From mboxrd@z Thu Jan 1 00:00:00 1970
Return-path:
Received: from mga07.intel.com ([134.134.136.100]) by Galois.linutronix.de with esmtps (TLS1.2:DHE_RSA_AES_256_CBC_SHA256:256) (Exim 4.80) (envelope-from ) id 1fAkUQ-0001z1-Ms for speck@linutronix.de; Tue, 24 Apr 2018 01:03:19 +0200
Date: Mon, 23 Apr 2018 16:03:13 -0700
From: Andi Kleen
Subject: [MODERATED] Re: [patch 07/11] [PATCH v2 07/10] Linux Patch #7
Message-ID: <20180423230313.GV6694@tassilo.jf.intel.com>
References: <2c7fa188-cd84-1a10-56cb-358d3f859559@redhat.com> <20180422103456.GC32218@pd.tnic> <3d7880e7-6b67-b35a-a090-2854f7db54ff@redhat.com> <2184fc1b-dcbc-a40c-64da-4965c7c48faa@redhat.com> <20180423175151.GA21779@dhcp-10-159-147-220.vpn.oracle.com> <217e6c7c-29f9-d754-33ec-fcc541792aab@redhat.com>
MIME-Version: 1.0
In-Reply-To:
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
To: speck@linutronix.de
List-ID:

On Tue, Apr 24, 2018 at 12:30:50AM +0200, speck for Jiri Kosina wrote:
> On Tue, 24 Apr 2018, speck for Thomas Gleixner wrote:
>
> > 2) The prctl is a handwavy idea. The semantics are blurry at best. Is it
> > opt-in or opt-out? Which processes should set it? What's the chance
> > that the applications get actually patched? This is the ideal target
> > for bitrot.
>
> Exactly.
>
> My concern with this is:
>
> - if it's opt-in, no one will systematically keep adding support for this
> to all applications that might need it for the next XX years

Vulnerable applications that are not maintained will be vulnerable to
other issues anyways. e.g. Spectre v1 always needs application-specific
fixes, and v1 is far easier to exploit anyways than the speculative store
bypass.

So yes, if something is not maintained it will not be fixed.

The key point is to have the right options for applications that are
properly maintained. For distributions you would be on the hook for
backporting the right patches.

> - if it's opt-out, there are techniques that a malicious attacker can use
> to first trick the vulnerable app to call the prctl() (which still
> doesn't cross the security domain of the particular application) and
> then attack kernel (or other app) through MD (which does cross that
> boundary)

That's silly. If you can execute arbitrary code like prctl already then
you don't need anything of Spectre. You already have far easier options
to take over the program.

-Andi