Date:   Wed, 10 Jan 2018 15:48:53 +0000
From:   "Woodhouse, David" <dwmw@...zon.co.uk>
To:     Konrad Rzeszutek Wilk <konrad.wilk@...cle.com>,
        Paolo Bonzini <pbonzini@...hat.com>
CC:     Arjan van de Ven <arjan@...ux.intel.com>,
        Nadav Amit <nadav.amit@...il.com>,
        Liran Alon <liran.alon@...cle.com>, <jmattson@...gle.com>,
        <x86@...nel.org>, <bp@...en8.de>, <aliguori@...zon.com>,
        <thomas.lendacky@....com>, <rkrcmar@...hat.com>,
        <linux-kernel@...r.kernel.org>, <kvm@...r.kernel.org>
Subject: Re: [PATCH 3/8] kvm: vmx: pass MSR_IA32_SPEC_CTRL and
 MSR_IA32_PRED_CMD down to the guest

On Wed, 2018-01-10 at 10:41 -0500, Konrad Rzeszutek Wilk wrote:
> On Wed, Jan 10, 2018 at 03:28:43PM +0100, Paolo Bonzini wrote:
> > On 10/01/2018 15:06, Arjan van de Ven wrote:
> > > On 1/10/2018 5:20 AM, Paolo Bonzini wrote:
> > >> * a simple specification that does "IBRS=1 blocks indirect branch
> > >> prediction altogether" would actually satisfy the specification just as
> > >> well, and it would be nice to know if that's what the processor actually
> > >> does.
> > > 
> > > it doesn't exactly, not for all.
> > > 
> > > so you really do need to write ibrs again.
> > 
> > Okay, so "always set IBRS=1" does *not* protect against variant 2. Thanks,
> 
> And what is the point of this "always set IBRS=1" then? Are there
> some other things lurking in the shadows?

Yes. *FUTURE* CPUs will have a mode where you can just set IBRS and
leave it set for ever and not worry about any of this, and the
performance won't even suck.

Quite why it's still an option you have to set in an MSR, and not just
a feature bit that they advertise and do it unconditionally, I have no
idea. But apparently that's the plan.

But no current hardware will do this; they've done the best they can do
with microcode already.