From: "Shah, Amit" <Amit.Shah@amd.com>
To: "jpoimboe@kernel.org" <jpoimboe@kernel.org>,
"amit@kernel.org" <amit@kernel.org>,
"andrew.cooper3@citrix.com" <andrew.cooper3@citrix.com>
Cc: "corbet@lwn.net" <corbet@lwn.net>,
"pawan.kumar.gupta@linux.intel.com"
<pawan.kumar.gupta@linux.intel.com>,
"kai.huang@intel.com" <kai.huang@intel.com>,
"kvm@vger.kernel.org" <kvm@vger.kernel.org>,
"dave.hansen@linux.intel.com" <dave.hansen@linux.intel.com>,
"daniel.sneddon@linux.intel.com" <daniel.sneddon@linux.intel.com>,
"Lendacky, Thomas" <Thomas.Lendacky@amd.com>,
"boris.ostrovsky@oracle.com" <boris.ostrovsky@oracle.com>,
"linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>,
"seanjc@google.com" <seanjc@google.com>,
"mingo@redhat.com" <mingo@redhat.com>,
"pbonzini@redhat.com" <pbonzini@redhat.com>,
"tglx@linutronix.de" <tglx@linutronix.de>,
"Moger, Babu" <Babu.Moger@amd.com>,
"Das1, Sandipan" <Sandipan.Das@amd.com>,
"linux-doc@vger.kernel.org" <linux-doc@vger.kernel.org>,
"dwmw@amazon.co.uk" <dwmw@amazon.co.uk>,
"hpa@zytor.com" <hpa@zytor.com>,
"peterz@infradead.org" <peterz@infradead.org>,
"bp@alien8.de" <bp@alien8.de>,
"Kaplan, David" <David.Kaplan@amd.com>,
"x86@kernel.org" <x86@kernel.org>
Subject: Re: [RFC PATCH v2 1/3] x86: cpu/bugs: update SpectreRSB comments for AMD
Date: Tue, 12 Nov 2024 15:16:44 +0000 [thread overview]
Message-ID: <073c4e1e2c677f88fd51e64e9b461ce4399b1883.camel@amd.com> (raw)
In-Reply-To: <20241112014644.3p2a6te3sbh5x55c@jpoimboe>
On Mon, 2024-11-11 at 17:46 -0800, Josh Poimboeuf wrote:
> On Tue, Nov 12, 2024 at 12:29:28AM +0000, Andrew Cooper wrote:
> > This is my take. On AMD CPUs, there are two unrelated issues to
> > take
> > into account:
> >
> > 1) SRSO
> >
> > Affects anything which doesn't enumerate SRSO_NO, which is all
> > parts to
> > date including Zen5.
> >
> > SRSO ends up overflowing the RAS with arbitrary BTB targets, such
> > that a
> > subsequent genuine RET follows a prediction which never came from a
> > real
> > CALL instruction.
> >
> > Mitigations for SRSO are either safe-ret, or IBPB-on-entry. Parts
> > without IBPB_RET using IBPB-on-entry need to manually flush the
> > RAS.
> >
> > Importantly, SMEP does not protection you against SRSO across the
> > user->kernel boundary, because the bad RAS entries are arbitrary.
> > New
> > in Zen5 is the SRSO_U/S_NO bit which says this case can't occur any
> > more. So on Zen5, you can in principle get away without a RAS
> > flush on
> > entry.
>
> Updated to mention SRSO:
>
> /*
> * In general there are two types of RSB attacks:
> *
> * 1) RSB underflow ("Intel Retbleed")
> *
> * Some Intel parts have "bottomless RSB". When the RSB
> is empty,
> * speculated return targets may come from the branch
> predictor,
> * which could have a user-poisoned BTB or BHB entry.
> *
> * When IBRS or eIBRS is enabled, the "user -> kernel"
> attack is
> * mitigated by the IBRS branch prediction isolation
> properties, so
> * the RSB buffer filling wouldn't be necessary to
> protect against
> * this type of attack.
> *
> * The "user -> user" attack is mitigated by RSB filling
> on context
> * switch.
> *
> * The "guest -> host" attack is mitigated by IBRS or
> eIBRS.
> *
> * 2) Poisoned RSB entry
> *
> * If the 'next' in-kernel return stack is shorter than
> 'prev',
> * 'next' could be tricked into speculating with a user-
> poisoned RSB
> * entry. Poisoned RSB entries can also be created by
> Branch Type
> * Confusion ("AMD retbleed") or SRSO.
