From: Brendan Jackman <jackmanb@google.com>
To: Josh Poimboeuf <jpoimboe@kernel.org>, Kees Cook <kees@kernel.org>
Cc: Brendan Jackman <jackmanb@google.com>,
Jonathan Corbet <corbet@lwn.net>,
Thomas Gleixner <tglx@linutronix.de>,
Borislav Petkov <bp@alien8.de>,
Peter Zijlstra <peterz@infradead.org>,
Pawan Gupta <pawan.kumar.gupta@linux.intel.com>,
Balbir Singh <sblbir@amazon.com>, <linux-doc@vger.kernel.org>,
<linux-kernel@vger.kernel.org>
Subject: Re: [PATCH 1/2] Documentation: clarify PR_SPEC_L1D_FLUSH
Date: Thu, 16 Oct 2025 08:28:22 +0000 [thread overview]
Message-ID: <DDJLS7DZYDFW.XKPRC42PXW8I@google.com> (raw)
In-Reply-To: <z5zeptd2yij7e435u4xgdqsvnqf6hwjkwixajlh3u4nggp6gej@ej743d4adbb3>
On Wed Oct 15, 2025 at 11:42 PM UTC, Josh Poimboeuf wrote:
> On Wed, Oct 15, 2025 at 02:41:18PM -0700, Kees Cook wrote:
>> On Wed, Oct 15, 2025 at 05:02:05PM +0000, Brendan Jackman wrote:
>> > For PR_SPEC_STORE_BYPASS and PR_SPEC_INDIRECT_BRANCH, PR_SPEC_DISABLE
>> > means "disable the speculation bug" i.e. "enable the mitigation".
>> >
>> > For PR_SPEC_L1D_FLUSH, PR_SPEC_DISABLE means "disable the mitigation".
>> > This is not obvious, so document it.
>>
>> The only thing I can find in Debian Code Search that actually uses
>> PR_SPEC_L1D_FLUSH is stress-ng, and it literally just toggles it before
>> restoring it:
>> https://sources.debian.org/src/stress-ng/0.19.05-1/stress-prctl.c?hl=893#L893
>>
>> I wonder if we should just fix the prctl to match the existing
>> behaviors?
>
> This feature has existed for almost 5 years, I don't think we can just
> reverse the functionality like that? There could be proprietary users
> out there (e.g., cloud companies).
Yeah I'm with Josh on this one. I would guess these 3 situations are
about equally likely:
1. Nobody uses this flag for security.
2. People use it, and they are not getting the security properties they
expect.
3. People do, but they know the meaning of the flag because either they
read the kernel code (in my experience at Google it's pretty typical
for security analysts to do this, they are smart and rigorous) or got
suspicious performance numbers (I've also seen this at Google, IIRC
this was how we found out about a bug in the Retbleed mitigations).
Or, it could be the users are working on the same principle as the
author/reviewers of the patch and they expected the current behaviour
in the first place.
I think we have to privilege the third case here. Changing the behaviour
is gonna be extremely inconvenient for anyone depending on the current
one (if they even find out about it) so I think we'd have to introduce
a new variant of the API or something. That doesn't seem worth it, I
think the chance of anyone actually adopting the new API is pretty low.
next prev parent reply other threads:[~2025-10-16 8:28 UTC|newest]
Thread overview: 9+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-10-15 17:02 [PATCH 0/2] Documentation: fixups for L1D flushing Brendan Jackman
2025-10-15 17:02 ` [PATCH 1/2] Documentation: clarify PR_SPEC_L1D_FLUSH Brendan Jackman
2025-10-15 21:41 ` Kees Cook
2025-10-15 23:42 ` Josh Poimboeuf
2025-10-16 8:28 ` Brendan Jackman [this message]
2025-10-15 17:02 ` [PATCH 2/2] Documentation: fix reference to PR_SPEC_L1D_FLUSH Brendan Jackman
2025-10-16 14:54 ` [PATCH 0/2] Documentation: fixups for L1D flushing Brendan Jackman
2025-10-30 14:00 ` Brendan Jackman
2025-10-29 16:15 ` Jonathan Corbet
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=DDJLS7DZYDFW.XKPRC42PXW8I@google.com \
--to=jackmanb@google.com \
--cc=bp@alien8.de \
--cc=corbet@lwn.net \
--cc=jpoimboe@kernel.org \
--cc=kees@kernel.org \
--cc=linux-doc@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=pawan.kumar.gupta@linux.intel.com \
--cc=peterz@infradead.org \
--cc=sblbir@amazon.com \
--cc=tglx@linutronix.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).