From: Andrea Arcangeli <aarcange@redhat.com>
To: David Woodhouse <dwmw2@infradead.org>
Cc: Peter Zijlstra <peterz@infradead.org>,
Dave Hansen <dave.hansen@intel.com>,
Thomas Gleixner <tglx@linutronix.de>,
LKML <linux-kernel@vger.kernel.org>,
Linus Torvalds <torvalds@linuxfoundation.org>,
x86@kernel.org, Borislav Petkov <bp@alien8.de>,
Tim Chen <tim.c.chen@linux.intel.com>,
Andi Kleen <ak@linux.intel.com>,
Greg KH <gregkh@linuxfoundation.org>,
Andy Lutomirski <luto@kernel.org>,
Arjan Van De Ven <arjan.van.de.ven@intel.com>
Subject: Re: [patch RFC 5/5] x86/speculation: Add basic speculation control code
Date: Wed, 10 Jan 2018 13:17:55 +0100 [thread overview]
Message-ID: <20180110121755.GD9706@redhat.com> (raw)
In-Reply-To: <1515586174.22302.126.camel@infradead.org>
On Wed, Jan 10, 2018 at 12:09:34PM +0000, David Woodhouse wrote:
> That is not consistent with the documentation I've seen, which Intel
> have so far utterly failed to publish AFAICT.
>
> "a near indirect jump/call/return may be affected by code in a less privileged
> prediction mode that executed AFTER IBRS mode was last written with a value of 1"
You must have misunderstood the context there, or the above text is
wrong to begin with.
> The kernel is only protected from branch targets set in userspace
> *BEFORE* the IBRS mode was last set to 1. If you set it to 1, then
> leave it like that while you run userspace and then kernel code again,
> you are not protected.
I'm sure you've got it wrong, that would be crazy if it would be the
case.
Even from an implementation standpoint IBRS just means stop
speculating through branch prediction, there's no way they can add
this separation between ring 0 and ring 3 when it didn't exist to
begin with.
RSB had it with SMEP and in fact there's no need to do stuff_RSB with
SMEP enabled in cr4 and we alternative it out in kernel entry on host
and guest, but we still have to do that in vmexit.
IBP/BTB had nothing like, which is why user ring 3 can attack host
ring 0.
It will have it and also separating guest from host but in the future.
Plus IBRS can be set at will by guest mode, if guest kernel is
malicious it will let guest userland run with IBRS on. You can't trust
the guest kernel to begin with. So it would make IBRS totally useless
for KVM to set in vmexit if you were right about that.
In any case, we've a ibrs_enabled 0 ibpb_enabled 2 that would achieve
full security if you were right, but I think you got it all wrong
about IBRS and rings.
Second: IBRS means Indirect Branch Restricted Speculation, the
speculation through branch prediction is restricted while it's
set. It's inconceivable that they add ring knowledge to a part that is
couldn't be helped by SMEP in the first place that had at least some
ring separation when enabled.
next prev parent reply other threads:[~2018-01-10 12:18 UTC|newest]
Thread overview: 64+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-01-10 1:06 [patch RFC 0/5] x86/spectre_v2: Initial integration of IBRS into the spectre_v2 mechanics Thomas Gleixner
2018-01-10 1:06 ` [patch RFC 1/5] x86/CPU: Sync CPU feature flags late Thomas Gleixner
2018-01-10 1:37 ` Dave Hansen
2018-01-10 1:39 ` Van De Ven, Arjan
2018-01-10 1:47 ` Thomas Gleixner
2018-01-10 2:57 ` Andy Lutomirski
2018-01-10 11:02 ` Thomas Gleixner
2018-01-10 1:44 ` Thomas Gleixner
2018-01-10 6:20 ` Ingo Molnar
2018-01-10 11:33 ` Borislav Petkov
2018-01-10 12:38 ` Thomas Gleixner
2018-01-10 1:06 ` [patch RFC 2/5] x86/spectre: Simplify spectre code a bit Thomas Gleixner
2018-01-10 6:22 ` Ingo Molnar
2018-01-10 1:06 ` [patch RFC 3/5] x86/spectre: Prepare for IBRS selection Thomas Gleixner
2018-01-10 1:51 ` Dave Hansen
2018-01-10 1:06 ` [patch RFC 4/5] x86/cpufeatures: Detect Speculation control feature Thomas Gleixner
2018-01-10 6:32 ` Ingo Molnar
2018-01-10 11:06 ` Thomas Gleixner
2018-01-10 1:06 ` [patch RFC 5/5] x86/speculation: Add basic speculation control code Thomas Gleixner
2018-01-10 2:02 ` Dave Hansen
2018-01-10 4:11 ` Justin Forbes
2018-01-10 9:22 ` Peter Zijlstra
2018-01-10 9:27 ` David Woodhouse
2018-01-10 10:03 ` Peter Zijlstra
2018-01-10 11:22 ` David Woodhouse
2018-01-10 11:41 ` Thomas Gleixner
2018-01-10 11:45 ` Peter Zijlstra
2018-01-10 11:54 ` Andrea Arcangeli
2018-01-10 11:58 ` David Woodhouse
2018-01-10 12:01 ` Andrea Arcangeli
2018-01-10 12:07 ` Andrea Arcangeli
2018-01-10 12:12 ` David Woodhouse
2018-01-10 12:20 ` Andrea Arcangeli
2018-01-10 12:27 ` Andrea Arcangeli
2018-01-10 13:42 ` Van De Ven, Arjan
2018-01-10 12:09 ` David Woodhouse
2018-01-10 12:17 ` Andrea Arcangeli [this message]
2018-01-10 12:29 ` David Woodhouse
2018-01-10 12:41 ` Andrea Arcangeli
2018-01-10 12:47 ` Jiri Kosina
2018-01-10 12:51 ` David Woodhouse
2018-01-10 13:02 ` Andrea Arcangeli
2018-01-10 13:05 ` Andrea Arcangeli
2018-01-10 13:10 ` Andrea Arcangeli
2018-01-10 13:12 ` Andrea Arcangeli
2018-01-10 12:57 ` Andrea Arcangeli
2018-01-10 13:07 ` David Woodhouse
2018-01-10 13:45 ` Van De Ven, Arjan
2018-01-10 13:52 ` Andrea Arcangeli
2018-01-10 13:53 ` Van De Ven, Arjan
2018-01-10 21:35 ` Tim Chen
2018-01-10 22:13 ` Andrea Arcangeli
2018-01-10 13:46 ` Thomas Gleixner
2018-01-10 13:51 ` Van De Ven, Arjan
2018-01-10 13:53 ` Thomas Gleixner
2018-01-10 13:58 ` David Woodhouse
2018-01-10 14:10 ` Andrea Arcangeli
2018-01-10 14:14 ` Van De Ven, Arjan
2018-01-10 14:59 ` Dave Hansen
2018-01-10 15:13 ` Andrea Arcangeli
2018-01-10 15:24 ` David Woodhouse
2018-01-10 15:47 ` Andrea Arcangeli
2018-01-10 15:56 ` David Woodhouse
2018-01-10 13:10 ` Jiri Kosina
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20180110121755.GD9706@redhat.com \
--to=aarcange@redhat.com \
--cc=ak@linux.intel.com \
--cc=arjan.van.de.ven@intel.com \
--cc=bp@alien8.de \
--cc=dave.hansen@intel.com \
--cc=dwmw2@infradead.org \
--cc=gregkh@linuxfoundation.org \
--cc=linux-kernel@vger.kernel.org \
--cc=luto@kernel.org \
--cc=peterz@infradead.org \
--cc=tglx@linutronix.de \
--cc=tim.c.chen@linux.intel.com \
--cc=torvalds@linuxfoundation.org \
--cc=x86@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox