Date: Thu, 11 Apr 2024 23:28:44 -0700
From: Pawan Gupta
To: Josh Poimboeuf
Cc: x86@kernel.org, linux-kernel@vger.kernel.org, Linus Torvalds, Daniel Sneddon, Thomas Gleixner, Alexandre Chartre, Konrad Rzeszutek Wilk, Peter Zijlstra, Greg Kroah-Hartman, Sean Christopherson, Andrew Cooper, Dave Hansen, Nikolay Borisov, KP Singh, Waiman Long, Borislav Petkov
Subject: Re: [PATCH 5/7] x86/bugs: Only harden syscalls when needed
Message-ID: <20240412062844.p5j33tmqjggladgl@desk>
In-Reply-To: <97befd7c1e008797734dee05181c49056ff6de57.1712813475.git.jpoimboe@kernel.org>

On Wed, Apr 10, 2024 at 10:40:49PM -0700, Josh Poimboeuf wrote:
> Syscall hardening (i.e., converting the syscall indirect branch to a
> series of direct branches) may cause performance regressions in certain
> scenarios. Only use the syscall hardening when indirect branches are
> considered unsafe.
>
> Fixes: 1e3ad78334a6 ("x86/syscall: Don't force use of indirect calls for system calls")
> Signed-off-by: Josh Poimboeuf > --- > arch/x86/entry/common.c | 30 +++++++++++++++++++++++++--- > arch/x86/entry/syscall_32.c | 11 +--------- > arch/x86/entry/syscall_64.c | 8 +------- > arch/x86/entry/syscall_x32.c | 7 ++++++- > arch/x86/include/asm/cpufeatures.h | 1 + > arch/x86/include/asm/syscall.h | 8 +++++++- > arch/x86/kernel/cpu/bugs.c | 32 +++++++++++++++++++++++++++++- > 7 files changed, 74 insertions(+), 23 deletions(-) > > diff --git a/arch/x86/entry/common.c b/arch/x86/entry/common.c > index 6de50b80702e..80d432d2fe44 100644 > --- a/arch/x86/entry/common.c > +++ b/arch/x86/entry/common.c > @@ -39,6 +39,28 @@ > > #ifdef CONFIG_X86_64 > > +/* > + * Do either a direct or an indirect call, depending on whether indirect calls > + * are considered safe. > + */ > +#define __do_syscall(table, func_direct, nr, regs) \ > +({ \ > + unsigned long __rax, __rdi, __rsi; \ > + \ > + asm_inline volatile( \ > + ALTERNATIVE("call " __stringify(func_direct) "\n\t", \ > + ANNOTATE_RETPOLINE_SAFE \ > + "call *%[func_ptr]\n\t", \ > + X86_FEATURE_INDIRECT_SAFE) \ > + : "=D" (__rdi), "=S" (__rsi), "=a" (__rax), \ > + ASM_CALL_CONSTRAINT \ > + : "0" (regs), "1" (nr), [func_ptr] "r" (table[nr]) \ > + : "rdx", "rcx", "r8", "r9", "r10", "r11", \ > + "cc", "memory"); \ > + \ > + __rax; \ > +})

This is a nice implementation, but I think we can avoid the complexity by using cpu_feature_enabled(). As cpu_feature_enabled() is also runtime patched, at least the likely() path should be comparable to this. Please let me know if you have any concerns with this approach.

--- diff --git a/arch/x86/entry/common.c b/arch/x86/entry/common.c index 6de50b80702e..7c5332b83246 100644 --- a/arch/x86/entry/common.c +++ b/arch/x86/entry/common.c 
@@ -49,7 +49,11 @@ static __always_inline bool do_syscall_x64(struct pt_regs *regs, int nr) if (likely(unr < NR_syscalls)) { unr = array_index_nospec(unr, NR_syscalls); - regs->ax = x64_sys_call(regs, unr); + if (likely(cpu_feature_enabled(X86_FEATURE_INDIRECT_SAFE))) + regs->ax = sys_call_table[unr](regs); + else + regs->ax = x64_sys_call(regs, unr); + return true; } return false; @@ -66,7 +70,11 @@ static __always_inline bool do_syscall_x32(struct pt_regs *regs, int nr) if (IS_ENABLED(CONFIG_X86_X32_ABI) && likely(xnr < X32_NR_syscalls)) { xnr = array_index_nospec(xnr, X32_NR_syscalls); - regs->ax = x32_sys_call(regs, xnr); + if (likely(cpu_feature_enabled(X86_FEATURE_INDIRECT_SAFE))) + regs->ax = x32_sys_call_table[xnr](regs); + else + regs->ax = x32_sys_call(regs, xnr); + return true; } return false; @@ -162,7 +170,10 @@ static __always_inline void do_syscall_32_irqs_on(struct pt_regs *regs, int nr) if (likely(unr < IA32_NR_syscalls)) { unr = array_index_nospec(unr, IA32_NR_syscalls); - regs->ax = ia32_sys_call(regs, unr); + if (likely(cpu_feature_enabled(X86_FEATURE_INDIRECT_SAFE))) + regs->ax = ia32_sys_call_table[unr](regs); + else + regs->ax = ia32_sys_call(regs, unr); } else if (nr != -1) { regs->ax = __ia32_sys_ni_syscall(regs); }
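
Review bot: In the quoted `__do_syscall()` hunk (`@@ -39,6 +39,28 @@`), the input operand `[func_ptr] "r" (table[nr])` sits outside the ALTERNATIVE, so the table entry is loaded even when the direct `call func_direct` variant is the one patched in, and the macro does not bound `nr` itself. The comment above the macro should say that callers must pass an `nr` that has already been range-checked and clamped (the call sites in this file do that with `array_index_nospec()`), and whether the unconditional load on the hardened path is intended.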
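
Review bot: In the `do_syscall_x64()` hunk (`@@ -49,7 +49,11 @@`), the new C-level call `regs->ax = sys_call_table[unr](regs);` has no counterpart to the `ANNOTATE_RETPOLINE_SAFE` that the quoted macro places on its `call *%[func_ptr]`, so the form of the emitted call (raw indirect call or thunk) is left to the compiler and build options rather than fixed by the source. The changelog or a comment at this line should state which form is expected when `X86_FEATURE_INDIRECT_SAFE` is set, since that is the path the "comparable to this" performance argument rests on.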
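
Review bot: The `do_syscall_x32()` hunk (`@@ -66,7 +70,11 @@`) references `x32_sys_call_table[xnr]`, but this diff touches only `arch/x86/entry/common.c`, while the quoted diffstat shows the original patch also changing `syscall_32.c`, `syscall_64.c`, `syscall_x32.c` and `asm/syscall.h`. Please state which parts of the original patch this is meant to sit on top of, or include the table definitions and declarations it needs, so the proposal can be built and compared on its own.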
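
Review bot: The `do_syscall_32_irqs_on()` hunk (`@@ -162,7 +170,10 @@`) is the third open-coded copy of the same `if (likely(cpu_feature_enabled(X86_FEATURE_INDIRECT_SAFE))) ... else ...` dispatch, differing only in the table and the direct-call function. A single `__always_inline` helper or macro taking the table and the direct function would keep the three sites in sync and give one place to document why `likely()` is used, given that the hardened `else` branch is the one taken on CPUs where indirect branches are considered unsafe.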