lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <1515586174.22302.126.camel@infradead.org>
Date:   Wed, 10 Jan 2018 12:09:34 +0000
From:   David Woodhouse <dwmw2@...radead.org>
To:     Andrea Arcangeli <aarcange@...hat.com>
Cc:     Peter Zijlstra <peterz@...radead.org>,
        Dave Hansen <dave.hansen@...el.com>,
        Thomas Gleixner <tglx@...utronix.de>,
        LKML <linux-kernel@...r.kernel.org>,
        Linus Torvalds <torvalds@...uxfoundation.org>, x86@...nel.org,
        Borislav Petkov <bp@...en8.de>,
        Tim Chen <tim.c.chen@...ux.intel.com>,
        Andi Kleen <ak@...ux.intel.com>,
        Greg KH <gregkh@...uxfoundation.org>,
        Andy Lutomirski <luto@...nel.org>,
        Arjan Van De Ven <arjan.van.de.ven@...el.com>
Subject: Re: [patch RFC 5/5] x86/speculation: Add basic speculation control
 code

On Wed, 2018-01-10 at 13:01 +0100, Andrea Arcangeli wrote:
> 
> > On all current hardware, if you only set IBRS when you exit a guest,
> > then you are not protecting yourself from userspace at all. IBRS acts
> > as a *barrier* in all current hardware.
> 
> Kernel memory is 100% protected if you set only IBRS at vmexit.
> 
> Once IBRS is set, there's no way any userland (nor host nor guest) can
> attack the kernel memory through spectre variant#2.

That is not consistent with the documentation I've seen, which Intel
have so far utterly failed to publish AFAICT.

"a near indirect jump/call/return may be affected by code in a less privileged
prediction mode that executed AFTER IBRS mode was last written with a value of 1"

The kernel is only protected from branch targets set in userspace
*BEFORE* the IBRS mode was last set to 1. If you set it to 1, then
leave it like that while you run userspace and then kernel code again,
you are not protected.
Download attachment "smime.p7s" of type "application/x-pkcs7-signature" (5213 bytes)

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