Received: by 2002:a05:6358:1087:b0:cb:c9d3:cd90 with SMTP id j7csp7607927rwi;
        Mon, 24 Oct 2022 17:34:10 -0700 (PDT)
X-Google-Smtp-Source: AMsMyM6Kxn3UItlOAnjoUH+O5o90BpoOR24JgWr5fePirb7UI/bv01MQ3u6Bp0XG0YPiiCSr0w7K
X-Received: by 2002:a17:907:1b22:b0:741:8809:b4e6 with SMTP id mp34-20020a1709071b2200b007418809b4e6mr30255074ejc.84.1666658049920;
        Mon, 24 Oct 2022 17:34:09 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1666658049; cv=none;
        d=google.com; s=arc-20160816;
        b=gxuQlhZpME0OjwI04MC92PP5GIzFsaRy3TYFirVZRTWYem8m9+TXiHa5gjKmyK3KM+
         81mpncBoCmvDG8Umgiy41bAunxt1ND96y449vQnT/bLDVmgGuSbmg1wkr28JM3aHyaBK
         YVh2cHTGSDOi1Nmxs0XhDPb6lD6OX2RRl+icHUJw1sakhD4ljZNt7ehHE6iyzjbCDS1I
         KN0MnXPfx8G0Y8d93i0awpavc/TJZD64tpdgGu6FG8sc/KnvA+fNjE1sBQL7mkhSmTrC
         e8EXo2LJgnXx/Tg0FmBuLtH9rv7VWbiLwPdNas0Bj2Isey+5Jtqw9rw43w00h6S6/8QX
         B3pA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:content-transfer-encoding:mime-version
         :message-id:date:subject:cc:to:from:dkim-signature;
        bh=zoKGiUvkYB4zOzXNO7fRF02dU96WAXoiMKIBfy+bRME=;
        b=f7lbxSMwv539qIxzsWHExnQxjbO7SNicjhhjPhw5LslaOhB1Cejb1YmCy2oI4SC0p6
         L+sM+mTNdLRF1tNHIsV3+AoHBNQGCKOH0tVruYOunSL79TgBDWZEa5wak/7DNNIftfpu
         eObRCPmJD7UKMD5l8HGQ/1wBpmVXYYfQhHjShl+r1ThkFnGKJyeVt+M6bGUJlW8yjtc2
         yn4bwaXq/qkIZqeWlNmQpqzZmVWO5jUQlQJV7ysEUfkg5JFpTSP3BFCqIb+w8mXviX2k
         LMfo8v6Qx3eId08LfcJPZbo8dab8gxVSo40pJYqFLSrrSpPK2pLRr6ls0wZ592QI9Q5f
         iIcQ==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@intel.com header.s=Intel header.b=IphW3CK6;
       spf=pass (google.com: domain of linux-wireless-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-wireless-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=intel.com
Return-Path: <linux-wireless-owner@vger.kernel.org>
Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20])
        by mx.google.com with ESMTP id a25-20020a170906469900b00782069599b8si973267ejr.379.2022.10.24.17.33.50;
        Mon, 24 Oct 2022 17:34:09 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-wireless-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@intel.com header.s=Intel header.b=IphW3CK6;
       spf=pass (google.com: domain of linux-wireless-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-wireless-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=intel.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S231156AbiJYAdd (ORCPT <rfc822;mudongliangabcd@gmail.com>
        + 65 others); Mon, 24 Oct 2022 20:33:33 -0400
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:57736 "EHLO
        lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S230381AbiJYAdJ (ORCPT
        <rfc822;linux-wireless@vger.kernel.org>);
        Mon, 24 Oct 2022 20:33:09 -0400
Received: from mga09.intel.com (mga09.intel.com [134.134.136.24])
        by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 3060820347;
        Mon, 24 Oct 2022 15:57:56 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple;
  d=intel.com; i=@intel.com; q=dns/txt; s=Intel;
  t=1666652281; x=1698188281;
  h=from:to:cc:subject:date:message-id:mime-version:
   content-transfer-encoding;
  bh=/QFYcqzzhog465CEp7hJCINJC63rwNPJ/l0XxVVSM6g=;
  b=IphW3CK6tjTAbqJpyvEU5yD+tVjeukfE0aGA9BR5AnSK/KieuDcM1yT8
   5ebACnvzZEQ4A4odoBErIgAmiIuTzSLVj6oF28kClfGeOrIX39sYggBeZ
   tIP/09DEy6WgTrX29qzOIEi1GXRNgnP2x9u0ypx24JpCdddvoyhEfz9SJ
   MQ/Nc30R4B4Vz/x6Jfw8o1DtKcZvFGmLhrO7GmJNXdIVs8ugOpUy2ZZ+j
   pHTSvedNCrVFEYZ3yLIi2hXt/0dmT4SxE3L5dLyHxerecemflRhzJDEk5
   yjyDN6y4zwx7NzCftQUKAmVhb6f2IJfmpSfw9HgPmj9Y8ca7OrLfHtxOR
   w==;
X-IronPort-AV: E=McAfee;i="6500,9779,10510"; a="308633271"
X-IronPort-AV: E=Sophos;i="5.95,210,1661842800"; 
   d="scan'208";a="308633271"
Received: from orsmga006.jf.intel.com ([10.7.209.51])
  by orsmga102.jf.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 24 Oct 2022 15:57:56 -0700
X-IronPort-AV: E=McAfee;i="6500,9779,10510"; a="609363400"
X-IronPort-AV: E=Sophos;i="5.95,210,1661842800"; 
   d="scan'208";a="609363400"
Received: from pkearns-mobl1.amr.corp.intel.com (HELO guptapa-desk.intel.com) ([10.252.131.64])
  by orsmga006-auth.jf.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 24 Oct 2022 15:57:55 -0700
From:   Pawan Gupta <pawan.kumar.gupta@linux.intel.com>
To:     scott.d.constable@intel.com, daniel.sneddon@linux.intel.com,
        Jakub Kicinski <kuba@kernel.org>, dave.hansen@intel.com,
        Johannes Berg <johannes@sipsolutions.net>,
        Paolo Abeni <pabeni@redhat.com>,
        antonio.gomez.iglesias@linux.intel.com,
        "David S. Miller" <davem@davemloft.net>,
        Eric Dumazet <edumazet@google.com>
Cc:     linux-wireless@vger.kernel.org, linux-kernel@vger.kernel.org,
        x86@kernel.org, gregkh@linuxfoundation.org, netdev@vger.kernel.org
Subject: [RFC PATCH 0/2] Branch Target Injection (BTI) gadget in minstrel
Date:   Mon, 24 Oct 2022 15:57:45 -0700
Message-Id: <cover.1666651511.git.pawan.kumar.gupta@linux.intel.com>
X-Mailer: git-send-email 2.37.3
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
X-Spam-Status: No, score=-2.5 required=5.0 tests=AC_FROM_MANY_DOTS,BAYES_00,
        DKIMWL_WL_HIGH,DKIM_SIGNED,DKIM_VALID,DKIM_VALID_EF,RCVD_IN_DNSWL_MED,
        RCVD_IN_MSPIKE_H3,RCVD_IN_MSPIKE_WL,SPF_HELO_NONE,SPF_NONE
        autolearn=ham autolearn_force=no version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on
        lindbergh.monkeyblade.net
Precedence: bulk
List-ID: <linux-wireless.vger.kernel.org>
X-Mailing-List: linux-wireless@vger.kernel.org

