lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Fri, 05 Jan 2018 16:46:40 +0000
From:   David Woodhouse <dwmw2@...radead.org>
To:     Andrea Arcangeli <aarcange@...hat.com>
Cc:     "Van De Ven, Arjan" <arjan.van.de.ven@...el.com>,
        Paul Turner <pjt@...gle.com>,
        Linus Torvalds <torvalds@...ux-foundation.org>,
        Tim Chen <tim.c.chen@...ux.intel.com>,
        Thomas Gleixner <tglx@...utronix.de>,
        Andy Lutomirski <luto@...nel.org>,
        Greg KH <gregkh@...uxfoundation.org>,
        "Hansen, Dave" <dave.hansen@...el.com>,
        Andi Kleen <ak@...ux.intel.com>,
        Linux Kernel Mailing List <linux-kernel@...r.kernel.org>
Subject: Re: [PATCH 0/7] IBRS patch series

On Fri, 2018-01-05 at 17:42 +0100, Andrea Arcangeli wrote:
> On Fri, Jan 05, 2018 at 04:37:30PM +0000, David Woodhouse wrote:
> > You are completely ignoring pre-Skylake here.
> > 
> > On pre-Skylake, retpoline is perfectly sufficient and it's a *lot*
> > faster than the IBRS option which is almost prohibitively slow.
> > 
> > We didn't do it just for fun. And it's working fine; it isn't *that*
> > complex.
> 
> How do you enable IBRS when the CPU switches to SMM?

SMM is fine, as Arjan said. It's only for stuff like EFI runtime calls,
and then only if you're really paranoid.

> Do you already have this 2-way code emission from gcc and patching
> with a 3-way alternatives at boot between ibrs and 2 reptoline version
> emitted by gcc and alternatives between ibrs and ibpb where SPEC_CTRL
> is missing on some CPU but IBPB_SUPPORT is available?

This was implemented in Intel's patch sets that they've been sending
out. I don't really know why we've suddenly gone back to the drawing
board and turned things around to put retpoline first in the series,
etc.

I'm also mildly concerned that all the variant 1 patches have just
disappeared.

> Or are you talking about having done this on a non upstream Xen build
> only without the 2-way code emission for gcc?

Xen has it too, but no. I was talking about Linux.
Download attachment "smime.p7s" of type "application/x-pkcs7-signature" (5213 bytes)

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