lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Tue, 20 Nov 2018 17:27:59 -0800
From:   Linus Torvalds <torvalds@...ux-foundation.org>
To:     Tim Chen <tim.c.chen@...ux.intel.com>
Cc:     Jiri Kosina <jikos@...nel.org>,
        Thomas Gleixner <tglx@...utronix.de>, thomas.lendacky@....com,
        Ingo Molnar <mingo@...hat.com>,
        Peter Zijlstra <peterz@...radead.org>,
        Josh Poimboeuf <jpoimboe@...hat.com>,
        Andrea Arcangeli <aarcange@...hat.com>,
        David Woodhouse <dwmw@...zon.co.uk>,
        Andi Kleen <ak@...ux.intel.com>, dave.hansen@...el.com,
        Casey Schaufler <casey.schaufler@...el.com>,
        "Mallick, Asit K" <asit.k.mallick@...el.com>,
        "Van De Ven, Arjan" <arjan@...ux.intel.com>, jcm@...hat.com,
        longman9394@...il.com, Greg KH <gregkh@...uxfoundation.org>,
        david.c.stewart@...el.com,
        Linux List Kernel Mailing <linux-kernel@...r.kernel.org>,
        "the arch/x86 maintainers" <x86@...nel.org>, stable@...r.kernel.org
Subject: Re: [Patch v6 14/16] x86/speculation: Use STIBP to restrict
 speculation on non-dumpable task

On Tue, Nov 20, 2018 at 4:33 PM Tim Chen <tim.c.chen@...ux.intel.com> wrote:
>
> Implements arch_update_spec_restriction() for x86.  Use STIBP to
> restrict speculative execution when running a task set to non-dumpable,
> or clear the restriction if the task is set to dumpable.

I don't think this necessarily makes sense.

The new "auto" behavior is that we aim to restrict untrusted code (and
the loader of such code uses prctrl to set that flag), then this whole
"set STIBP for non-dumpable" makes little sense.

A non-dumpable app by definition is *more* trusted, not less trusted.

So this model of "let's disable prediction for system processes" not
only doesn't make sense, but it also unnecessarily penalizes those
potentially very important system processes.

Also, "dumpable" in general is pretty oddly defined to be used for this.

The same (privileged) process can be dumpable or not depending on how
it was started (ie if it was started by a regular user and became
trusted through suid, it's not dumpable, but if it was started from a
root process it remains dumpable.

So I'm just not convinced "dumpability" is meaningful for STIBP.

                  Linus

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