lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Date:   Mon, 8 Jan 2018 12:49:39 -0000
From:   "David Woodhouse" <dwmw2@...radead.org>
To:     "Paul Turner" <pjt@...gle.com>
Cc:     "David Woodhouse" <dwmw2@...radead.org>,
        "Andi Kleen" <ak@...ux.intel.com>,
        "LKML" <linux-kernel@...r.kernel.org>,
        "Linus Torvalds" <torvalds@...ux-foundation.org>,
        "Greg Kroah-Hartman" <gregkh@...ux-foundation.org>,
        "Tim Chen" <tim.c.chen@...ux.intel.com>,
        "Dave Hansen" <dave.hansen@...el.com>,
        "Thomas Gleixner" <tglx@...utronix.de>,
        "Kees Cook" <keescook@...gle.com>,
        "Rik van Riel" <riel@...hat.com>,
        "Peter Zijlstra" <peterz@...radead.org>,
        "Andy Lutomirski" <luto@...capital.net>,
        "Jiri Kosina" <jikos@...nel.org>,
        "One Thousand Gnomes" <gnomes@...rguk.ukuu.org.uk>
Subject: Re: [PATCH v6 00/10] Retpoline: Avoid speculative indirect calls in
 kernel


> On Mon, Jan 8, 2018 at 2:45 AM, David Woodhouse <dwmw2@...radead.org>
> wrote:
>> On Mon, 2018-01-08 at 02:34 -0800, Paul Turner wrote:
>>> One detail that is missing is that we still need RSB refill in some
>>> cases.
>>> This is not because the retpoline sequence itself will underflow (it
>>> is actually guaranteed not to, since it consumes only RSB entries
>>> that it generates.
>>> But either to avoid poisoning of the RSB entries themselves, or to
>>> avoid the hardware turning to alternate predictors on RSB underflow.
>>>
>>> Enumerating the cases we care about:
>>>
>>> • user->kernel in the absence of SMEP:
>>> In the absence of SMEP, we must worry about user-generated RSB
>>> entries being consumable by kernel execution.
>>> Generally speaking, for synchronous execution this will not occur
>>> (e.g. syscall, interrupt), however, one important case remains.
>>> When we context switch between two threads, we should flush the RSB
>>> so that execution generated from the unbalanced return path on the
>>> thread that we just scheduled into, cannot consume RSB entries
>>> potentially installed by the prior thread.
>>
>> Or IBPB here, yes? That's what we had in the original patch set when
>> retpoline came last, and what I assume will be put back again once we
>> *finally* get our act together and reinstate the full set of microcode
>> patches.
>
> IBPB is *much* more expensive than the sequence I suggested.
> If the kernel has been protected with a retpoline compilation, it is
> much faster to not use IBPB here; we only need to prevent
> ret-poisoning in this case.

Retpoline protects the kernel but IBPB is needed on context switch anyway
to protect userspace processes from each other.

But...

> A) I am enumerating all of the cases for completeness.  It was missed
> by many that this detail was necessary on this patch, independently of
> IBRS.
> B) On the parts duplicated in (A), for specifics that are contributory to
> correctness in both cases, we should not hand-wave over the fact that
> they may or may not be covered by another patch-set.  Users need to
> understand what's required for complete protection.  Particularly if they
> are backporting.

... yes, agreed. Now we are putting retpoline first we shouldn't miss
things that we *were* doing anyway. TBH I really don't think we should
have spilt the patch sets apart; we'll work on getting the rest on top
ASAP.

-- 
dwmw2

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