From: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
To: "Xing, Cedric" <cedric.xing@intel.com>
Cc: Andrew Cooper <andrew.cooper3@citrix.com>,
Jethro Beekman <jethro@fortanix.com>,
Dave Hansen <dave.hansen@intel.com>,
Sean Christopherson <sean.j.christopherson@intel.com>,
linux-sgx@vger.kernel.org, x86@kernel.org,
Haitao Huang <haitao.huang@linux.intel.com>,
Borislav Petkov <bp@alien8.de>,
Dave Hansen <dave.hansen@linux.intel.com>,
Andy Lutomirski <luto@amacapital.net>
Subject: Re: [PATCH] x86/vdso: Remove retpoline from SGX vDSO call
Date: Thu, 1 Oct 2020 00:36:25 +0300 [thread overview]
Message-ID: <20200930213625.GA66129@linux.intel.com> (raw)
In-Reply-To: <20200930212214.GD65339@linux.intel.com>
On Thu, Oct 01, 2020 at 12:22:20AM +0300, Jarkko Sakkinen wrote:
> On Wed, Sep 30, 2020 at 01:45:52PM -0700, Xing, Cedric wrote:
> > On 9/30/2020 12:25 PM, Jarkko Sakkinen wrote:
> > > On Wed, Sep 30, 2020 at 07:09:33PM +0100, Andrew Cooper wrote:
> > > > Honestly, my advice would be to leave it unprotected for now. Anyone
> > > > who managed to figure out the rest of the practical userspace issues
> > > > will probably have a much better idea of what can/should be done in this
> > > > case.
> > > >
> > > > If that doesn't sit well with people, then the next best would probably
> > > > be LFENCE; CALL *reg/mem; LFENCE to cover as many of the corner cases as
> > > > possible without being incompatible with CET. Its not as if this
> > > > callback is the slow aspect of entering/exiting SGX mode.
> > > >
> > > > ~Andrew
> > >
> > > I tend to agree. We cannot drive changes based on unknown unknowns.
> > >
> > > And I don't see why we could not add boot time patching of retpoline
> > > even after the code is in the mainline kernel, if something ever
> > > pushes to that direction.
> > >
> > > /Jarkko
> > >
> > I agree. It'll be compatible with CET. The overhead of LFENCE is negligible
> > comparing to entering/exiting SGX mode.
>
> Andrew's advice was to do "just call" as for now.
>
> If we add also lfence, what is the real-world threat scenario that we
> are protecting against that exposes a real visible risk that could harm
> the users of these patches?
>
> Please remember that:
>
> 1. We can assume that the usage model and implementation is for the
> callback is sane. It is something that is contained to the run-time
> and there is just one instance of the callback.
> 2. We can always harden this more later on.
>
> I do not want to add any extra bytes to the vDSO without any practical
> purpose and I also need to document this choice.
What if we just keep everything as it is? Why boot time patching
cannot be part of CET-SS patch set?
Why?
1. Full reptoline is the safest alternative and we have it done already.
2. Before CET-SS there is no *functional* need to do boot time patching.
The usual guideline is: do not add unused cruft to the kernel.
There is too much guesswork in other alternatives. If CET-SS actually
lands before SGX patches, then I'm happy to add in boot time patching.
AFAIK we actually could not add boot time patching without any
applications for it. That's incompatible with the common practices.
I'd leaving the code as it is and remark to the changelog that
CET-SS will require refining the reptoline to be optional.
/Jarkko
next prev parent reply other threads:[~2020-09-30 21:36 UTC|newest]
Thread overview: 16+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-09-30 14:01 [PATCH] x86/vdso: Remove retpoline from SGX vDSO call Jarkko Sakkinen
2020-09-30 14:08 ` Dave Hansen
2020-09-30 14:20 ` Jarkko Sakkinen
2020-09-30 14:33 ` Dave Hansen
2020-09-30 15:28 ` Jarkko Sakkinen
2020-09-30 15:43 ` Sean Christopherson
2020-09-30 16:28 ` Dave Hansen
2020-09-30 17:01 ` Jethro Beekman
2020-09-30 18:09 ` Andrew Cooper
2020-09-30 19:25 ` Jarkko Sakkinen
2020-09-30 20:45 ` Xing, Cedric
2020-09-30 21:22 ` Jarkko Sakkinen
2020-09-30 21:36 ` Jarkko Sakkinen [this message]
2020-09-30 21:46 ` Dave Hansen
2020-09-30 23:41 ` Jarkko Sakkinen
2020-09-30 16:38 ` Jarkko Sakkinen
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20200930213625.GA66129@linux.intel.com \
--to=jarkko.sakkinen@linux.intel.com \
--cc=andrew.cooper3@citrix.com \
--cc=bp@alien8.de \
--cc=cedric.xing@intel.com \
--cc=dave.hansen@intel.com \
--cc=dave.hansen@linux.intel.com \
--cc=haitao.huang@linux.intel.com \
--cc=jethro@fortanix.com \
--cc=linux-sgx@vger.kernel.org \
--cc=luto@amacapital.net \
--cc=sean.j.christopherson@intel.com \
--cc=x86@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.