From: David Woodhouse <dwmw2@infradead.org>
To: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Arjan van de Ven <arjan@linux.intel.com>,
Eduardo Habkost <ehabkost@redhat.com>,
KarimAllah Ahmed <karahmed@amazon.de>,
Linux Kernel Mailing List <linux-kernel@vger.kernel.org>,
Andi Kleen <ak@linux.intel.com>,
Andrea Arcangeli <aarcange@redhat.com>,
Andy Lutomirski <luto@kernel.org>,
Ashok Raj <ashok.raj@intel.com>,
Asit Mallick <asit.k.mallick@intel.com>,
Borislav Petkov <bp@suse.de>,
Dan Williams <dan.j.williams@intel.com>,
Dave Hansen <dave.hansen@intel.com>,
Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
"H . Peter Anvin" <hpa@zytor.com>, Ingo Molnar <mingo@redhat.com>,
Janakarajan Natarajan <Janakarajan.Natarajan@amd.com>,
Joerg Roedel <joro@8bytes.org>,
Jun Nakajima <jun.nakajima@intel.com>,
Laura Abbott <labbott@redhat.com>,
Masami
Subject: Re: [RFC,05/10] x86/speculation: Add basic IBRS support infrastructure
Date: Tue, 30 Jan 2018 11:35:51 +0000 [thread overview]
Message-ID: <1517312151.18619.109.camel@infradead.org> (raw)
In-Reply-To: <CA+55aFxBh3LvsQq9wy313NQCn3iu+yuAmsi0zNVxWmGDUUds-A@mail.gmail.com>
[-- Attachment #1: Type: text/plain, Size: 2813 bytes --]
On Mon, 2018-01-29 at 16:23 -0800, Linus Torvalds wrote:
>
> Note on the unhappiness with some of the patches involved: what I do
> *not* want to see is the "on every kernel entry" kind of garbage.
>
> So my unhappiness with the intel microcode patches is two-fold:
>
> (a) the interface is nasty and wrong, and I absolutely detest how Intel did it.
>
> (b) the write to random MSR's on every kernel entry/exit is wrong
>
> but that doesn't mean that I will necessarily end up NAK'ing every
> single IBRS/IBPB patch.
>
> My concern with (a) is that unlike meltdown, the intel work-around
> isn't forward-looking, and doesn't have a "we fixed it" bit. Instead,
> it has a "we have a nasty workaround that may or may not be horribly
> expensive" bit, and isn't all that well-defined.
The lack of a "we fixed it" bit is certainly problematic.
But as an interim hack for the upcoming hardware, IBRS_ALL isn't so
badly defined. Sure, the reassurances about performance all got ripped
out before the document saw the light of day — quelle surprise? — but
my understanding is that it *will* be fast. It is expected to be fast
enough that we can ALTERNATIVE away the retpolines, set it once and
leave it set.
The reason it isn't just a "we fixed it" bit is because we'll still
need the IBPB on context/vCPU switches.
I suspect they managed to tag BTB entries with VMX mode and ring, but
*not* the full VMID/PCID tagging (and associated automatic flushing)
that they'd need to truly say "we fixed it".
I seriously hope they're working on a complete fix for the subsequent
generation, and just neglected to mention it in their public
documentation that far in advance.
> My dislike of (b) comes from "we have retpoline and various wondrous
> RSB filling crud already, we're smarter than that". So it's not that I
> refuse any IBRS/IBPB use, I refuse the stupid and _mindless_ kind of
> use.
Well... for Skylake we probably need something like Ingo's cunning plan
to abuse function tracing to count call depth. I won't be utterly
shocked if, by the time we have all that pulled together, it ends up
being fairly much as fugly as the IBRS version — for less complete
protection. But we'll see. :)
It may also be that some of the last remaining holes can be declared
just too unlikely for us to jump through fugly hoops for. In fact that
*has* to be our answer for the SMI issue if we're not using IBRS on
Skylake, so now it's just a question of degree — how many of the
*other* theoretical holes are we happy to do the same thing for?
That's a genuine question, not a rhetorical device arguing for IBRS. I
just haven't seen a clear analysis, other than some hand-waving, of how
feasible some of those attack vectors really are. I'd like to.
