LKML Archive on lore.kernel.org
help / color / mirror / Atom feed
From: Dave Hansen <dave.hansen@intel.com>
To: "Maciej S. Szmigiero" <mail@maciej.szmigiero.name>
Cc: Thomas Gleixner <tglx@linutronix.de>,
Ingo Molnar <mingo@redhat.com>, "H. Peter Anvin" <hpa@zytor.com>,
David Woodhouse <dwmw@amazon.co.uk>,
KarimAllah Ahmed <karahmed@amazon.de>,
Andi Kleen <ak@linux.intel.com>,
Tim Chen <tim.c.chen@linux.intel.com>,
thomas.lendacky@amd.com, x86@kernel.org,
linux-kernel@vger.kernel.org
Subject: Re: [PATCH] x86/speculation: Fill the RSB on context switch also on non-IBPB CPUs
Date: Thu, 22 Mar 2018 08:46:20 -0700 [thread overview]
Message-ID: <9f9d0c1f-a889-d2bc-e9d9-d4ef9d99770b@intel.com> (raw)
In-Reply-To: <4d7cfea4-a86a-c8f2-aaff-c8429fc107b8@maciej.szmigiero.name>
On 03/21/2018 05:09 PM, Maciej S. Szmigiero wrote:
> As far as I understand the issue this should provide a good protection
> for userspace processes that were recompiled with retpolines as they
> won't have any indirect jumps and calls.
Instead of saying "good protection", let's just say that it could
mitigate attacks that require consumption of attacker-placed RSB entries.
>> Do you perhaps want to do RSB manipulation in lieu of IBPB when
>> switching *to* a non-dumpable process and IBPB is not available?
>
> Is it worth differentiating such processes in this case?
> IBPB is supposed to be very expensive so certainly it is worthwhile
> to do it only for high-value processes (=non-dumpable).
>
> However, it is unlikely that existing RSB entries from the previous
> task match the new task call stack anyway.
> We already do unconditional RSB-filling-on-context-switch in many
> cases.
I think this case is a bit too obscure and theoretical to complicate the
kernel with it. You need an unmitigated processor, a
userspace-to-userspace attack that manages to satisfy the five "exploit
composition" steps of Spectre/V2[1], and an application that has been
retpoline-mitigated.
While RSB manipulation is almost certainly less onerous than IBPB, it's
still going to hurt context-switch rates, especially if applied
indiscriminately like this patch does.
So, I totally agree with your analysis about the theoretical potential
for an issue, I'm just not really convinced the fix is worth it.
1.
https://software.intel.com/sites/default/files/managed/1d/46/Retpoline-A-Branch-Target-Injection-Mitigation.pdf
next prev parent reply other threads:[~2018-03-22 15:46 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-03-20 11:17 Maciej S. Szmigiero
2018-03-21 14:05 ` Dave Hansen
2018-03-21 22:57 ` Maciej S. Szmigiero
2018-03-21 23:30 ` Dave Hansen
2018-03-22 0:09 ` Maciej S. Szmigiero
2018-03-22 15:46 ` Dave Hansen [this message]
2018-03-23 23:11 ` Maciej S. Szmigiero
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=9f9d0c1f-a889-d2bc-e9d9-d4ef9d99770b@intel.com \
--to=dave.hansen@intel.com \
--cc=ak@linux.intel.com \
--cc=dwmw@amazon.co.uk \
--cc=hpa@zytor.com \
--cc=karahmed@amazon.de \
--cc=linux-kernel@vger.kernel.org \
--cc=mail@maciej.szmigiero.name \
--cc=mingo@redhat.com \
--cc=tglx@linutronix.de \
--cc=thomas.lendacky@amd.com \
--cc=tim.c.chen@linux.intel.com \
--cc=x86@kernel.org \
--subject='Re: [PATCH] x86/speculation: Fill the RSB on context switch also on non-IBPB CPUs' \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).