRB6ClcPY R/mT94jxck9UZP8R93mECr9o7Q== X-Received: by 2002:a05:600c:1715:b0:40b:5e21:c5cd with SMTP id c21-20020a05600c171500b0040b5e21c5cdmr2457031wmn.155.1702470260169; Wed, 13 Dec 2023 04:24:20 -0800 (PST) Received: from localhost (2001-1ae9-1c2-4c00-20f-c6b4-1e57-7965.ip6.tmcz.cz. [2001:1ae9:1c2:4c00:20f:c6b4:1e57:7965]) by smtp.gmail.com with ESMTPSA id fl9-20020a05600c0b8900b0040b43da0bbasm20393302wmb.30.2023.12.13.04.24.19 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 13 Dec 2023 04:24:19 -0800 (PST) Date: Wed, 13 Dec 2023 13:24:18 +0100 From: Andrew Jones To: Deepak Gupta Cc: Palmer Dabbelt , Paul Walmsley , aou@eecs.berkeley.edu, apatel@ventanamicro.com, guoren@kernel.org, mchitale@ventanamicro.com, waylingii@gmail.com, greentime.hu@sifive.com, samitolvanen@google.com, Bjorn Topel , Conor Dooley , jeeheng.sia@starfivetech.com, Heiko Stuebner , Evan Green , jszhang@kernel.org, cleger@rivosinc.com, linux-riscv@lists.infradead.org, linux-kernel@vger.kernel.org Subject: Re: [PATCH v1 2/2] riscv: envcfg save and restore on trap entry/exit Message-ID: <20231213-707b4e8b5a91ceedd557eb12@orel> References: <20231212235003.2036221-1-debug@rivosinc.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: X-Spam-Status: No, score=-0.9 required=5.0 tests=DKIM_SIGNED,DKIM_VALID, DKIM_VALID_AU,HEADER_FROM_DIFFERENT_DOMAINS,MAILING_LIST_MULTI, SPF_HELO_NONE,SPF_PASS,T_SCC_BODY_TEXT_LINE autolearn=unavailable autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on morse.vger.email Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org X-Greylist: Sender passed SPF test, not delayed by milter-greylist-4.6.4 (morse.vger.email [0.0.0.0]); Wed, 13 Dec 2023 04:24:31 -0800 (PST) On Tue, Dec 12, 2023 at 05:02:43PM -0800, Deepak Gupta wrote: > On Tue, Dec 12, 2023 at 04:53:48PM -0800, Palmer Dabbelt wrote: > > On Tue, 12 Dec 2023 15:49:25 PST (-0800), debug@rivosinc.com wrote: > > > envcfg CSR defines enabling bits for cache management instructions and soon > > > will control enabling for control flow integrity and pointer masking features. > > > > > > Control flow integrity and pointer masking features need to be enabled on per > > > thread basis. Additionally, I believe cache management instructions need to be > > > enabled on per thread basis. As an example a seccomped task on riscv may be > > > restricted to not use cache management instructions > > > > Do we have anything in the kernel that actually does that? Generally we > > need some use, I couldn't find any user-mode writable envcfg bits in any > > extesions I looked at (admittidly just CFI and pointer masking), and > > unless I'm missing something there's no per-thread state in the kernel. > > > > Cache management operations? > As of now kernel blindly enables that for all the user mode. It will be good if > that is enabled on per-thread basis. Sure, all threads can have it enabled by > default. But if strict seccomp is enabled, I would argue that cache management > operations for that thread to be disabled as is done on other arches. As an > example x86 disable rdtsc on strict seccomp. RISCV allows this CMO extension > and I expect CMO to leverage this (currently it > doesn't). > > I was being opportunistic here so that I can reduce number of patches on CFI > enabling patchset. > > Will it be okay if I revise this patch to include with a usecase to restrict CMO > (say for case of strict seccomp on risc-v)? I opted to only expose cache block zero since giving userspace the ability to invalidate cache blocks seems risky from a side-channel attack perspective. I'm no security expert, so feedback welcome, but I don't see a risk with userspace being granted cbo.zero, even for strict seccomp processes. Thanks, drew