From mboxrd@z Thu Jan  1 00:00:00 1970
From: Will Deacon <will.deacon@arm.com>
Subject: Re: [PATCH bpf] bpf: prevent out-of-bounds speculation
Date: Wed, 10 Jan 2018 19:47:33 +0000
Message-ID: <20180110194733.GO9723@arm.com>
References: <20180105042811.1590965-1-ast@fb.com>
 <20180108170553.yrs46fawfpr62wtr@lakrids.cambridge.arm.com>
 <CA+55aFz0tsreoa=5Ud2noFCpng-dizLBhT9WU9asyhpLfjdcYA@mail.gmail.com>
 <20180109102129.GG4297@arm.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Cc: Mark Rutland <mark.rutland@arm.com>,
        Alexei Starovoitov <ast@fb.com>,
        "David S . Miller" <davem@davemloft.net>,
        Daniel Borkmann <daniel@iogearbox.net>,
        Jann Horn <jannh@google.com>,
        Dan Williams <dan.j.williams@intel.com>,
        Peter Zijlstra <peterz@infradead.org>,
        Elena Reshetova <elena.reshetova@intel.com>,
        Alan Cox <alan@linux.intel.com>,
        Network Development <netdev@vger.kernel.org>,
        kernel-team <kernel-team@fb.com>
To: Linus Torvalds <torvalds@linux-foundation.org>
Return-path: <netdev-owner@vger.kernel.org>
Received: from usa-sjc-mx-foss1.foss.arm.com ([217.140.101.70]:48538 "EHLO
        foss.arm.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
        id S1751451AbeAJTrb (ORCPT <rfc822;netdev@vger.kernel.org>);
        Wed, 10 Jan 2018 14:47:31 -0500
Content-Disposition: inline
In-Reply-To: <20180109102129.GG4297@arm.com>
Sender: netdev-owner@vger.kernel.org
List-ID: <netdev.vger.kernel.org>

Hi again Linus, Alexei,

On Tue, Jan 09, 2018 at 10:21:29AM +0000, Will Deacon wrote:
> On Mon, Jan 08, 2018 at 10:49:01AM -0800, Linus Torvalds wrote:
> > In this particular case, we should be very much aware of future CPU's
> > being more _constrained_, because CPU vendors had better start taking
> > this thing into account.
> > 
> > So the masking approach is FUNDAMENTALLY SAFER than the "let's try to
> > limit control speculation".
> > 
> > If somebody can point to a CPU that actually speculates across an
> > address masking operation, I will be very surprised. And unless you
> > can point to that, then stop trying to dismiss the masking approach.
> 
> Whilst I agree with your comments about future CPUs, this stuff is further
> out of academia than you might think. We're definitely erring on the
> belt-and-braces side of things at the moment, so let me go check what's
> *actually* been built and I suspect we'll be able to make the masking work.
> 
> Stay tuned...

I can happily confirm that there aren't any (ARM architecture) CPUs where
the masking approach is not sufficient, so there's no need to worry about
value speculation breaking this.

Will