From: Jon Masters <jcm@redhat.com>
To: speck@linutronix.de
Subject: [MODERATED] Re: L1D-Fault KVM mitigation
Date: Tue, 24 Apr 2018 11:10:30 -0400
Message-ID: <9649d701-6bc2-b127-2b22-924804ff569a@redhat.com>
In-Reply-To: <1524568571.8691.45.camel@infradead.org>

On 04/24/2018 07:16 AM, speck for David Woodhouse wrote:
> On Tue, 2018-04-24 at 13:04 +0200, speck for Peter Zijlstra wrote:
>> Not sure I'm following. The above assumes a sibling is running a
>> VCPU of another VM, right? But it could equally well run any regular
>> old task (including idle).

>> So only pausing siblings in VMX mode wouldn't help anything. The
>> !VMX tasks could still be loading stuff into L1.

> Er, yeah... I may have briefly forgotten that some people sometimes
> run actual userspace, not just VM guests.

:)

More than once over the past few months, I've pointed out that Annapurna
was the right way to go. Personally, I think the only possible way to
make any of this safe is by moving "all" userspace off host like AMZ.

> It's ring 3 *and* VMX non-root which would need to be paused on HT
> siblings. And it would need to be triggered on any transition back
> into the kernel from userspace too, not just vmexit. Which makes it a
> little bit harder.

The additional ucode hack (pausing the sibling thread) has been
discussed at some length already. It's a good idea, except for the host
side as you note, and there we have all manner of interrupts to handle.
In the case of a traditional OS on the host, that's a lot of code
happily pulling secrets into the L1 and lots of paths to track if we
wanted to do like one of the others (dunno if I can say who, but someone
is tracking all secrets loaded into the L1 and scrubbing them after, but
they also refactored enough other stuff to make that just about work).

On our end, we've discussed automatic handling at boot along the lines
that have been pondered this morning here. The problem is that you don't
want to penalize until people run KVM, and you don't want them to hot
unplug or do crazy things that might affect tunings (I already got shot
down, rightly, for suggesting that one). So, instead, it's going to have
to be messaging, and maybe tainting as insecure of some kind.

I've requested that RHEL's installer be modified to effectively add a
checkbox that defaults to enabled but very prominently offers to disable
HT if you're using virtualization. We'll then need some guidance
coordinated across the industry that for total security (even in the
face of some of the gang scheduling proposals) you need to !HT.

Jon.

-- 
Computer Architect | Sent from my Fedora powered laptop

