lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Wed, 10 Jan 2018 14:05:51 +0100
From:   Andrea Arcangeli <aarcange@...hat.com>
To:     David Woodhouse <dwmw2@...radead.org>
Cc:     Jiri Kosina <jikos@...nel.org>,
        Peter Zijlstra <peterz@...radead.org>,
        Dave Hansen <dave.hansen@...el.com>,
        Thomas Gleixner <tglx@...utronix.de>,
        LKML <linux-kernel@...r.kernel.org>,
        Linus Torvalds <torvalds@...uxfoundation.org>, x86@...nel.org,
        Borislav Petkov <bp@...en8.de>,
        Tim Chen <tim.c.chen@...ux.intel.com>,
        Andi Kleen <ak@...ux.intel.com>,
        Greg KH <gregkh@...uxfoundation.org>,
        Andy Lutomirski <luto@...nel.org>,
        Arjan Van De Ven <arjan.van.de.ven@...el.com>
Subject: Re: [patch RFC 5/5] x86/speculation: Add basic speculation control
 code

On Wed, Jan 10, 2018 at 02:02:02PM +0100, Andrea Arcangeli wrote:
> On Wed, Jan 10, 2018 at 12:51:13PM +0000, David Woodhouse wrote:
> > If it worked as Andrea suggests, then there would be absolutely no
> > point in the patches we've seen which add the IBRS-frobbing on syscall
> > entry and vmexit.
> 
> This is perhaps what you're missing I think, there is a huge point:
> performance.

And note, if you run getppid in a loop you're perfectly right
ibrs_enabled 2 will perform better than ibrs_enabled 1, but we run
multiple set of macro benchmarks and ibrs_enabled 1 ibpb_enabled 1
always wins. So ibrs_enabled 2 ibpb_enabled 1 is left as an optional
"paranoid" security mode, more secure but even slower.

We draw a line for the default to stop the PoC which we know can be
mounted (at least in theory :) and is practical attack.

Also note, the slowdown of setting IBRS varies with older CPUs being
more affected, but for all current silicon ibrs_enabled 1 ibpb_enabled
1 is faster in 99% of real life workloads.

The future silicon will set the CPUID that will tell us set
"ibrs_enabled 2" by default, but you can do it right and it's even
more secure as it completely solves any HT effect in userland and it
prevents the KVM guest kernel to be attacked by guest userland through
a spectre variant#2 attack from guest userland to qemu host userland.

Hope this helps,
Andrea

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