From: jcm@jonmasters.org (Jon Masters)
To: linux-arm-kernel@lists.infradead.org
Subject: [PATCH v2] arm64: Branch predictor hardening for Cavium ThunderX2
Date: Thu, 18 Jan 2018 13:27:15 -0500 [thread overview]
Message-ID: <cd75aa1e-10ec-2e40-3136-a34d4ec2258f@jonmasters.org> (raw)
In-Reply-To: <20180118175615.GF38392@jc-sabre>
On 01/18/2018 12:56 PM, Jayachandran C wrote:
> On Thu, Jan 18, 2018 at 01:53:55PM +0000, Will Deacon wrote:
>> Hi JC,
>>
>> On Tue, Jan 16, 2018 at 03:45:54PM -0800, Jayachandran C wrote:
>>> On Tue, Jan 16, 2018 at 04:52:53PM -0500, Jon Masters wrote:
>>>> On 01/09/2018 07:47 AM, Jayachandran C wrote:
>>>>
>>>>> Use PSCI based mitigation for speculative execution attacks targeting
>>>>> the branch predictor. The approach is similar to the one used for
>>>>> Cortex-A CPUs, but in case of ThunderX2 we add another SMC call to
>>>>> test if the firmware supports the capability.
>>>>>
>>>>> If the secure firmware has been updated with the mitigation code to
>>>>> invalidate the branch target buffer, we use the PSCI version call to
>>>>> invoke it.
>>>>
>>>> What's the status of this patch currently? Previously you had suggested
>>>> to hold while the SMC got standardized, but then you seemed happy with
>>>> pulling in. What's the latest?
>>>
>>> My understanding is that the SMC standardization is being worked on
>>> but will take more time, and the KPTI current patchset will go to
>>> mainline before that.
>>>
>>> Given that, I would expect arm64 maintainers to pick up this patch for
>>> ThunderX2, but I have not seen any comments so far.
>>>
>>> Will/Marc, please let me know if you are planning to pick this patch
>>> into the KPTI tree.
>>
>> Are you really sure you want us to apply this? If we do, then you can't run
>> KVM guests anymore because your IMPDEF SMC results in an UNDEF being
>> injected (crash below).
>>
>> I really think that you should just hook up the enable_psci_bp_hardening
>> callback like we've done for the Cortex CPUs. We can optimise this later
>> once the SMC standarisation work has been completed (which is nearly final
>> now and works in a backwards-compatible manner).
>
> I think Marc's patch here:
> https://git.kernel.org/pub/scm/linux/kernel/git/maz/arm-platforms.git/commit/?h=kvm-arm64/kpti&id=d35e77fae4b70331310c3bc1796bb43b93f9a85e
> handles returning for undefined smc calls in guest.
>
> I think in this case we have to choose between crashing or giving a false
> sense of security when a guest compiled with HARDEN_BRANCH_PREDICTOR is
> booted on an hypervisor that does not support hardening. Crashing maybe
> a reasonable option.
Crashing is a completely unreasonable option and is totally
unacceptable. We never do this in enterprise, period.
It's reasonable to give an output in dmesg that a system isn't hardened,
but it's not reasonable to crash. On x86, we added a new qemu machine
type for those guests that would have IBRS exposed, and ask users to
switch that on explicitly, but even if they boot the new kernels on
unpatched infrastructure, we'll detect the lack of the branch predictor
control interface and just log that.
The exact same thing should happen on ARM.
Jon.
