From: Tim Chen <tim.c.chen@linux.intel.com>
To: Jiri Kosina <jikos@kernel.org>, Thomas Gleixner <tglx@linutronix.de>
Cc: Tim Chen <tim.c.chen@linux.intel.com>,
Tom Lendacky <thomas.lendacky@amd.com>,
Ingo Molnar <mingo@redhat.com>,
Peter Zijlstra <peterz@infradead.org>,
Josh Poimboeuf <jpoimboe@redhat.com>,
Andrea Arcangeli <aarcange@redhat.com>,
David Woodhouse <dwmw@amazon.co.uk>,
Andi Kleen <ak@linux.intel.com>,
Dave Hansen <dave.hansen@intel.com>,
Casey Schaufler <casey.schaufler@intel.com>,
Asit Mallick <asit.k.mallick@intel.com>,
Arjan van de Ven <arjan@linux.intel.com>,
Jon Masters <jcm@redhat.com>,
linux-kernel@vger.kernel.org, x86@kernel.org
Subject: [Patch v3 00/13] Provide process property based options to enable Spectre v2 userspace-userspace protection
Date: Wed, 17 Oct 2018 10:59:28 -0700
Message-ID: <cover.1539798901.git.tim.c.chen@linux.intel.com>

Thanks to the valuable feedback from Thomas, Ingo and other
reviewers to the second version of this patchset.

The patches are now broken down into smaller functional changes
and should make them clearer and easier to review and merge.
One major change is that STIBP is not needed when enhanced
IBRS is being used. The new code reflects this logic.

Patches 1 and 2 are clean up patches.
Patches 3 and 4 disable STIBP for enhanced IBRS.
Patches 5 to 9 reorganize the code without affecting
functionality for easier modification later.
Patch 10 introduces the STIBP flag on a process to dynamically
enable STIBP for that process.
Patch 11 introduces the lite option to protect only
processes against Spectre v2 user space attack
for processes with STIBP flag.
Patch 12 marks the non-dumpable processes to be protected.
Patch 13 introduces prctl interface to restrict indirect
branch speculation via prctl.

Tim

Changes:
v3:
1. Add logic to skip STIBP when Enhanced IBRS is used.
2. Break up v2 patches into smaller logical patches.
3. Fix bug in arch_set_dumpable that did not update SPEC_CTRL
MSR right away when according to task's STIBP flag clearing which
caused STIBP to be left on.
4. Various code clean up.

v2:
1. Extend per process STIBP to AMD cpus
2. Add prctl option to control per process indirect branch speculation
3. Bug fixes and cleanups

Jiri's patchset to harden Spectre v2 user space mitigation makes IBPB
and STIBP in use for Spectre v2 mitigation on all processes. IBPB will
be issued for switching to an application that's not ptraceable by the
previous application and STIBP will be always turned on.

However, leaving STIBP on all the time is expensive for certain
applications that have frequent indirect branches. One such application
is perlbench in the SpecInt Rate 2006 test suite which shows a
21% reduction in throughput. Other applications like bzip2 in
the same test suite with minimal indirect branches have
only a 0.7% reduction in throughput. IBPB will also impose
overhead during context switches.

Application to application exploit is in general difficult due to address
space layout randomization in applications and the need to know an
application's address space layout ahead of time. Users may not wish to
incur performance overhead from IBPB and STIBP for general non security
sensitive processes and use these mitigations only for security sensitive
processes.

This patchset provides a process property based lite protection mode that
applies IBPB and STIBP mitigation only to security sensitive non-dumpable
processes and processes that users want to protect by having indirect
branch speculation disabled via PRCTL. So the overhead from IBPB and
STIBP is avoided for low security processes that don't require extra
protection.

Tim Chen (13):
  x86/speculation: Clean up spectre_v2_parse_cmdline
  x86/speculation: Remove unnecessary ret variable in cpu_show_common
  x86/speculation: Add static key for Enhanced IBRS
  x86/speculation: Disable STIBP when enhanced IBRS is in use
  x86/smt: Create cpu_smt_enabled static key for SMT specific code
  mm: Pass task instead of task->mm as argument to set_dumpable
  x86/process Add arch_set_dumpable
  x86/speculation: Rename SSBD update functions
  x86/speculation: Reorganize SPEC_CTRL MSR update
  x86/speculation: Add per thread STIBP flag
  x86/speculation: Add Spectre v2 lite app to app protection mode
  x86/speculation: Protect non-dumpable processes against Spectre v2
    attack
  x86/speculation: Create PRCTL interface to restrict indirect branch
    speculation

Documentation/admin-guide/kernel-parameters.txt | 21 ++
Documentation/userspace-api/spec_ctrl.rst | 10 +
arch/x86/include/asm/msr-index.h | 6 +-
arch/x86/include/asm/nospec-branch.h | 10 +
arch/x86/include/asm/spec-ctrl.h | 18 +-
arch/x86/include/asm/thread_info.h | 5 +-
arch/x86/kernel/cpu/bugs.c | 294 +++++++++++++++++++++---
arch/x86/kernel/process.c | 53 +++--
arch/x86/kvm/vmx.c | 2 +-
arch/x86/mm/tlb.c | 19 +-
fs/exec.c | 20 +-
include/linux/cpu.h | 1 +
include/linux/sched.h | 11 +
include/linux/sched/coredump.h | 2 +-
include/uapi/linux/prctl.h | 1 +
kernel/cpu.c | 12 +-
kernel/cred.c | 2 +-
kernel/sys.c | 2 +-
tools/include/uapi/linux/prctl.h | 1 +
19 files changed, 427 insertions(+), 63 deletions(-)
--
2.9.4
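
An added example, not code from this patch series, of how a security-sensitive process could acquire the two properties the cover letter's lite mode keys on: being non-dumpable and having indirect branch speculation restricted via prctl. It assumes the PR_SPEC_INDIRECT_BRANCH control as defined in mainline <linux/prctl.h> (the constant name used by patch 13 of this v3 series is not shown on the page); the enum and function names are hypothetical.

```c
#include <stdio.h>
#include <sys/prctl.h>

/* Fallbacks for older headers; values match mainline <linux/prctl.h>. */
#ifndef PR_GET_SPECULATION_CTRL
#define PR_GET_SPECULATION_CTRL 52
#define PR_SET_SPECULATION_CTRL 53
#define PR_SPEC_PRCTL           (1UL << 0)
#define PR_SPEC_ENABLE          (1UL << 1)
#define PR_SPEC_DISABLE         (1UL << 2)
#define PR_SPEC_FORCE_DISABLE   (1UL << 3)
#endif
#ifndef PR_SPEC_INDIRECT_BRANCH
#define PR_SPEC_INDIRECT_BRANCH 1
#endif
/* Hypothetical names for the decoded PR_GET_SPECULATION_CTRL result. */
enum spec_state { SPEC_UNSUPPORTED, SPEC_FIXED, SPEC_ALLOWED, SPEC_RESTRICTED };

enum spec_state decode_spec_status(long status)
{
    if (status < 0)
        return SPEC_UNSUPPORTED;   /* kernel does not know this control */
    if (status & (PR_SPEC_DISABLE | PR_SPEC_FORCE_DISABLE))
        return SPEC_RESTRICTED;    /* mitigation active for this task */
    if (!(status & PR_SPEC_PRCTL))
        return SPEC_FIXED;         /* not affected, or set by boot policy */
    return SPEC_ALLOWED;           /* per-task control available, not yet used */
}

enum spec_state protect_self(void)
{
    /* Non-dumpable: no core dumps, unprivileged ptrace attach refused. */
    if (prctl(PR_SET_DUMPABLE, 0, 0, 0, 0) != 0)
        perror("PR_SET_DUMPABLE");
    long st = prctl(PR_GET_SPECULATION_CTRL, PR_SPEC_INDIRECT_BRANCH, 0, 0, 0);
    if (decode_spec_status(st) == SPEC_ALLOWED &&
        prctl(PR_SET_SPECULATION_CTRL, PR_SPEC_INDIRECT_BRANCH, PR_SPEC_DISABLE, 0, 0) != 0)
        perror("PR_SET_SPECULATION_CTRL");
    /* Re-read instead of trusting the set call, so callers can fail closed. */
    st = prctl(PR_GET_SPECULATION_CTRL, PR_SPEC_INDIRECT_BRANCH, 0, 0, 0);
    return decode_spec_status(st);
}

int main(void)
{
    static const char *names[] = { "unsupported", "fixed", "allowed", "restricted" };
    printf("indirect branch speculation: %s\n", names[protect_self()]);
    return 0;
}
```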