From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Google-Smtp-Source: AH8x225waTYPRHmZzw3ZwS0FVFo15+CsJUA2Zi+P2t8Lm2scHWFiD5F1ssTQNVT4ewscFaLwIUoi ARC-Seal: i=1; a=rsa-sha256; t=1517441146; cv=none; d=google.com; s=arc-20160816; b=qZ1Eof+44PhIRUwprGioi8Ps6YZXFvZDfqDI/wfA0KAE/g0f5Y++G2NXDFLL+UCvso 7E8zfDDF+xBt9SJWQ8tGKoFY0B1qQFjy66g/GELg2pxvwakHy8gVEen4W3TNKacyRGTe C9C63VAXIzxYWCre1uWWSb0LdjMz+AyAk3q6v6cO2GMFC/2up+6Jm4DQyGYtCCDoniaB Hc0ttakypnWi9GEHVpuF7AKNOEJYOH2HbUuL1k+WdNeG3K7h1mUIqBbdHHUK2zFBNW37 BwxiMsCAID54cYV2C9fX0SJzfa8D6aMcVLGLZOxABpTVod6scaTn4i5mGmwWhmR9Loq8 sODw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=content-transfer-encoding:content-language:in-reply-to:mime-version :user-agent:date:message-id:from:references:cc:to:subject :arc-authentication-results; bh=KyViMQaiRBiUpjNPj7h6e9jQ1pPWCp+qVzdOs07Lo/c=; b=Ih7JqD/ZuRXBWxXE/dM7Ps5Y10O4Y0bsnc9ats/oo2ifC774b9Xy2SJYijhqqnKoQ8 09KHhLX9hdBp9II+ED6vGQxjFV+nVthGzWqCkNxptWoD6GaK79W6+KA2NgbWtoAxk8wc T68zi9B/6sihGEyLtN5EtlJDmbtTnKbG7WE83BcNBr/qUDePqS7NG8AqkjMtTIKJRHBI eVvPJeAk6OnKZy+4KSpuqNAZcWKaM1ZXBcN/kGET/7UTj6x7lUTK9Dn43jTYCtyJ5Uye 4lCoFPIb7DG/08/x4DyhCMsvKgrsQp1Lk4Q9gV5squVevTLoLKSFPdeQyRKyhp9p0WBg zxiQ== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of tim.c.chen@linux.intel.com designates 192.55.52.151 as permitted sender) smtp.mailfrom=tim.c.chen@linux.intel.com Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of tim.c.chen@linux.intel.com designates 192.55.52.151 as permitted sender) smtp.mailfrom=tim.c.chen@linux.intel.com X-Amp-Result: SKIPPED(no attachment in message) X-Amp-File-Uploaded: False X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="5.46,442,1511856000"; d="scan'208";a="14964811" Subject: Re: [PATCH] x86/speculation: Use Indirect Branch Prediction Barrier in context switch To: Josh Poimboeuf Cc: David Woodhouse , arjan@linux.intel.com, tglx@linutronix.de, karahmed@amazon.de, x86@kernel.org, linux-kernel@vger.kernel.org, bp@alien8.de, peterz@infradead.org, pbonzini@redhat.com, ak@linux.intel.com, torvalds@linux-foundation.org, gregkh@linux-foundation.org, mingo@kernel.org, luto@kernel.org, linux@dominikbrodowski.net References: <1517263487-3708-1-git-send-email-dwmw@amazon.co.uk> <20180130174850.bwypk4r5yn2344jb@treble> <20180131035907.sye4x7f3e77wnroh@treble> From: Tim Chen Message-ID: <2f5614a5-b7c4-52cf-a66f-6f62c2602bee@linux.intel.com> Date: Wed, 31 Jan 2018 15:25:44 -0800 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.1.0 MIME-Version: 1.0 In-Reply-To: <20180131035907.sye4x7f3e77wnroh@treble> Content-Type: text/plain; charset=utf-8 Content-Language: en-US Content-Transfer-Encoding: 7bit X-getmail-retrieved-from-mailbox: INBOX X-GMAIL-THRID: =?utf-8?q?1590966106432961445?= X-GMAIL-MSGID: =?utf-8?q?1591152367233189582?= X-Mailing-List: linux-kernel@vger.kernel.org List-ID: On 01/30/2018 07:59 PM, Josh Poimboeuf wrote: > On Tue, Jan 30, 2018 at 01:23:17PM -0800, Tim Chen wrote: >> On 01/30/2018 09:48 AM, Josh Poimboeuf wrote: >>> On Mon, Jan 29, 2018 at 10:04:47PM +0000, David Woodhouse wrote: >>>> From: Tim Chen >>>> >>>> Flush indirect branches when switching into a process that marked itself >>>> non dumpable. This protects high value processes like gpg better, >>>> without having too high performance overhead. >>> >>> I wonder what the point of this patch is. An audit of my laptop shows >>> only a single user of PR_SET_DUMPABLE: systemd-coredump. >> >> This is an opt in approach. For processes who need extra >> security, it set itself as non-dumpable. Then it can >> ensure that it doesn't see any poisoned BTB. > > I don't want other users reading my applications' memory. > > I don't want other containers reading my containers' memory. > > I don't want *any* user tasks reading root daemons' memory. > > Those are not unreasonable expectations. > > So now I have to go and modify all my containers and applications to set > PR_SET_DUMPABLE? That seems highly impractical and unlikely. > > Plus, I happen to *like* core dumps. > > The other option is to rebuild the entire userland with retpolines, but > again, that would make this patch completely pointless. > >>> [ And yes, I have gpg-agent running. Also, a grep of the gnupg source >>> doesn't show any evidence of it being used there. So the gpg thing >>> seems to be a myth. ] >> >> I'm less familiar with gpg-agent. Dave was the one who >> put in comments about gpg-agent in this patch so perhaps >> he can comment. >> >>> >>> But also, I much preferred the original version of the patch which only >>> skipped IBPB when 'prev' could ptrace 'next'. >> >> For the A->kernel thread->B scenario, you will need context of A >> to decide if you need IBPB when switching to B. You need to >> worry about whether the context of A has been released ... etc if >> you want to use ptrace. > > Is that why the ptrace approach was abandoned? Surely that's a solvable > problem? We have some smart people on lkml. And anyway I didn't see it > discussed anywhere. In the worst case we could just always do IBPB when > switching between kernel and user tasks. > I think dumpable is not the end all policy. It is a reasonable starting point to provide us a means to secure the most sensitive processes without IBPBing the world. It is on the performance end of the security/performance trade off. For people who opt for more security, it is reasonable to consider alternate policies to distinguish friend and foe so we know if we are coming from a potentially hostile environment. Ptrace is one means to do so, and probably there are other ways depending on usages. I hope we can have a discussion on what we should use to determine if two processes are friend or foe. Say do all the processes from the same containers are considered friends with each other? I think once we have this decided, actually putting in IBPB will simple. Tim