Hi,

There is a theoretical possibility of using
minstrel_ht_get_expected_throughput() as a disclosure gadget for Branch
History Injection (BHI)/Intra-mode Branch Target Injection (IMBTI) [1].
Requesting feedback on the couple of patches that mitigates this.

First patch adds a generic speculation barrier. Second patch uses the
speculation barrier to mitigate BHI/IMBTI.

The other goal of this series is to start a discussion on whether such
hard to exploit, but theoretical possible attacks deems to be mitigated.

In general Branch Target Injection class of attacks involves an adversary
controlling an indirect branch target to misspeculate to a disclosure gadget.
For a successful attack an adversary also needs to control the register
contents used by the disclosure gadget.

Assuming preconditions are met, a disclosure gadget would transiently do
below:

  1. Loads an attacker chosen data from memory.
  2. Based on the data, modifies cache state that is observable by an attacker.

Although both these operations are architecturally invisible, the cache state
changes could be used to infer the data.

Disclosure gadget is mitigated by adding a speculation barrier.

Thanks,
Pawan

[1] https://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/technical-documentation/branch-history-injection.html

Pawan Gupta (2):
  nospec: Add a generic barrier_nospec()
  minstrel_ht: Mitigate BTI gadget minstrel_ht_get_expected_throughput()

 include/linux/nospec.h             | 4 ++++
 net/mac80211/rc80211_minstrel_ht.c | 9 +++++++++
 2 files changed, 13 insertions(+)

-- 
2.37.3