| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20180105102824.GA247671@google.com>
Date: Fri, 5 Jan 2018 02:28:24 -0800
From: Paul Turner <pjt@...gle.com>
To: David Woodhouse <dwmw2@...radead.org>
Cc: Alexei Starovoitov <alexei.starovoitov@...il.com>,
Linus Torvalds <torvalds@...ux-foundation.org>,
Andi Kleen <ak@...ux.intel.com>,
LKML <linux-kernel@...r.kernel.org>,
Greg Kroah-Hartman <gregkh@...ux-foundation.org>,
Tim Chen <tim.c.chen@...ux.intel.com>,
Dave Hansen <dave.hansen@...el.com>,
Thomas Gleixner <tglx@...utronix.de>,
Kees Cook <keescook@...gle.com>,
Rik van Riel <riel@...hat.com>,
Peter Zijlstra <peterz@...radead.org>,
Andy Lutomirski <luto@...capital.net>,
Jiri Kosina <jikos@...nel.org>,
One Thousand Gnomes <gnomes@...rguk.ukuu.org.uk>
Subject: Re: [PATCH v3 01/13] x86/retpoline: Add initial retpoline support
On Thu, Jan 04, 2018 at 07:27:58PM +0000, David Woodhouse wrote:
> On Thu, 2018-01-04 at 10:36 -0800, Alexei Starovoitov wrote:
> >
> > Pretty much.
> > Paul's writeup: https://support.google.com/faqs/answer/7625886
> > tldr: jmp *%r11 gets converted to:
> > call set_up_target;
> > capture_spec:
> > pause;
> > jmp capture_spec;
> > set_up_target:
> > mov %r11, (%rsp);
> > ret;
> > where capture_spec part will be looping speculatively.
>
> That is almost identical to what's in my latest patch set, except that
> the capture_spec loop has 'lfence' instead of 'pause'.
When choosing this sequence I benchmarked several alternatives here, including
(nothing, nops, fences, and other serializing instructions such as cpuid).
The "pause; jmp" sequence proved minutely faster than "lfence;jmp" which is why
it was chosen.
"pause; jmp" 33.231 cycles/call 9.517 ns/call
"lfence; jmp" 33.354 cycles/call 9.552 ns/call
(Timings are for a complete retpolined indirect branch.)
>
> As Andi says, I'd want to see explicit approval from the CPU architects
> for making that change.
Beyond guaranteeing that speculative execution is constrained, the choice of
sequence here is a performance detail and not one of correctness.
>
> We've already had false starts there — for a long time, Intel thought
> that a much simpler option with an lfence after the register load was
> sufficient, and then eventually worked out that in some rare cases it
> wasn't. While AMD still seem to think it *is* sufficient for them,
> apparently.
As an interesting aside, that speculation proceeds beyond lfence can be
trivially proven using the timings above. In fact, if we substitute only:
"lfence" (with no jmp)
We see:
29.573 cycles/call 8.469 ns/call
Now, the only way for this timing to be different, is if speculation beyond the
lfence was executed differently.
That said, this is a negative result, it does suggest that the jmp is
contributing a larger than realized cost to our speculative loop. We can likely
shave off some additional time with some unrolling. I did try this previously,
but did not see results above the noise floor; it seems worth trying this again;
will take a look tomorrow.
Powered by blists - more mailing lists