From mboxrd@z Thu Jan 1 00:00:00 1970
From: Dan Williams
Subject: Re: [PATCH v5 00/12] spectre variant1 mitigations for tip/x86/pti
Date: Sat, 27 Jan 2018 11:26:37 -0800
Message-ID:
References: <151703971300.26578.1185595719337719486.stgit@dwillia2-desk3.amr.corp.intel.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="UTF-8"
Return-path:
In-Reply-To: <151703971300.26578.1185595719337719486.stgit@dwillia2-desk3.amr.corp.intel.com>
Sender: linux-kernel-owner@vger.kernel.org
To: Thomas Gleixner
Cc: Mark Rutland , Cyril Novikov , Kernel Hardening , Peter Zijlstra , Catalin Marinas , Will Deacon , "H. Peter Anvin" , Jiri Slaby , Elena Reshetova , linux-arch , Andi Kleen , Jonathan Corbet , X86 ML , Russell King , Ingo Molnar , Andrew Honig , Alan Cox , Tom Lendacky , Kees Cook , Al Viro , Andy Lutomirski
List-Id: linux-arch.vger.kernel.org

[ adding lkml ]

I had inadvertently dropped lkml when sending this to Thomas. Archive here:

https://marc.info/?l=linux-wireless&m=151704026325010&w=2
https://marc.info/?l=linux-arch&m=151704027225013&w=2
https://marc.info/?l=linux-arch&m=151704027225014&w=2
https://marc.info/?l=linux-arch&m=151704027625015&w=2
https://marc.info/?l=linux-arch&m=151704028225016&w=2
https://marc.info/?l=linux-arch&m=151704028725019&w=2
https://marc.info/?l=linux-arch&m=151704086725186&w=2
https://marc.info/?l=linux-arch&m=151704030025025&w=2
https://marc.info/?l=linux-arch&m=151704030525028&w=2
https://marc.info/?l=linux-arch&m=151704031125029&w=2
https://marc.info/?l=linux-arch&m=151704032225034&w=2
https://marc.info/?l=linux-arch&m=151704032625035&w=2
https://marc.info/?l=linux-arch&m=151704032725037&w=2

On Fri, Jan 26, 2018 at 11:55 PM, Dan Williams wrote:
> Hi Thomas,
>
> Here's another spin of the spectre-v1 mitigations for 4.16.
>
> Changes since v4.1: [1]
> * Tweak the sanitization scheme yet again to make it even simpler. Now,
>   instead of 'array_ptr' to get a sanitized pointer to an array element,
>   just provide an array index sanitization helper 'array_idx' to be called
>   after successfully validating the index is in bounds. I.e. in the
>   exact same location one would otherwise put an lfence, place this
>   sanitizer:
>
>       if (idx < sz) {
>           idx = array_idx(idx, sz);
>           val = array[idx];
>       }
>
>   This lets the implementation include more sanity checking that the
>   compiler can usually compile out. It otherwise appears to produce
>   better assembly. This also cleans up the concern about comparing the
>   value returned from array_ptr to create another speculation point.
>   (Russell, Linus, Cyril)
>
> * Drop the syscall_64_fastpath. This is the straightforward patch from
>   Linus that might also be in flight from Andy, but I went ahead and
>   included it since I did not see it on LKML yet.
>
> * Kill the MASK_NOSPEC macro and just open code it. (Andy)
>
> * Add system-call-number sanitization to the slow path syscall table
>   lookups.
>
> * Redo the array_ptr conversions with array_idx.
>
> * Update /sys/devices/system/cpu/vulnerabilities/spectre_v1 to indicate
>   the new protections. It now reports "Vulnerable: Minimal user pointer
>   sanitization". (Jiri)
>
> ---
>
> Dan Williams (11):
>       array_idx: sanitize speculative array de-references
>       x86: implement array_idx_mask
>       x86: introduce __uaccess_begin_nospec and ifence
>       x86, __get_user: use __uaccess_begin_nospec
>       x86, get_user: use pointer masking to limit speculation
>       x86: remove the syscall_64 fast-path
>       x86: sanitize sycall table de-references under speculation
>       vfs, fdtable: prevent bounds-check bypass via speculative execution
>       kvm, x86: update spectre-v1 mitigation
>       nl80211: sanitize array index in parse_txq_params
>       x86/spectre: report get_user mitigation for spectre_v1
>
> Mark Rutland (1):
>       Documentation: document array_idx
>
>
>  Documentation/speculation.txt     |  87 ++++++++++++++++++++++++++++
>  arch/x86/entry/common.c           |   3 +
>  arch/x86/entry/entry_64.S         | 116 -------------------------------------
>  arch/x86/entry/syscall_64.c       |   7 +-
>  arch/x86/include/asm/barrier.h    |  26 ++++++++
>  arch/x86/include/asm/msr.h        |   3 -
>  arch/x86/include/asm/uaccess.h    |  15 ++++-
>  arch/x86/include/asm/uaccess_32.h |   6 +-
>  arch/x86/include/asm/uaccess_64.h |  12 ++--
>  arch/x86/kernel/cpu/bugs.c        |   2 -
>  arch/x86/kvm/vmx.c                |  14 +++-
>  arch/x86/lib/getuser.S            |  10 +++
>  arch/x86/lib/usercopy_32.c        |   8 +--
>  include/linux/fdtable.h           |   5 +-
>  include/linux/nospec.h            |  64 ++++++++++++++++++++
>  net/wireless/nl80211.c            |   9 ++-
>  16 files changed, 239 insertions(+), 148 deletions(-)
>  create mode 100644 Documentation/speculation.txt
>  create mode 100644 include/linux/nospec.h
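
An added example, not code from the patch series: a user-space C sketch of the check-then-sanitize pattern described in the cover letter above. The names `idx_mask`, `clamp_idx`, `demo_read` and `sample_table` are hypothetical, and the branchless mask formula is an assumption about how such a helper can be built, since the cover letter does not show the implementation of `array_idx`.

```c
#include <limits.h>
#include <stdio.h>

#define BITS_PER_LONG (sizeof(long) * CHAR_BIT)

/* Constructed sample data for the demonstration. */
static const int sample_table[4] = { 10, 20, 30, 40 };

/*
 * Hypothetical stand-in for a mask helper: all ones when idx < sz, zero
 * otherwise, computed without a branch. Assumes sz <= LONG_MAX and an
 * arithmetic right shift of negative values (true for gcc and clang).
 * Kernel code must also keep the compiler from turning this back into
 * a conditional; that part is not modelled here.
 */
static unsigned long idx_mask(unsigned long idx, unsigned long sz)
{
    return (unsigned long)(~(long)(idx | (sz - 1UL - idx)) >> (BITS_PER_LONG - 1));
}

/* Hypothetical equivalent of the sanitizer: idx if in bounds, else 0. */
static unsigned long clamp_idx(unsigned long idx, unsigned long sz)
{
    return idx & idx_mask(idx, sz);
}

/* The pattern from the cover letter: bounds check first, then sanitize. */
static int demo_read(unsigned long idx)
{
    const unsigned long sz = sizeof(sample_table) / sizeof(sample_table[0]);

    if (idx < sz) {
        idx = clamp_idx(idx, sz);   /* where an lfence would otherwise go */
        return sample_table[idx];
    }
    return -1;                      /* architecturally rejected */
}

int main(void)
{
    unsigned long probes[] = { 0, 3, 4, ULONG_MAX };

    for (size_t i = 0; i < sizeof(probes) / sizeof(probes[0]); i++)
        printf("idx=%lu mask=%#lx clamped=%lu read=%d\n", probes[i],
               idx_mask(probes[i], 4), clamp_idx(probes[i], 4),
               demo_read(probes[i]));
    return 0;
}
```

Because the mask is derived from the index by data dependency rather than by a branch, a mispredicted `idx < sz` check still feeds the load an index of 0, which keeps the speculative access inside the array.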