From: "Nicholas Piggin" <npiggin@gmail.com>
To: "Segher Boessenkool" <segher@kernel.crashing.org>,
"Rohan McLure" <rmclure@linux.ibm.com>
Cc: linuxppc-dev@lists.ozlabs.org
Subject: Re: [PATCH v2 1/4] powerpc/64: Add INTERRUPT_SANITIZE_REGISTERS Kconfig
Date: Tue, 08 Nov 2022 20:09:44 +1000 [thread overview]
Message-ID: <CO6TZ9SSOWP7.1PSIBLSSBCAY3@bobo> (raw)
In-Reply-To: <20221107163923.GO25951@gate.crashing.org>
On Tue Nov 8, 2022 at 2:39 AM AEST, Segher Boessenkool wrote:
> Hi!
>
> On Mon, Nov 07, 2022 at 02:31:59PM +1100, Rohan McLure wrote:
> > Add Kconfig option for enabling clearing of registers on arrival in an
> > interrupt handler. This reduces the speculation influence of registers
> > on kernel internals.
>
> Assuming you are talking about existing PowerPC CPUs from the last 30
> years:
>
> There is no data speculation. At all. Ever.
>
> There is branch prediction, but that is not influenced by register
> contents, either (for any current CPUs at least). (Except when you get
> a flush because of a mispredict, but if this zeroing changes anything,
> we will have used wild (but user controlled) values in the old
> non-zeroing situation, and that is a much bigger problem itself already,
> also for security! This can be an unlikely kernel bug, or a very
> unlikely compiler bug.)
This is not about data speculation, it is about speculative execution
in kernel mode that uses architected value that were set by user, and
that value being used to influence a speculative gadget that can expose
data to user via a side channel.
> All GPRs are renamed, always. If you zero all GPRs on interrupt entry
> (which is context synchronising, importantly), this will guarantee there
> can be no timing influence from the GPRs, because all of the physical
> registers depend on nothing that happened before. So that is good, at
> least it can give some peace of mind. Except that this makes 30 new
> registers in just a few cycles, which *itself* can cause stalls, if the
> renaming things are still busy.
It will have some pipeline effect like any instruction I suppose. At
least in latest processors, zeroing idiom should release registers
AFAIK.
> Context synchronising does not
> necessarily help there, the renaming machinery can do stuff *after* an
> insn completes.
Possibly context synchronization does not push everything prior to
completion, certainly it does not drain prior stores from store queues
even if they had previously completed, so there can be things going on
there. Software does not really have the ability to do anything about
that though, so that's more of a hardware problem if that exposes a
security issue IMO. Or at least a separate issue if there is some
architecture that could deal with it.
Thanks,
Nick
prev parent reply other threads:[~2022-11-08 10:10 UTC|newest]
Thread overview: 11+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-11-07 3:31 [PATCH v2 1/4] powerpc/64: Add INTERRUPT_SANITIZE_REGISTERS Kconfig Rohan McLure
2022-11-07 3:32 ` [PATCH v2 2/4] powerpc/64s: Clear gprs on interrupt routine entry on Book3S Rohan McLure
2022-11-28 1:52 ` Nicholas Piggin
2022-11-07 3:32 ` [PATCH v2 3/4] powerpc/64e: Clear gprs on interrupt routine entry on Book3E Rohan McLure
2022-11-28 2:02 ` Nicholas Piggin
2022-11-07 3:32 ` [PATCH v2 4/4] powerpc/64s: Sanitise user registers on interrupt in pseries Rohan McLure
2022-11-28 2:12 ` Nicholas Piggin
2022-11-07 14:28 ` [PATCH v2 1/4] powerpc/64: Add INTERRUPT_SANITIZE_REGISTERS Kconfig Christophe Leroy
2022-11-28 1:42 ` Nicholas Piggin
2022-11-07 16:39 ` Segher Boessenkool
2022-11-08 10:09 ` Nicholas Piggin [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=CO6TZ9SSOWP7.1PSIBLSSBCAY3@bobo \
--to=npiggin@gmail.com \
--cc=linuxppc-dev@lists.ozlabs.org \
--cc=rmclure@linux.ibm.com \
--cc=segher@kernel.crashing.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).