| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <c51dd20a-2cea-1bd1-bee7-48ca25f9bdb9@linux.intel.com>
Date: Mon, 26 Nov 2018 10:35:39 -0800
From: Tim Chen <tim.c.chen@...ux.intel.com>
To: Ingo Molnar <mingo@...nel.org>,
Thomas Gleixner <tglx@...utronix.de>
Cc: LKML <linux-kernel@...r.kernel.org>, x86@...nel.org,
Peter Zijlstra <peterz@...radead.org>,
Andy Lutomirski <luto@...nel.org>,
Linus Torvalds <torvalds@...ux-foundation.org>,
Jiri Kosina <jkosina@...e.cz>,
Tom Lendacky <thomas.lendacky@....com>,
Josh Poimboeuf <jpoimboe@...hat.com>,
Andrea Arcangeli <aarcange@...hat.com>,
David Woodhouse <dwmw@...zon.co.uk>,
Andi Kleen <ak@...ux.intel.com>,
Dave Hansen <dave.hansen@...el.com>,
Casey Schaufler <casey.schaufler@...el.com>,
Asit Mallick <asit.k.mallick@...el.com>,
Arjan van de Ven <arjan@...ux.intel.com>,
Jon Masters <jcm@...hat.com>,
Waiman Long <longman9394@...il.com>,
Greg KH <gregkh@...uxfoundation.org>,
Dave Stewart <david.c.stewart@...el.com>,
Kees Cook <keescook@...omium.org>
Subject: Re: [patch 20/24] x86/speculation: Split out TIF update
On 11/22/2018 11:37 PM, Ingo Molnar wrote:
>>> I think all the call paths from prctl and seccomp coming here
>>> has tsk == current.
>>
>> We had that discussion before with SSBD:
>>
>> seccomp_set_mode_filter()
>> seccomp_attach_filter()
>> seccomp_sync_threads()
>> for_each_thread(t)
>> if (t == current)
>> continue;
>> seccomp_assign_mode(t)
>> arch_seccomp_spec_mitigate(t);
>>
>> seccomp_assign_mode(current...)
>> arch_seccomp_spec_mitigate();
>>
>>> But if task_update_spec_tif gets used in the future where tsk is running
>>> on a remote CPU, this could lead to the MSR getting out of sync with the
>>> running task's TIF flag. This will break either performance or security.
>>
>> We also had that discussion with SSBD and decided that we won't chase
>> threads and send IPIs around. Yes, it's not perfect, but not the end of the
>> world either. For PRCTL it's a non issue.
Looks like seccomp thread can be running on a remote CPU when its TIF_SPEC_IB flag
gets updated.
I wonder if this will cause STIBP to be always off in this scenario, when
two tasks with SPEC_IB flags running on a remote CPU have STIBP bit always
*off* in SPEC MSR.
Let's say we have tasks A and B running on a remote CPU:
task A: SPEC_IB flag is on
task B: SPEC_IB flag is off but is currently running on remote CPU, SPEC MSR's STIBP bit is off
Now arch_seccomp_spec_mitigation is called, setting SPEC_IB flag on task B.
SPEC MSR becomes out of sync with running task B's SPEC_IB flag.
Task B context switches to task A. Because both tasks have SPEC_IB flag set and the flag
status is unchanged, SPEC MSR's STIBP bit is not updated.
SPEC MSR STIBP bit remains off if tasks A and B are the only tasks running
on the CPU.
There is an equivalent scenario where the SPEC MSR's STIBP bit remains on even though both
running task A and B's SPEC_IB flags are turned off.
Wonder if I may be missing something so the above scenario is not of concern?
Thanks.
Tim
>
> Fair enough and agreed - but please add a comment for all this, as it's a
> non-trivial and rare call context and a non-trivial implementation
> trade-off as a result.
>
Powered by blists - more mailing lists