> *
> * The "user -> kernel" attack is mitigated by SMEP and
> eIBRS. AMD
> * without SRSO_NO also needs the SRSO mitigation.
> *
> * The "user -> user" attack, also known as SpectreBHB,
> requires RSB
> * clearing.
> *
> * The "guest -> host" attack is mitigated by either
> eIBRS (not
> * IBRS!) or RSB clearing on vmexit. Note that eIBRS
> * implementations with X86_BUG_EIBRS_PBRSB still need
> "lite" RSB
> * clearing which retires a single CALL before the first
> RET.
> */
Thanks, Josh and Andrew. This reads well to me. In the context of
ERAPS, I'll end up adding a couple more sentences there as well.
Amit
next prev parent reply other threads:[~2024-11-12 15:16 UTC|newest]
Thread overview: 34+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-11-11 16:39 [RFC PATCH v2 0/3] Add support for the ERAPS feature Amit Shah
2024-11-11 16:39 ` [RFC PATCH v2 1/3] x86: cpu/bugs: update SpectreRSB comments for AMD Amit Shah
2024-11-11 17:01 ` Dave Hansen
2024-11-11 19:33 ` Josh Poimboeuf
2024-11-11 19:58 ` Kaplan, David
2024-11-11 20:39 ` Josh Poimboeuf
2024-11-11 20:40 ` Josh Poimboeuf
2024-11-12 0:30 ` Josh Poimboeuf
2024-11-12 0:29 ` Andrew Cooper
2024-11-12 1:46 ` Josh Poimboeuf
2024-11-12 11:58 ` Borislav Petkov
2024-11-13 21:24 ` Josh Poimboeuf
2024-11-13 21:37 ` Borislav Petkov
2024-11-14 0:43 ` Josh Poimboeuf
2024-11-14 7:47 ` Borislav Petkov
2024-11-14 9:47 ` Ingo Molnar
2024-11-14 9:54 ` Borislav Petkov
2024-11-12 15:16 ` Shah, Amit [this message]
2024-11-12 21:43 ` Pawan Gupta
2024-11-13 20:21 ` Josh Poimboeuf
2024-11-14 1:55 ` Pawan Gupta
2024-11-14 2:31 ` Josh Poimboeuf
2024-11-14 8:01 ` Pawan Gupta
2024-11-15 5:48 ` Josh Poimboeuf
2024-11-15 14:44 ` Kaplan, David
2024-11-15 17:05 ` Josh Poimboeuf
2024-11-15 17:50 ` Pawan Gupta
2024-11-15 18:10 ` Josh Poimboeuf
2024-11-18 10:15 ` Shah, Amit
2024-11-11 16:39 ` [RFC PATCH v2 2/3] x86: cpu/bugs: add support for AMD ERAPS feature Amit Shah
2024-11-11 18:57 ` Dave Hansen
2024-11-13 10:33 ` Shah, Amit
2024-11-11 16:39 ` [RFC PATCH v2 3/3] x86: kvm: svm: add support for ERAPS and FLUSH_RAP_ON_VMRUN Amit Shah
2024-11-11 19:02 ` Dave Hansen
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=073c4e1e2c677f88fd51e64e9b461ce4399b1883.camel@amd.com \
--to=amit.shah@amd.com \
--cc=Babu.Moger@amd.com \
--cc=David.Kaplan@amd.com \
--cc=Sandipan.Das@amd.com \
--cc=Thomas.Lendacky@amd.com \
--cc=amit@kernel.org \
--cc=andrew.cooper3@citrix.com \
--cc=boris.ostrovsky@oracle.com \
--cc=bp@alien8.de \
--cc=corbet@lwn.net \
--cc=daniel.sneddon@linux.intel.com \
--cc=dave.hansen@linux.intel.com \
--cc=dwmw@amazon.co.uk \
--cc=hpa@zytor.com \
--cc=jpoimboe@kernel.org \
--cc=kai.huang@intel.com \
--cc=kvm@vger.kernel.org \
--cc=linux-doc@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=mingo@redhat.com \
--cc=pawan.kumar.gupta@linux.intel.com \
--cc=pbonzini@redhat.com \
--cc=peterz@infradead.org \
--cc=seanjc@google.com \
--cc=tglx@linutronix.de \
--cc=x86@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox