From: Tim Chen <tim.c.chen@linux.intel.com>
To: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Jiri Kosina <jikos@kernel.org>,
Thomas Gleixner <tglx@linutronix.de>,
thomas.lendacky@amd.com, Ingo Molnar <mingo@redhat.com>,
Peter Zijlstra <peterz@infradead.org>,
Josh Poimboeuf <jpoimboe@redhat.com>,
Andrea Arcangeli <aarcange@redhat.com>,
David Woodhouse <dwmw@amazon.co.uk>,
Andi Kleen <ak@linux.intel.com>,
dave.hansen@intel.com,
Casey Schaufler <casey.schaufler@intel.com>,
"Mallick, Asit K" <asit.k.mallick@intel.com>,
"Van De Ven, Arjan" <arjan@linux.intel.com>,
jcm@redhat.com, longman9394@gmail.com,
Greg KH <gregkh@linuxfoundation.org>,
david.c.stewart@intel.com,
Linux List Kernel Mailing <linux-kernel@vger.kernel.org>,
the arch/x86 maintainers <x86@kernel.org>,
stable@vger.kernel.org
Subject: Re: [Patch v6 14/16] x86/speculation: Use STIBP to restrict speculation on non-dumpable task
Date: Wed, 21 Nov 2018 09:41:31 -0800 [thread overview]
Message-ID: <aeeab5d3-c2cf-e6a5-9da3-d14d30e79011@linux.intel.com> (raw)
In-Reply-To: <CAHk-=wiRh4QVAHV086U02tDCJz9g8MYHegEHbxCZ6-Ap4ow5Lw@mail.gmail.com>
On 11/20/2018 05:27 PM, Linus Torvalds wrote:
> On Tue, Nov 20, 2018 at 4:33 PM Tim Chen <tim.c.chen@linux.intel.com> wrote:
>>
>> Implements arch_update_spec_restriction() for x86. Use STIBP to
>> restrict speculative execution when running a task set to non-dumpable,
>> or clear the restriction if the task is set to dumpable.
>
> I don't think this necessarily makes sense.
>
> The new "auto" behavior is that we aim to restrict untrusted code (and
> the loader of such code uses prctrl to set that flag), then this whole
> "set STIBP for non-dumpable" makes little sense.
When STIBP is on, it will prevent not only untrusted code from attacking,
but also trusted code from getting attacked. So non-dumpable task running
with STIBP will protect itself from attacks from code running on sibling CPU.
From software guidance:
"Setting ... STIBP ... on a logical processor prevents the predicted
targets of indirect branches on any logical processor of that core
from being controlled by software that executes (or executed
previously) on another logical processor of the same core."
The intention was to put TIF_SPEC_INDIR_BRANCH flag on
non-dumpable task, so it runs with STIBP and prevent
itself from getting attacked from code running in sibling CPU.
And when we context switch to non-dumpable task,
IBPB will be issued to prevent attack from anything running
on the same cpu based on TIF_SPEC_INDIR_BRANCH.
>
> A non-dumpable app by definition is *more* trusted, not less trusted.
>
> So this model of "let's disable prediction for system processes" not
> only doesn't make sense, but it also unnecessarily penalizes those
> potentially very important system processes.
It is a trade off of extra protection for non-dumpable app with
extra overhead. :(
Here it is the default behavior but that can be changed.
If we don't erect STIBP for non-dumpable tasks as default, we should still do IBPB
before switching to them. So the STIBP behavior and IBPB behavior will
then be untied for non-dumpable default.
>
> Also, "dumpable" in general is pretty oddly defined to be used for this.
>
> The same (privileged) process can be dumpable or not depending on how
> it was started (ie if it was started by a regular user and became
> trusted through suid, it's not dumpable, but if it was started from a
> root process it remains dumpable.
>
> So I'm just not convinced "dumpability" is meaningful for STIBP.
>
Tim
next prev parent reply other threads:[~2018-11-21 17:41 UTC|newest]
Thread overview: 26+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-11-20 23:59 [Patch v6 00/16] Provide task property based options to enable Spectre v2 userspace-userspace protection Tim Chen
2018-11-20 23:59 ` [Patch v6 01/16] x86/speculation: Reorganize cpu_show_common() Tim Chen
2018-11-20 23:59 ` [Patch v6 02/16] x86/speculation: Add X86_FEATURE_USE_IBRS_ENHANCED Tim Chen
2018-11-20 23:59 ` [Patch v6 03/16] x86/speculation: Disable STIBP when enhanced IBRS is in use Tim Chen
2018-11-20 23:59 ` [Patch v6 04/16] x86/speculation: Rename SSBD update functions Tim Chen
2018-11-20 23:59 ` [Patch v6 05/16] x86/speculation: Reorganize speculation control MSRs update Tim Chen
2018-11-20 23:59 ` [Patch v6 06/16] smt: Create cpu_smt_enabled static key for SMT specific code Tim Chen
2018-11-20 23:59 ` [Patch v6 07/16] x86/smt: Convert cpu_smt_control check to cpu_smt_enabled static key Tim Chen
2018-11-21 0:00 ` [Patch v6 08/16] x86/speculation: Turn on or off STIBP according to a task's TIF_STIBP Tim Chen
2018-11-21 0:00 ` [Patch v6 09/16] x86/speculation: Add Spectre v2 app to app protection modes Tim Chen
2018-11-21 0:00 ` [Patch v6 10/16] x86/speculation: Create PRCTL interface to restrict indirect branch speculation Tim Chen
2018-11-21 0:00 ` [Patch v6 11/16] x86/speculation: Enable IBPB for tasks with TIF_SPEC_BRANCH_SPECULATION Tim Chen
2018-11-21 0:00 ` [Patch v6 12/16] x86/speculation: Add 'seccomp' Spectre v2 app to app protection mode Tim Chen
2018-11-21 0:44 ` Jiri Kosina
2018-11-21 0:54 ` Tim Chen
2018-11-21 0:00 ` [Patch v6 13/16] security: Update speculation restriction of a process when modifying its dumpability Tim Chen
2018-11-21 0:00 ` [Patch v6 14/16] x86/speculation: Use STIBP to restrict speculation on non-dumpable task Tim Chen
2018-11-21 1:27 ` Linus Torvalds
2018-11-21 6:14 ` Jiri Kosina
2018-11-21 17:41 ` Tim Chen [this message]
2018-11-21 19:32 ` Linus Torvalds
2018-11-21 20:07 ` Dave Hansen
2018-11-21 20:26 ` Linus Torvalds
2018-11-21 0:00 ` [Patch v6 15/16] sched/smt: Make sched_smt_present track topology Tim Chen
2018-11-21 0:00 ` [Patch v6 16/16] x86/smt: Allow disabling of SMT when last SMT is offlined Tim Chen
2018-11-21 0:44 ` [Patch v6 00/16] Provide task property based options to enable Spectre v2 userspace-userspace protection Tim Chen
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=aeeab5d3-c2cf-e6a5-9da3-d14d30e79011@linux.intel.com \
--to=tim.c.chen@linux.intel.com \
--cc=aarcange@redhat.com \
--cc=ak@linux.intel.com \
--cc=arjan@linux.intel.com \
--cc=asit.k.mallick@intel.com \
--cc=casey.schaufler@intel.com \
--cc=dave.hansen@intel.com \
--cc=david.c.stewart@intel.com \
--cc=dwmw@amazon.co.uk \
--cc=gregkh@linuxfoundation.org \
--cc=jcm@redhat.com \
--cc=jikos@kernel.org \
--cc=jpoimboe@redhat.com \
--cc=linux-kernel@vger.kernel.org \
--cc=longman9394@gmail.com \
--cc=mingo@redhat.com \
--cc=peterz@infradead.org \
--cc=stable@vger.kernel.org \
--cc=tglx@linutronix.de \
--cc=thomas.lendacky@amd.com \
--cc=torvalds@linux-foundation.org \
--cc=x86@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox