From: Willy Tarreau <w@1wt.eu>
To: Thomas Gleixner <tglx@linutronix.de>
Cc: Jon Masters <jcm@redhat.com>,
"Woodhouse, David" <dwmw@amazon.co.uk>,
Paolo Bonzini <pbonzini@redhat.com>,
Alan Cox <gnomes@lxorguk.ukuu.org.uk>,
Linus Torvalds <torvalds@linux-foundation.org>,
Andi Kleen <andi@firstfloor.org>,
Greg Kroah-Hartman <gregkh@linux-foundation.org>,
Tim Chen <tim.c.chen@linux.intel.com>,
Linux Kernel Mailing List <linux-kernel@vger.kernel.org>,
Dave Hansen <dave.hansen@intel.com>, Jeff Law <law@redhat.com>,
Nick Clifton <nickc@redhat.com>
Subject: Re: Avoid speculative indirect calls in kernel
Date: Fri, 5 Jan 2018 07:49:46 +0100 [thread overview]
Message-ID: <20180105064946.GA4007@1wt.eu> (raw)
In-Reply-To: <alpine.DEB.2.20.1801050153290.2127@nanos>
On Fri, Jan 05, 2018 at 01:54:13AM +0100, Thomas Gleixner wrote:
> On Thu, 4 Jan 2018, Jon Masters wrote:
> > P.S. I've an internal document where I've been tracking "nice to haves"
> > for later, and one of them is whether it makes sense to tag binaries as
> > "trusted" (e.g. extended attribute, label, whatever). It was something I
> > wanted to bring up at some point as potentially worth considering.
>
> Scratch that. There is no such thing as a trusted binary.
I disagree with you on this Thomas. "trusted" means "we agree to share the
risk this binary takes because it's critical to our service". When you
build a load balancing appliance on which 100% of the service is assured
by a single executable and the rest is just config management, you'd better
trust that process. If the binary or process cannot be trusted, the product
is dead anyway. It doesn't mean the binary is safe. It just means that for
the product there's nothing worse than its compromission or failure. And
when it suffers from the performance impact of workarounds supposed to
protect the whole device against this process' possible abuses, you
easily see how the situation becomes ridiculous.
We need to still think about performance a lot. There's already an ongoing
trend of kernel bypass mechanisms in the wild for performance reasons, and
the new increase of syscall costs will necessarily amplify this willingness
to avoid the kernel. I personally don't want to see the kernel being reduced
to booting and executing SSH to manage the machines.
Willy
next prev parent reply other threads:[~2018-01-05 6:56 UTC|newest]
Thread overview: 107+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-01-03 23:09 Avoid speculative indirect calls in kernel Andi Kleen
2018-01-03 23:09 ` [PATCH 01/11] x86/retpoline: Define retpoline indirect thunk and macros Andi Kleen
2018-01-03 23:09 ` [PATCH 02/11] x86/retpoline/crypto: Convert crypto assembler indirect jumps Andi Kleen
2018-01-03 23:09 ` [PATCH 03/11] x86/retpoline/entry: Convert entry " Andi Kleen
2018-01-03 23:09 ` [PATCH 04/11] x86/retpoline/ftrace: Convert ftrace " Andi Kleen
2018-01-03 23:09 ` [PATCH 05/11] x86/retpoline/hyperv: Convert " Andi Kleen
2018-01-03 23:09 ` [PATCH 06/11] x86/retpoline/crypto: Convert xen " Andi Kleen
2018-01-03 23:09 ` [PATCH 07/11] x86/retpoline/checksum32: Convert " Andi Kleen
2018-01-03 23:09 ` [PATCH 08/11] x86/retpoline/irq32: " Andi Kleen
2018-01-03 23:09 ` [PATCH 09/11] x86/retpoline: Finally enable retpoline for C code Andi Kleen
2018-01-04 8:28 ` Greg KH
2018-01-04 8:30 ` Dave Hansen
2018-01-03 23:09 ` [PATCH 10/11] retpoline/taint: Taint kernel for missing retpoline in compiler Andi Kleen
2018-01-04 0:29 ` Thomas Gleixner
2018-01-04 0:35 ` Randy Dunlap
2018-01-03 23:09 ` [PATCH 11/11] retpoline/objtool: Disable some objtool warnings Andi Kleen
2018-01-03 23:51 ` Avoid speculative indirect calls in kernel Linus Torvalds
2018-01-04 0:00 ` Alan Cox
