From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mail.linutronix.de (193.142.43.55:993) by crypto-ml.lab.linutronix.de with IMAP4-SSL for ; 26 Nov 2019 18:25:21 -0000 Received: from mga04.intel.com ([192.55.52.120]) by Galois.linutronix.de with esmtps (TLS1.2:DHE_RSA_AES_256_CBC_SHA256:256) (Exim 4.80) (envelope-from ) id 1iZfWa-00029L-F3 for speck@linutronix.de; Tue, 26 Nov 2019 19:25:20 +0100 Date: Tue, 26 Nov 2019 10:23:12 -0800 From: Andi Kleen Subject: [MODERATED] Re: LVI Message-ID: <20191126182312.GH84886@tassilo.jf.intel.com> References: <20191119174008.7dbymix2eo4mrv57@treble> <20191126005417.GG84886@tassilo.jf.intel.com> <20191126103722.GC1418669@kroah.com> MIME-Version: 1.0 In-Reply-To: <20191126103722.GC1418669@kroah.com> Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: 7bit To: speck@linutronix.de List-ID: On Tue, Nov 26, 2019 at 11:37:22AM +0100, speck for Greg KH wrote: > > We already spent a lot of time looking for those in the past and fixing the few > > found. Tony did an additional full tree audit, and the only additional case > > found was in Infiniband. The patch for this is already upstream for some time > > ("61f259821dd3306e49: IB/core: Add mitigation for Spectre V1") > > What's to keep these types of things coming back into our tree? Do we > have anything that can scan for them yet? AFAIK both coverity and smatch have some checks, but I'm not sure how good they are (well and how high the false positive rate is). So far we're mostly relying on code review. But yes this is an area that could probably be improved. Might be good to have a discussion on that on the public mailing list for Spectre v1. > > > So in summary, on modern CPUs (BDW+) STAC/CLAC mitigates LVIs, and on older CPUs the > > Spectre V1 mitigation. > > So, all is good and the researchers can release their paper now and get > on with their lives? Or is there something that we still need to do > here? I believe so from the kernel perspective. > > Do you have the PoC to share with us so that we can verify all of this? I don't. > > > The only real active (and messy) mitigation for LVI needed is when you're creating > > SGX enclaves, but I assume noone here is interested in that. > > We don't care, no, but do our users? I think some of them used to, > before it was found to not be useful at all :) Some users will care, we have SGX users using the out of tree drivers. But this will be handled through separate avenues. The users generally use the Intel SGX SDK to build their enclaves, and there will be a new release of that. The SGX kernel drivers don't need any changes. -Andi