lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Tue, 9 Jan 2018 17:49:08 +0100
From:   Paolo Bonzini <pbonzini@...hat.com>
To:     Arjan van de Ven <arjan@...ux.intel.com>,
        Liran Alon <liran.alon@...cle.com>
Cc:     jmattson@...gle.com, dwmw@...zon.co.uk, bp@...en8.de,
        aliguori@...zon.com, thomas.lendacky@....com,
        linux-kernel@...r.kernel.org, kvm@...r.kernel.org
Subject: Re: [PATCH 6/7] x86/svm: Set IBPB when running a different VCPU

On 09/01/2018 17:23, Arjan van de Ven wrote:
> On 1/9/2018 8:17 AM, Paolo Bonzini wrote:
>> On 09/01/2018 16:19, Arjan van de Ven wrote:
>>> On 1/9/2018 7:00 AM, Liran Alon wrote:
>>>>
>>>> ----- arjan@...ux.intel.com wrote:
>>>>
>>>>> On 1/9/2018 3:41 AM, Paolo Bonzini wrote:
>>>>>> The above ("IBRS simply disables the indirect branch predictor")
>>>>>> was my
>>>>>> take-away message from private discussion with Intel.  My guess is
>>>>>> that
>>>>>> the vendors are just handwaving a spec that doesn't match what
>>>>>> they have
>>>>>> implemented, because honestly a microcode update is unlikely to do
>>>>>> much
>>>>>> more than an old-fashioned chicken bit.  Maybe on Skylake it does
>>>>>> though, since the performance characteristics of IBRS are so
>>>>>> different
>>>>>> from previous processors.  Let's ask Arjan who might have more
>>>>>> information about it, and hope he actually can disclose it...
>>>>>
>>>>> IBRS will ensure that, when set after the ring transition, no earlier
>>>>> branch prediction data is used for indirect branches while IBRS is
>>>>> set
>>
>> Let me ask you my questions, which are independent of L0/L1/L2
>> terminology.
>>
>> 1) Is vmentry/vmexit considered a ring transition, even if the guest is
>> running in ring 0?  If IBRS=1 in the guest and the host is using IBRS,
>> the host will not do a wrmsr on exit.  Is this safe for the host kernel?
> 
> I think the CPU folks would want us to write the msr again.

Want us, or need us---and if we don't do that, what happens?  And if we
have to do it, how is IBRS=1 different from an IBPB?...

Since I am at it, what happens on *current generation* CPUs if you
always leave IBRS=1?  Slow and safe, or fast and unsafe?

>> 2) How will the future processors work where IBRS should always be =1?
> 
> IBRS=1 should be "fire and forget this ever happened".
> This is the only time anyone should use IBRS in practice

And IBPB too I hope?  But besides that, I need to know exactly how that
is implemented to ensure that it's doing the right thing.

> (and then the host turns it on and makes sure to not expose it to the
> guests I hope)

That's not that easy, because guests might have support for SPEC_CTRL
but not for IA32_ARCH_CAPABILITIES.

You could disable the SPEC_CTRL bit, but then the guest might think it
is not secure.  It might also actually *be* insecure, if you migrated to
an older CPU where IBRS is not fire-and-forget.

Paolo

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