2018-01-04 0:09 ` Andi Kleen
2018-01-04 0:12 ` Thomas Gleixner
2018-01-04 0:15 ` Andi Kleen
2018-01-04 0:19 ` Jiri Kosina
2018-01-05 2:01 ` james harvey
2018-01-05 10:40 ` Woodhouse, David
2018-01-05 12:29 ` james harvey
2018-01-05 12:06 ` Alan Cox
2018-01-04 0:29 ` Alan Cox
2018-01-04 0:31 ` Thomas Gleixner
2018-01-04 0:38 ` Alan Cox
2018-01-04 0:40 ` Andi Kleen
2018-01-04 8:15 ` Woodhouse, David
2018-01-04 15:53 ` Andi Kleen
2018-01-04 15:55 ` Woodhouse, David
2018-01-04 0:20 ` Linus Torvalds
2018-01-04 0:26 ` Thomas Gleixner
2018-01-04 0:18 ` David Lang
2018-01-04 1:00 ` Paul Turner
2018-01-04 1:41 ` Paolo Bonzini
2018-01-04 1:59 ` Alan Cox
2018-01-04 2:11 ` Paolo Bonzini
2018-01-04 8:20 ` Woodhouse, David
2018-01-04 11:42 ` Pavel Machek
2018-01-04 11:47 ` Woodhouse, David
2018-01-04 14:20 ` Paolo Bonzini
2018-01-04 14:51 ` Andrew Cooper
2018-01-04 15:29 ` Woodhouse, David
2018-01-04 15:32 ` Paolo Bonzini
2018-01-04 15:37 ` Andrew Cooper
2018-01-04 16:15 ` David Woodhouse
2018-01-04 20:00 ` Tom Lendacky
2018-01-04 20:05 ` David Woodhouse
2018-01-04 23:47 ` Tom Lendacky
2018-01-05 0:06 ` Andrew Cooper
2018-01-05 0:26 ` Tom Lendacky
2018-01-04 16:52 ` Andrea Arcangeli
2018-01-04 15:32 ` Paolo Bonzini
2018-01-04 16:25 ` Andrea Arcangeli
2018-01-04 17:04 ` Alan Cox
2018-01-04 17:40 ` Andrea Arcangeli
2018-01-04 17:13 ` Dave Hansen
2018-01-04 17:15 ` Paolo Bonzini
2018-01-04 18:05 ` Andrea Arcangeli
2018-01-04 14:55 ` Woodhouse, David
2018-01-04 18:24 ` Pavel Machek
2018-01-04 19:57 ` Jon Masters
2018-01-05 0:41 ` Jon Masters
2018-01-05 0:54 ` Thomas Gleixner
2018-01-05 4:11 ` Jon Masters
2018-01-05 9:59 ` Thomas Gleixner
2018-01-08 10:28 ` Andrea Arcangeli
2018-01-08 20:42 ` [tip:x86/pti] x86/tboot: Unbreak tboot with PTI enabled tip-bot for Dave Hansen
2018-01-08 20:53 ` Avoid speculative indirect calls in kernel Thomas Gleixner
2018-01-08 21:32 ` Andrea Arcangeli
2018-01-10 0:45 ` Thomas Gleixner
2018-01-10 1:11 ` Dave Hansen
2018-01-10 16:02 ` Thomas Gleixner
2018-01-05 6:49 ` Willy Tarreau [this message]
2018-01-05 6:57 ` Dave Hansen
2018-01-05 7:13 ` Willy Tarreau
2018-01-07 14:14 ` Borislav Petkov
2018-01-07 17:21 ` David Lang
2018-01-07 18:49 ` Borislav Petkov
2018-01-07 17:44 ` Willy Tarreau
2018-01-07 18:55 ` Borislav Petkov
2018-01-07 22:10 ` Willy Tarreau
2018-01-08 9:18 ` Thomas Gleixner
2018-01-08 9:29 ` Willy Tarreau
2018-01-08 16:22 ` Borislav Petkov
2018-01-08 16:53 ` Willy Tarreau
2018-01-05 12:12 ` Alan Cox
2018-01-09 1:44 ` Samir Bellabes
[not found] ` <CAL9bgJ8XNJgCtxR6+M+Vm9eDBVZ4Dyi_-Lt-Q1ei9N=TE2c6cg@mail.gmail.com>
2018-01-07 5:04 ` Fwd: " Kiernan Hager
2018-01-07 6:39 ` Willy Tarreau
2018-01-07 14:01 ` Alan Cox
2018-01-07 17:47 ` Willy Tarreau
2018-01-07 18:01 ` Ivan Ivanov
2018-01-07 18:16 ` Woodhouse, David
2018-01-04 11:26 ` Pavel Machek
2018-01-04 11:54 ` Alan Cox
2018-01-04 18:33 ` Linus Torvalds
2018-01-04 20:08 ` Jon Masters
-- strict thread matches above, loose matches on Subject: below --
2018-01-04 2:00 Andi Kleen
2018-01-04 11:49 ` Pavel Machek
2018-01-04 12:09 ` Alan Cox
2018-01-04 13:32 ` Pavel Machek
2018-01-12 8:20 Dr. Greg Wettstein
2018-02-23 21:10 Ywe Cærlyn
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20180105064946.GA4007@1wt.eu \
--to=w@1wt.eu \
--cc=andi@firstfloor.org \
--cc=dave.hansen@intel.com \
--cc=dwmw@amazon.co.uk \
--cc=gnomes@lxorguk.ukuu.org.uk \
--cc=gregkh@linux-foundation.org \
--cc=jcm@redhat.com \
--cc=law@redhat.com \
--cc=linux-kernel@vger.kernel.org \
--cc=nickc@redhat.com \
--cc=pbonzini@redhat.com \
--cc=tglx@linutronix.de \
--cc=tim.c.chen@linux.intel.com \
--cc=torvalds@linux-foundation.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.