[-- Attachment #2: smime.p7s --]
[-- Type: application/x-pkcs7-signature, Size: 5213 bytes --]
next prev parent reply other threads:[~2018-01-30 11:36 UTC|newest]
Thread overview: 135+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-01-20 19:22 [RFC 00/10] Speculation Control feature support KarimAllah Ahmed
2018-01-20 19:22 ` [RFC 01/10] x86/speculation: Add basic support for IBPB KarimAllah Ahmed
2018-01-20 19:22 ` [RFC 02/10] x86/kvm: Add IBPB support KarimAllah Ahmed
2018-01-20 20:18 ` Woodhouse, David
2018-01-22 18:56 ` Jim Mattson
2018-01-22 19:31 ` Jim Mattson
2018-01-20 19:22 ` [RFC 03/10] x86/speculation: Use Indirect Branch Prediction Barrier in context switch KarimAllah Ahmed
2018-01-20 19:22 ` [RFC 04/10] x86/mm: Only flush indirect branches when switching into non dumpable process KarimAllah Ahmed
2018-01-20 21:06 ` Woodhouse, David
2018-01-22 18:29 ` Tim Chen
2018-01-21 11:22 ` Peter Zijlstra
2018-01-21 12:04 ` David Woodhouse
2018-01-21 14:07 ` H.J. Lu
2018-01-22 10:19 ` Peter Zijlstra
2018-01-22 10:23 ` David Woodhouse
2018-01-21 16:21 ` Ingo Molnar
2018-01-21 16:25 ` Arjan van de Ven
2018-01-21 22:20 ` Woodhouse, David
2018-01-29 6:35 ` Jon Masters
2018-01-29 14:07 ` Peter Zijlstra
2018-01-20 19:22 ` [RFC 05/10] x86/speculation: Add basic IBRS support infrastructure KarimAllah Ahmed
2018-01-21 14:31 ` Thomas Gleixner
2018-01-21 14:56 ` Borislav Petkov
2018-01-22 9:51 ` Peter Zijlstra
2018-01-22 12:06 ` Borislav Petkov
2018-01-22 13:30 ` Greg Kroah-Hartman
2018-01-22 13:36 ` Woodhouse, David
2018-01-21 15:25 ` David Woodhouse
2018-01-23 20:58 ` David Woodhouse
2018-01-24 8:47 ` Peter Zijlstra
2018-01-24 9:02 ` David Woodhouse
2018-01-24 9:10 ` Greg Kroah-Hartman
2018-01-24 15:09 ` Arjan van de Ven
2018-01-24 15:18 ` David Woodhouse
2018-01-24 9:34 ` Peter Zijlstra
2018-01-24 10:49 ` Henrique de Moraes Holschuh
2018-01-24 12:30 ` David Woodhouse
2018-01-24 12:14 ` David Woodhouse
2018-01-24 12:29 ` Peter Zijlstra
2018-01-24 12:58 ` David Woodhouse
2018-01-29 20:14 ` [RFC,05/10] " Eduardo Habkost
2018-01-29 20:17 ` David Woodhouse
2018-01-29 20:42 ` Eduardo Habkost
2018-01-29 20:44 ` Arjan van de Ven
2018-01-29 21:02 ` David Woodhouse
2018-01-29 21:37 ` Jim Mattson
2018-01-29 21:50 ` Eduardo Habkost
2018-01-29 22:12 ` Jim Mattson
2018-01-30 1:22 ` Eduardo Habkost
2018-01-29 22:25 ` Andi Kleen
2018-01-30 1:37 ` Eduardo Habkost
2018-01-29 21:37 ` Andi Kleen
2018-01-29 21:44 ` Eduardo Habkost
2018-01-29 22:10 ` Konrad Rzeszutek Wilk
2018-01-30 1:12 ` Eduardo Habkost
2018-01-30 0:23 ` Linus Torvalds
2018-01-30 1:03 ` Jim Mattson
2018-01-30 3:13 ` Andi Kleen
2018-01-31 15:03 ` Paolo Bonzini
2018-01-31 15:07 ` Dr. David Alan Gilbert
2018-01-30 1:32 ` Arjan van de Ven
2018-01-30 3:32 ` Linus Torvalds
2018-01-30 12:04 ` Eduardo Habkost
2018-01-30 13:54 ` Arjan van de Ven
2018-01-30 8:22 ` David Woodhouse
2018-01-30 11:35 ` David Woodhouse [this message]
2018-01-30 11:56 ` Dr. David Alan Gilbert
2018-01-30 12:11 ` Christian Borntraeger
2018-01-30 14:46 ` Christophe de Dinechin
2018-01-30 14:52 ` Christian Borntraeger
2018-01-30 14:56 ` Christophe de Dinechin
2018-01-30 15:33 ` Christian Borntraeger
2018-01-30 20:46 ` Alan Cox
2018-01-31 10:05 ` Christophe de Dinechin
2018-01-31 10:15 ` Thomas Gleixner
2018-01-31 11:04 ` Dr. David Alan Gilbert
2018-01-31 11:52 ` Borislav Petkov
