From: Andi Kleen <ak@linux.intel.com>
To: speck@linutronix.de
Subject: [MODERATED] Re: [patch 07/11] [PATCH v2 07/10] Linux Patch #7
Date: Mon, 23 Apr 2018 15:18:54 -0700 [thread overview]
Message-ID: <20180423221854.GS6694@tassilo.jf.intel.com> (raw)
In-Reply-To: <alpine.LFD.2.21.999.1804231415001.18164@i7.lan>
On Mon, Apr 23, 2018 at 02:23:17PM -0700, speck for Linus Torvalds wrote:
>
>
> On Mon, 23 Apr 2018, speck for Konrad Rzeszutek Wilk wrote:
> > >
> > > Absolutely. That would be entirely crazy. Is there a known situation where
> > > that would actually make sense?
> >
> > For Skylake where they report via X86_FEATURE_ARCH_CAPABILITIES
> > RBSA Bit(2) (see 5.3 where they introduce it):
> >
> > https://software.intel.com/sites/default/files/managed/1d/46/Retpoline-A-Branch-Target-Injection-Mitigation.pdf
> >
> > Where they state that retpoline is not good enough for a list of "may"
> > conditions.
>
> Yeah, I'm not in the least interested in theory.
>
> Are there actual real attacks where it makes sense?
We don't know of any. It's all theory. And we know if it's possible
it's really really hard.
FWIW I spent quite some time writing fairly full coverage patches
for automatic deep call chain mitigation using function patching
(see [1] and [2]), but so far nobody has managed to do a exploit.
So I agree with you there is right now no good reason to pursue
anything beyond retpoline for v2 at this point.
If someone really manages a practical exploit we have options though.
> Anyway, I was wondering if there was any reason why we'd care for the
> store buffer bypass problem? The whole "run with store buffers in user
> space, disable them in kernel space" model seems insane.
MDD (or now called RDS) is a bit different than IBRS. IBRS requires
barrier semantics on every entry, so you absolutely have to take
the risk.
But RDS is actually a mode so if it's needed it would be possible
to use hysteresis: keep a counter and if there are too many
kernel entries in a jiffie just keep it on until the next timer interrupt,
reducing the overhead.
That would reduce the cost quite a bit over IBRS.
But right now we're in the same situation as with deep call chain.
It's all theory, but there are no practical exploits.
Based on that I don't think it makes sense to pursue this option
at this point. But if it's needed it will be not as bad as IBRS
with the right optimizations.
Right now the only realistic risk with MD is for JITs, so we
really need a way to disable it with a per process switch.
Disabling it globally is normally not a good idea because it can have
quite high performance overhead in some workloads.
We proposed to tie it to seccomp because many JITs already use
seccomp, so it would work transparently. There's one problem that if
some JIT doesn't use it already it may not want the restrictions
(in particularly the need to disable suid). But that could
be fixed with a simple tweak: don't require the suid restriction
if the seccomp program is only a single statement that allows
the sysscall. IMHO something like this needs to be added
to the MDD/RBS patches that are floating around.
-Andi
[1] https://git.kernel.org/pub/scm/linux/kernel/git/ak/linux-misc.git/log/?h=spec/ftrace-stuff-13
[2] https://github.com/andikleen/gcc/tree/instrument-return-gcc7-1
next prev parent reply other threads:[~2018-04-23 22:19 UTC|newest]
Thread overview: 38+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-04-20 2:25 [MODERATED] [patch 07/11] [PATCH v2 07/10] Linux Patch #7 konrad.wilk
2018-04-20 17:42 ` [MODERATED] " Borislav Petkov
2018-04-21 3:27 ` Konrad Rzeszutek Wilk
2018-04-21 9:03 ` Borislav Petkov
2018-04-21 12:21 ` Konrad Rzeszutek Wilk
2018-04-21 19:25 ` Borislav Petkov
2018-04-21 21:41 ` Linus Torvalds
2018-04-21 22:09 ` Borislav Petkov
2018-04-21 22:13 ` Jon Masters
2018-04-21 22:35 ` Borislav Petkov
2018-04-21 22:54 ` Jon Masters
2018-04-22 1:26 ` Linus Torvalds
2018-04-22 3:18 ` Jon Masters
2018-04-22 9:35 ` Borislav Petkov
2018-04-22 9:53 ` Jon Masters
2018-04-22 10:34 ` Borislav Petkov
2018-04-22 15:16 ` Jon Masters
2018-04-23 14:30 ` Thomas Gleixner
2018-04-23 14:34 ` [MODERATED] " Jon Masters
2018-04-23 17:06 ` Jon Masters
2018-04-23 17:51 ` Konrad Rzeszutek Wilk
2018-04-23 18:01 ` Jon Masters
2018-04-23 18:02 ` Jon Masters
2018-04-23 18:05 ` Linus Torvalds
2018-04-23 18:09 ` Jon Masters
2018-04-23 22:23 ` Thomas Gleixner
2018-04-23 22:30 ` [MODERATED] " Jiri Kosina
2018-04-23 23:03 ` Andi Kleen
2018-04-24 5:32 ` Jiri Kosina
2018-04-23 22:31 ` Andi Kleen
2018-04-24 0:44 ` Jon Masters
2018-04-23 23:36 ` Tim Chen
2018-04-23 21:13 ` Konrad Rzeszutek Wilk
2018-04-23 21:23 ` Linus Torvalds
2018-04-23 21:33 ` Jiri Kosina
2018-04-23 22:18 ` Andi Kleen [this message]
2018-04-24 0:34 ` Jon Masters
2018-04-21 22:09 ` Jon Masters
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20180423221854.GS6694@tassilo.jf.intel.com \
--to=ak@linux.intel.com \
--cc=speck@linutronix.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.