Received: by 2002:a05:7412:8d10:b0:f3:1519:9f41 with SMTP id bj16csp5275722rdb;
        Wed, 13 Dec 2023 04:24:33 -0800 (PST)
X-Google-Smtp-Source: AGHT+IEtOmf5tmFkb4CKkD0t43wySDENf28AU3JCubIsniXAordTzwqZS1hTjOeoLv1fqnY8JyXz
X-Received: by 2002:a17:902:bd88:b0:1d0:4706:60fc with SMTP id q8-20020a170902bd8800b001d0470660fcmr7310738pls.17.1702470273296;
        Wed, 13 Dec 2023 04:24:33 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1702470273; cv=none;
        d=google.com; s=arc-20160816;
        b=y/QsQKrsn6wFQ3E1mxHcVnV8Z80/ujq5JJwGOO523kD5U6Sn7k4LbgbmBW591I2rkV
         ORdkSTQneBGoyynfyi4IIVQwWmpWDH/UYGfgIk1S8A4KHSoPJHOTpzXCR9rWutMKeMNy
         U7lXt9vkLcNmRYzZqrFC7tFBRsGF56t67LFx7zBQBUhir5dIRRhHqVr0b9ibr+aGY5iZ
         Hk4do1YOAr58iphJt4HH6q9+wHZdTAj1AJwRHeLzzka9Zdfss9EbAa11411y5q1IFmpB
         yHjLsrjHjuNAFPmpGvp+DnpkgTXcW+JDUWElwNEXos4WYfGJqvwBlUQx+3E5r6B0ZvpE
         hncA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:in-reply-to:content-disposition:mime-version
         :references:message-id:subject:cc:to:from:date:dkim-signature;
        bh=/Do9us9KI9YVf91TMl8txltk4WC8U3fmMGLk20+eGOw=;
        fh=zS/Lm7HDLT6h1alh0mD7x0kJ16rGoxs8vPUpgoFxLvE=;
        b=uJTVI/AV+qyVRFfLnO2uzAOV6cx9G/5RdkKBqDFpWkzU5100lhd6SI2DvaAwejHyqn
         dTq2dJpuxuwcj1foLEfbLY0eMF9gg2Oq2NT7t5K3h+uDj+lSeafPzgyxG7UX0dTCWFNX
         dGWTyW28IqHC5k2UhEijXFt6HXpmHKkwR0nvRmkoGgs94wecJPc1PlOtr+f41z6xzJ1g
         3TbBS5OoIuFzHBv0lAtT3PsyPkBgnYrCRbsj/+4Hg6qgNo6BSjrRO7SCfV5qXAOWl4/E
         6kxLnpEiLlbmMYPdBdxlPEq8ITP+Oai7iYwHP6OvcQmqxkYC1gxP7JrYqkr46yl0yixJ
         bRhw==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@ventanamicro.com header.s=google header.b=IlCk1Bv8;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.31 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from morse.vger.email (morse.vger.email. [23.128.96.31])
        by mx.google.com with ESMTPS id u13-20020a170902e5cd00b001cfc01dc055si9728945plf.57.2023.12.13.04.24.32
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Wed, 13 Dec 2023 04:24:33 -0800 (PST)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.31 as permitted sender) client-ip=23.128.96.31;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@ventanamicro.com header.s=google header.b=IlCk1Bv8;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.31 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: from out1.vger.email (depot.vger.email [IPv6:2620:137:e000::3:0])
	by morse.vger.email (Postfix) with ESMTP id D63B78040D68;
	Wed, 13 Dec 2023 04:24:30 -0800 (PST)
X-Virus-Status: Clean
X-Virus-Scanned: clamav-milter 0.103.11 at morse.vger.email
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1377618AbjLMMYQ (ORCPT
        <rfc822;aditya.jainadityajain.jain@gmail.com> + 99 others);
        Wed, 13 Dec 2023 07:24:16 -0500
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:48010 "EHLO
        lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1377400AbjLMMYP (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Wed, 13 Dec 2023 07:24:15 -0500
Received: from mail-wm1-x334.google.com (mail-wm1-x334.google.com [IPv6:2a00:1450:4864:20::334])
        by lindbergh.monkeyblade.net (Postfix) with ESMTPS id E642FCF
        for <linux-kernel@vger.kernel.org>; Wed, 13 Dec 2023 04:24:21 -0800 (PST)
Received: by mail-wm1-x334.google.com with SMTP id 5b1f17b1804b1-40c32df9174so59986375e9.3
        for <linux-kernel@vger.kernel.org>; Wed, 13 Dec 2023 04:24:21 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=ventanamicro.com; s=google; t=1702470260; x=1703075060; darn=vger.kernel.org;
        h=in-reply-to:content-disposition:mime-version:references:message-id
         :subject:cc:to:from:date:from:to:cc:subject:date:message-id:reply-to;
        bh=/Do9us9KI9YVf91TMl8txltk4WC8U3fmMGLk20+eGOw=;
        b=IlCk1Bv8B+MsKoDZk7TyTUFP1ksnlXbm7VYIUSuyZ+bOkGfz9UtosGWiY8UClofvxU
         5N2fXi1cBlAou57GWZIrSC9aU67ZGljTffUKWKYghqsFYTPzsdzpTzmqy9nPHI4C4Gf+
         LAsGayOphK3ALb3LS5uAbDRH05Gc0qo76FrDBHKCp3fMWAsJ03d9YqIAQv4Q7Ep7uPFP
         lpAlx4lzUVOxw+LK6wrJwJiQQkqhyLS5QlznEJo/jtlFxgowrMvfTzoIPGK870omKuHO
         CNC2Qgqm/WIAabhG1fK2bQR1SRAYjhI+9Ctb7mhZeHq7Z/C6eiDbt3shzIqvzYd6UIg4
         rPTQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20230601; t=1702470260; x=1703075060;
        h=in-reply-to:content-disposition:mime-version:references:message-id
         :subject:cc:to:from:date:x-gm-message-state:from:to:cc:subject:date
         :message-id:reply-to;
        bh=/Do9us9KI9YVf91TMl8txltk4WC8U3fmMGLk20+eGOw=;
        b=CqXW035gEEl8cSIbjgzzMOMIx2Du+BRF1gjXeSmgdmEtuqoxv1hsLo8wrbolUPScPl
         d2xRkHx4g7ERCV+HOZf1aXCF2pdGmbCj+juHEuR4U6a3yHq0HMJDYZo5CATG4pYcF3KC
         fI2NF0eQ5DCSxq3CyhpFSqewkmPZMICNoj+XOjaSL5IXT8kl+I/V5QeR9/HaA89CdBE5
         DA24ttoKyGtxYoPDdaX0w1bFcP1/b3cXUOGhqcLerUg+p6zMQz5xUkpUgboQQprw/3Ty
         Op8UAdb8/CEOdfHGsLNIYa/xpza+zE2FDGvdkTstzf0jgzizGQPfqT/PB1+PSWB3iR0Y
         Pe1A==
X-Gm-Message-State: AOJu0YxJJpx5idiiaxpQW/P443sK/5O4a/UFQc4YboZzZUAiRB6ClcPY
        R/mT94jxck9UZP8R93mECr9o7Q==
X-Received: by 2002:a05:600c:1715:b0:40b:5e21:c5cd with SMTP id c21-20020a05600c171500b0040b5e21c5cdmr2457031wmn.155.1702470260169;
        Wed, 13 Dec 2023 04:24:20 -0800 (PST)
Received: from localhost (2001-1ae9-1c2-4c00-20f-c6b4-1e57-7965.ip6.tmcz.cz. [2001:1ae9:1c2:4c00:20f:c6b4:1e57:7965])
        by smtp.gmail.com with ESMTPSA id fl9-20020a05600c0b8900b0040b43da0bbasm20393302wmb.30.2023.12.13.04.24.19
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Wed, 13 Dec 2023 04:24:19 -0800 (PST)
Date:   Wed, 13 Dec 2023 13:24:18 +0100
From:   Andrew Jones <ajones@ventanamicro.com>
To:     Deepak Gupta <debug@rivosinc.com>
Cc:     Palmer Dabbelt <palmer@dabbelt.com>,
        Paul Walmsley <paul.walmsley@sifive.com>,
        aou@eecs.berkeley.edu, apatel@ventanamicro.com, guoren@kernel.org,
        mchitale@ventanamicro.com, waylingii@gmail.com,
        greentime.hu@sifive.com, samitolvanen@google.com,
        Bjorn Topel <bjorn@rivosinc.com>,
        Conor Dooley <conor.dooley@microchip.com>,
        jeeheng.sia@starfivetech.com, Heiko Stuebner <heiko@sntech.de>,
