lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20180110130202.GI9706@redhat.com>
Date:   Wed, 10 Jan 2018 14:02:02 +0100
From:   Andrea Arcangeli <aarcange@...hat.com>
To:     David Woodhouse <dwmw2@...radead.org>
Cc:     Jiri Kosina <jikos@...nel.org>,
        Peter Zijlstra <peterz@...radead.org>,
        Dave Hansen <dave.hansen@...el.com>,
        Thomas Gleixner <tglx@...utronix.de>,
        LKML <linux-kernel@...r.kernel.org>,
        Linus Torvalds <torvalds@...uxfoundation.org>, x86@...nel.org,
        Borislav Petkov <bp@...en8.de>,
        Tim Chen <tim.c.chen@...ux.intel.com>,
        Andi Kleen <ak@...ux.intel.com>,
        Greg KH <gregkh@...uxfoundation.org>,
        Andy Lutomirski <luto@...nel.org>,
        Arjan Van De Ven <arjan.van.de.ven@...el.com>
Subject: Re: [patch RFC 5/5] x86/speculation: Add basic speculation control
 code

On Wed, Jan 10, 2018 at 12:51:13PM +0000, David Woodhouse wrote:
> If it worked as Andrea suggests, then there would be absolutely no
> point in the patches we've seen which add the IBRS-frobbing on syscall
> entry and vmexit.

This is perhaps what you're missing I think, there is a huge point:
performance.

ibrs_enabled 1 ibpb_enabled 1 is much faster than ibrs_enabled 2
ibpb_enabled 1.

The current IBRS is disabling IBP, it can't do the "finegrined" thing
that leaves IBP speculation enabled.

Kernel is not a 100% C++ virtual template, so for kernel IBRS enabled
is not as a big deal as userland with IBRS enabled.

Once the new CPUid bit will be set it'll tell us IBRS is really
restricting speculation in a finegrined way with all privilege levels
ordered, so it simply tells is ibrs_enabled 2 ibpb_enabled 1 will be
faster than ibrs_enabled 1 ibpb_enabled 1, so the only thing we've to
do with the new CPUID bit you're talking about from the future, is to
change the default to ibrs_enabled 2 and it'll perform even better
with zero overhead in kernel entry points.

We already optimized for the future silicon, we've only to add a tweak
to detect cpuid and set the default ibrs_enabled to 2.

> The "IBRS all the time" feature is something we get on *future*
> hardware, not current hardware.

No, for current hardware it's the most secure option available and
required in fact if you want to fix guest userland attack on host
userland with math certainty which can matter for some customer.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