2018-01-31 12:30 ` Dr. David Alan Gilbert
2018-01-31 13:18 ` Borislav Petkov
2018-01-31 14:04 ` Dr. David Alan Gilbert
2018-01-31 14:44 ` Eduardo Habkost
2018-01-31 16:28 ` Borislav Petkov
2018-01-31 11:07 ` Christophe de Dinechin
2018-01-31 15:00 ` Eduardo Habkost
2018-01-31 15:11 ` Arjan van de Ven
2018-01-31 10:03 ` [RFC 05/10] " Christophe de Dinechin
2018-01-20 19:22 ` [RFC 06/10] x86/speculation: Add inlines to control Indirect Branch Speculation KarimAllah Ahmed
2018-01-20 19:22 ` [RFC 07/10] x86: Simplify spectre_v2 command line parsing KarimAllah Ahmed
2018-01-20 19:22 ` [RFC 08/10] x86/idle: Control Indirect Branch Speculation in idle KarimAllah Ahmed
2018-01-20 19:23 ` [RFC 09/10] x86/enter: Create macros to restrict/unrestrict Indirect Branch Speculation KarimAllah Ahmed
2018-01-21 19:14 ` Andy Lutomirski
2018-01-23 16:12 ` Tom Lendacky
2018-01-23 16:20 ` Woodhouse, David
2018-01-23 22:37 ` Tom Lendacky
2018-01-23 22:49 ` Andi Kleen
2018-01-23 23:14 ` Woodhouse, David
2018-01-23 23:22 ` Andi Kleen
2018-01-24 0:47 ` Tim Chen
2018-01-24 1:00 ` Andy Lutomirski
2018-01-24 1:22 ` David Woodhouse
2018-01-24 1:59 ` Van De Ven, Arjan
2018-01-24 3:25 ` Andy Lutomirski
[not found] ` <CA+55aFxUEPHc7JRQG3zmxEsfmfJOiJa1QqFBKCBNb5Tt5vfiSg@mail.gmail.com>
2018-01-21 20:28 ` David Woodhouse
2018-01-21 21:35 ` Linus Torvalds
2018-01-21 22:00 ` David Woodhouse
2018-01-21 22:27 ` Linus Torvalds
2018-01-22 16:27 ` David Woodhouse
2018-01-23 7:29 ` Ingo Molnar
2018-01-23 7:53 ` Ingo Molnar
2018-01-23 9:27 ` Ingo Molnar
2018-01-23 9:37 ` David Woodhouse
2018-01-23 15:01 ` Dave Hansen
2018-01-23 9:30 ` David Woodhouse
2018-01-23 10:15 ` Ingo Molnar
2018-01-23 10:27 ` David Woodhouse
2018-01-23 10:44 ` Ingo Molnar
2018-01-23 10:23 ` Ingo Molnar
2018-02-04 18:43 ` Thomas Gleixner
2018-02-04 20:22 ` David Woodhouse
2018-02-06 9:14 ` David Woodhouse
2018-01-23 20:16 ` Pavel Machek
2018-01-20 19:23 ` [RFC 10/10] x86/enter: Use IBRS on syscall and interrupts KarimAllah Ahmed
2018-01-21 13:50 ` Konrad Rzeszutek Wilk
2018-01-21 14:40 ` KarimAllah Ahmed
2018-01-21 17:22 ` Dave Hansen
2018-01-21 14:02 ` [RFC 00/10] Speculation Control feature support Konrad Rzeszutek Wilk
2018-01-22 21:27 ` David Woodhouse
-- strict thread matches above, loose matches on Subject: below --
2018-01-29 22:29 [RFC,05/10] x86/speculation: Add basic IBRS support infrastructure David Dunn
2018-01-29 22:41 ` Andi Kleen
2018-01-29 22:49 ` Jim Mattson
2018-01-30 1:10 ` Eduardo Habkost
2018-01-30 1:20 ` David Dunn
2018-01-30 1:30 ` Eduardo Habkost
2018-01-29 23:51 ` Fred Jacobs
2018-01-30 1:08 ` Eduardo Habkost
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1517312151.18619.109.camel@infradead.org \
--to=dwmw2@infradead.org \
--cc=Janakarajan.Natarajan@amd.com \
--cc=aarcange@redhat.com \
--cc=ak@linux.intel.com \
--cc=arjan@linux.intel.com \
--cc=ashok.raj@intel.com \
--cc=asit.k.mallick@intel.com \
--cc=bp@suse.de \
--cc=dan.j.williams@intel.com \
--cc=dave.hansen@intel.com \
--cc=ehabkost@redhat.com \
--cc=gregkh@linuxfoundation.org \
--cc=hpa@zytor.com \
--cc=joro@8bytes.org \
--cc=jun.nakajima@intel.com \
--cc=karahmed@amazon.de \
--cc=labbott@redhat.com \
--cc=linux-kernel@vger.kernel.org \
--cc=luto@kernel.org \
--cc=mingo@redhat.com \
--cc=torvalds@linux-foundation.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).