        Evan Green <evan@rivosinc.com>, jszhang@kernel.org,
        cleger@rivosinc.com, linux-riscv@lists.infradead.org,
        linux-kernel@vger.kernel.org
Subject: Re: [PATCH v1 2/2] riscv: envcfg save and restore on trap entry/exit
Message-ID: <20231213-707b4e8b5a91ceedd557eb12@orel>
References: <20231212235003.2036221-1-debug@rivosinc.com>
 <mhng-ae72b5fd-358d-48e2-87cf-f571b67afe9e@palmer-ri-x1c9a>
 <ZXkCs9ypok5X/Wx2@debug.ba.rivosinc.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <ZXkCs9ypok5X/Wx2@debug.ba.rivosinc.com>
X-Spam-Status: No, score=-0.9 required=5.0 tests=DKIM_SIGNED,DKIM_VALID,
	DKIM_VALID_AU,HEADER_FROM_DIFFERENT_DOMAINS,MAILING_LIST_MULTI,
	SPF_HELO_NONE,SPF_PASS,T_SCC_BODY_TEXT_LINE autolearn=unavailable
	autolearn_force=no version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on morse.vger.email
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
X-Greylist: Sender passed SPF test, not delayed by milter-greylist-4.6.4 (morse.vger.email [0.0.0.0]); Wed, 13 Dec 2023 04:24:31 -0800 (PST)

On Tue, Dec 12, 2023 at 05:02:43PM -0800, Deepak Gupta wrote:
> On Tue, Dec 12, 2023 at 04:53:48PM -0800, Palmer Dabbelt wrote:
> > On Tue, 12 Dec 2023 15:49:25 PST (-0800), debug@rivosinc.com wrote:
> > > envcfg CSR defines enabling bits for cache management instructions and soon
> > > will control enabling for control flow integrity and pointer masking features.
> > > 
> > > Control flow integrity and pointer masking features need to be enabled on per
> > > thread basis. Additionally, I believe cache management instructions need to be
> > > enabled on per thread basis. As an example a seccomped task on riscv may be
> > > restricted to not use cache management instructions
> > 
> > Do we have anything in the kernel that actually does that?  Generally we
> > need some use, I couldn't find any user-mode writable envcfg bits in any
> > extesions I looked at (admittidly just CFI and pointer masking), and
> > unless I'm missing something there's no per-thread state in the kernel.
> > 
> 
> Cache management operations?
> As of now kernel blindly enables that for all the user mode. It will be good if
> that is enabled on per-thread basis. Sure, all threads can have it enabled by
> default. But if strict seccomp is enabled, I would argue that cache management
> operations for that thread to be disabled as is done on other arches. As an
> example x86 disable rdtsc on strict seccomp. RISCV allows this CMO extension
> and I expect CMO to leverage this (currently it
> doesn't).
> 
> I was being opportunistic here so that I can reduce number of patches on CFI
> enabling patchset.
> 
> Will it be okay if I revise this patch to include with a usecase to restrict CMO
> (say for case of strict seccomp on risc-v)?

I opted to only expose cache block zero since giving userspace the
ability to invalidate cache blocks seems risky from a side-channel attack
perspective.

I'm no security expert, so feedback welcome, but I don't see a risk with
userspace being granted cbo.zero, even for strict seccomp processes.

Thanks,
drew