next prev parent reply other threads:[~2018-01-18 18:27 UTC|newest]
Thread overview: 65+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-01-05 13:12 [PATCH v2 00/11] arm64 kpti hardening and variant 2 workarounds Will Deacon
2018-01-05 13:12 ` [PATCH v2 01/11] arm64: use RET instruction for exiting the trampoline Will Deacon
2018-01-06 13:13 ` Ard Biesheuvel
2018-01-08 14:33 ` Will Deacon
2018-01-08 14:38 ` Ard Biesheuvel
2018-01-08 14:45 ` Will Deacon
2018-01-08 14:56 ` Ard Biesheuvel
2018-01-08 15:27 ` David Laight
2018-01-05 13:12 ` [PATCH v2 02/11] arm64: Kconfig: Reword UNMAP_KERNEL_AT_EL0 kconfig entry Will Deacon
2018-01-05 13:12 ` [PATCH v2 03/11] arm64: Take into account ID_AA64PFR0_EL1.CSV3 Will Deacon
2018-01-08 7:24 ` [v2,03/11] " Jayachandran C
2018-01-08 9:20 ` Marc Zyngier
2018-01-08 17:40 ` Jayachandran C
2018-01-08 17:51 ` Will Deacon
2018-01-08 18:22 ` Alan Cox
2018-01-09 4:06 ` Jayachandran C
2018-01-09 10:00 ` Will Deacon
2018-01-19 1:00 ` Jon Masters
2018-01-08 17:52 ` Marc Zyngier
2018-01-08 17:06 ` Will Deacon
2018-01-08 17:50 ` Jayachandran C
2018-01-05 13:12 ` [PATCH v2 04/11] arm64: cpufeature: Pass capability structure to ->enable callback Will Deacon
2018-01-05 13:12 ` [PATCH v2 05/11] drivers/firmware: Expose psci_get_version through psci_ops structure Will Deacon
2018-01-05 13:12 ` [PATCH v2 06/11] arm64: Move post_ttbr_update_workaround to C code Will Deacon
2018-01-05 13:12 ` [PATCH v2 07/11] arm64: Add skeleton to harden the branch predictor against aliasing attacks Will Deacon
2018-01-08 0:15 ` Jon Masters
2018-01-08 12:16 ` James Morse
2018-01-08 14:26 ` Will Deacon
2018-01-17 4:10 ` Yisheng Xie
2018-01-17 10:07 ` Will Deacon
2018-01-18 8:37 ` Yisheng Xie
2018-01-19 3:37 ` Li Kun
2018-01-19 14:28 ` Will Deacon
2018-01-22 6:52 ` Li Kun
2018-01-05 13:12 ` [PATCH v2 08/11] arm64: KVM: Use per-CPU vector when BP hardening is enabled Will Deacon
2018-01-05 13:12 ` [PATCH v2 09/11] arm64: KVM: Make PSCI_VERSION a fast path Will Deacon
2018-01-05 13:12 ` [PATCH v2 10/11] arm64: cputype: Add missing MIDR values for Cortex-A72 and Cortex-A75 Will Deacon
2018-01-05 13:12 ` [PATCH v2 11/11] arm64: Implement branch predictor hardening for affected Cortex-A CPUs Will Deacon
2018-01-05 14:46 ` James Morse
2018-01-05 14:57 ` Marc Zyngier
2018-01-08 6:31 ` [v2, " Jayachandran C
2018-01-08 6:53 ` [PATCH 1/2] arm64: cputype: Add MIDR values for Cavium ThunderX2 CPUs Jayachandran C
2018-01-08 6:53 ` [PATCH 2/2] arm64: Branch predictor hardening for Cavium ThunderX2 Jayachandran C
2018-01-08 16:46 ` Will Deacon
2018-01-08 17:19 ` Jayachandran C
2018-01-08 17:23 ` Will Deacon
2018-01-09 2:26 ` Jayachandran C
2018-01-09 9:53 ` Will Deacon
2018-01-09 12:47 ` [PATCH v2] " Jayachandran C
[not found] ` <e9a192da-f603-6523-6d2e-858eb9c7d1b2@jonmasters.org>
[not found] ` <20180116234554.GA38392@jc-sabre>
2018-01-17 18:34 ` Jon Masters
2018-01-18 13:53 ` Will Deacon
2018-01-18 17:56 ` Jayachandran C
2018-01-18 18:27 ` Jon Masters [this message]
2018-01-18 23:28 ` Jayachandran C
2018-01-19 1:17 ` Jon Masters
2018-01-19 12:22 ` [PATCH v3 1/2] " Jayachandran C
2018-01-19 12:22 ` [PATCH v3 2/2] arm64: Turn on KPTI only on CPUs that need it Jayachandran C
2018-01-22 11:41 ` Will Deacon
2018-01-22 11:51 ` Ard Biesheuvel
2018-01-22 11:55 ` Will Deacon
2018-01-22 18:59 ` Jon Masters
2018-01-19 19:08 ` [PATCH v3 1/2] arm64: Branch predictor hardening for Cavium ThunderX2 Jon Masters
2018-01-22 11:33 ` Will Deacon
2018-01-22 19:00 ` Jon Masters
2018-01-23 9:51 ` Will Deacon
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=cd75aa1e-10ec-2e40-3136-a34d4ec2258f@jonmasters.org \
--to=jcm@jonmasters.org \
--cc=linux-arm-kernel@lists.infradead.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).