Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Content-Type: text/plain;
        charset=us-ascii
Mime-Version: 1.0 (1.0)
Subject: Re: [PATCH 42/43] x86/mm/kaiser: Allow KAISER to be enabled/disabled at runtime
From:   Andy Lutomirski <luto@amacapital.net>
In-Reply-To: <alpine.DEB.2.20.1711252100010.2316@nanos>
Date:   Sat, 25 Nov 2017 15:10:54 -0700
Cc:     Ingo Molnar <mingo@kernel.org>, linux-kernel@vger.kernel.org,
        Dave Hansen <dave.hansen@linux.intel.com>,
        "H . Peter Anvin" <hpa@zytor.com>,
        Peter Zijlstra <peterz@infradead.org>,
        Borislav Petkov <bp@alien8.de>,
        Linus Torvalds <torvalds@linux-foundation.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <A04ECEDE-7EDA-41AE-8ED5-DFD473827C2A@amacapital.net>
References: <20171124172411.19476-1-mingo@kernel.org> <20171124172411.19476-43-mingo@kernel.org> <alpine.DEB.2.20.1711252002550.2316@nanos> <47186975-1DCB-4767-8C4C-0816931E3595@amacapital.net> <alpine.DEB.2.20.1711252100010.2316@nanos>
To:     Thomas Gleixner <tglx@linutronix.de>
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk


> On Nov 25, 2017, at 1:05 PM, Thomas Gleixner <tglx@linutronix.de> wrote:
>=20
> On Sat, 25 Nov 2017, Andy Lutomirski wrote:
>>>> On Nov 25, 2017, at 12:18 PM, Thomas Gleixner <tglx@linutronix.de> wrot=
e:
>>>> On Fri, 24 Nov 2017, Ingo Molnar wrote:
>>>>=20
>>>> From: Dave Hansen <dave.hansen@linux.intel.com>
>>>>=20
>>>> The KAISER CR3 switches are expensive for many reasons.  Not all system=
s
>>>> benefit from the protection provided by KAISER.  Some of them can not
>>>> pay the high performance cost.
>>>>=20
>>>> This patch adds a debugfs file.  To disable KAISER, you do:
>>>>=20
>>>>   echo 0 > /sys/kernel/debug/x86/kaiser-enabled
>>>>=20
>>>> and to re-enable it, you can:
>>>>=20
>>>>   echo 1 > /sys/kernel/debug/x86/kaiser-enabled
>>>>=20
>>>> This is a *minimal* implementation.  There are certainly plenty of
>>>> optimizations that can be done on top of this by using ALTERNATIVES
>>>> among other things.
>>>=20
>>> It's not only minimal. It's naive and broken. That thing explodes when
>>> toggled in the wrong moment. I did not even attempt to debug that, becau=
se
>>> I think the approach is wrong.
>>>=20
>>> If you really want to make it runtime switchable, then:
>>>=20
>>> - the shadow tables need to be updated unconditionally. I did not check
>>>  whether thats done right now, but explosions are simpler to achieve whe=
n
>>>  switching it back on. Though switching it off crashes as well.
>>>=20
>>> - you need to make sure that no task is in user space or on the way to i=
t.
>>>  The much I hate stop_machine(), that's probably the right tool.
>>>  Once everything is in stomp_machine() the switch can be flipped.
>>>=20
>>> - the poisoning/unpoisoning of the kernel tables does not need to be don=
e
>>>  from stop_machine(). That can be done from regular context with a TIF
>>>  flag, so you can make sure that every task is up to date before
>>>  returning to user space. Though that needs a lot of thought.
>>>=20
>>> For now I really want to see that removed entirely and replaced by a sim=
ple
>>> boot time switch. We can use the global variable for now and optimize it=

>>> later on.
>>>=20
>>=20
>> Nah, let's do it right: use either X86_FEATURE_WHATEVER or a
>> static_branch.  We have nice asm support for both.
>=20
> Agreed.
>=20
>> Keep in mind that, for a static_branch, actually setting the thing needs
>> to be deferred, but that's straightforward.
>=20
> That's not an issue during boot. That would be an issue for a run time
> switch.

What I mean is: if you modify a static_branch too early, it blows up terribl=
y.=

From 1585069855137416978@xxx Sat Nov 25 20:06:50 +0000 2017
X-GM-THRID: 1584938674415532731
X-Gmail-Labels: Inbox,Category Forums,HistoricalUnread