Re: [PATCH v3 6/6] x86/bugs: Add RSB mitigation document

[Ingo Molnar <mingo@kernel.org>]

* Josh Poimboeuf <jpoimboe@kernel.org> wrote:

> Create a document to summarize hard-earned knowledge about RSB-related
> mitigations, with references, and replace the overly verbose yet
> incomplete comments with a reference to the document.

Just a few nits:

> +RSB poisoning (Intel and AMD)
> +=============================
> +
> +SpectreRSB
> +~~~~~~~~~~
>
>+
>+RSB poisoning is a technique used by Spectre-RSB [#spectre-rsb]_ where
>+an attacker poisons an RSB entry to cause a victim's return instruction
>+to speculate to an attacker-controlled address.  This can happen when
>+there are unbalanced CALLs/RETs after a context switch or VMEXIT.

s/Spectre-RSB
 /SpectreRSB

Which is the name the title just a few lines above uses, and which 
appears to be broadly the in-tree consensus spelling as well.

> +
> +AMD Retbleed / SRSO / Branch Type Confusion
> +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Nit: the underline is one character too long. :-)

> +On AMD, poisoned RSB entries can also be created by the AMD Retbleed
> +variant [#retbleed-paper]_ and/or Speculative Return Stack Overflow
> +[#amd-srso]_ (Inception [#inception-paper]_).  These attacks are made
> +possible by Branch Type Confusion [#amd-btc]_.  The kernel protects
> +itself by replacing every RET in the kernel with a branch to a single
> +safe RET.

s/Retbleed
 /RETBleed

Seems to be the consensus spelling in-tree. (There's a few more cases 
in this document as well.)

> +	 * WARNING! There are many subtleties to consider when changing *any*
> +	 * code related to RSB-related mitigations.  Before doing so, carefully
> +	 * read the following document, and update if necessary:
>  	 *
> +	 *   Documentation/admin-guide/hw-vuln/rsb.rst
>  	 *
> +	 * In an overly simplified nutshell:
>  	 *
> +	 *   - User->user RSB attacks are conditionally mitigated during
> +	 *     context switch by cond_mitigation -> __write_ibpb().

s/during context switch
 /during context switches

>  	 *
> +	 *   - User->kernel and guest->host attacks are mitigated by eIBRS or
> +	 *     RSB filling.
>  	 *
> +	 *     Though, depending on config, note that other alternative
> +	 *     mitigations may end up getting used instead, e.g., IBPB on
> +	 *     entry/vmexit, call depth tracking, or return thunks.
>  	 */

s/__write_ibpb()
 /write_ibpb()

as per the discussion under patch #1.

Thanks,

	Ingo