lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Tue, 8 Jan 2019 16:58:26 -0800
From:   Ben Greear <greearb@...delatech.com>
To:     Tim Chen <tim.c.chen@...ux.intel.com>,
        Thomas Gleixner <tglx@...utronix.de>
Cc:     Jiri Kosina <jikos@...nel.org>,
        Linus Torvalds <torvalds@...ux-foundation.org>,
        Tom Lendacky <thomas.lendacky@....com>,
        Ingo Molnar <mingo@...hat.com>,
        Peter Zijlstra <peterz@...radead.org>,
        Josh Poimboeuf <jpoimboe@...hat.com>,
        Andrea Arcangeli <aarcange@...hat.com>,
        David Woodhouse <dwmw@...zon.co.uk>,
        Andi Kleen <ak@...ux.intel.com>,
        Dave Hansen <dave.hansen@...el.com>,
        Asit Mallick <asit.k.mallick@...el.com>,
        Arjan van de Ven <arjan@...ux.intel.com>,
        Jon Masters <jcm@...hat.com>,
        Waiman Long <longman9394@...il.com>,
        Greg KH <gregkh@...uxfoundation.org>,
        Borislav Petkov <bp@...en8.de>, linux-kernel@...r.kernel.org,
        x86@...nel.org, stable@...r.kernel.org
Subject: Re: [PATCH] x86/speculation: Add document to describe Spectre and its
 mitigations

On 1/7/19 9:57 AM, Tim Chen wrote:
> On 12/31/18 8:22 AM, Ben Greear wrote:
>>
>>
>> On 12/21/2018 05:17 PM, Tim Chen wrote:
>>>
>>> If you don't worry about security and performance is paramount, then
>>> boot with "nospectre_v2".  That's explained in the document.
>>
>> There seem to be lots of different variants of this type of problem.  It was not clear
>> to me that just doing nospectre_v2 would be sufficient to get back full performance.
> 
> The performance penalty comes from retpoline penalizing indirect branch predictions in kernel.
> With nospectre_v2, retpoline is disabled so you should get all the performance
> back from spectre mitigation.
> 
> This does not disable kernel page table isolation for meltdown mitigation, which also
> needs to be turned off if you want to get the full performance back.  That's somewhat
> beyond the scope of this doc on Spectre.

The two bug families (spectre and meltdown) are conflated in my mind, at least.

For those of us who do not really understand this stuff in detail, it would
be good to at least mention some notes about Meltdown I think.

>> And anyway, I would like to compile the kernel to not need that command-line option,
>> so I am still interesting in what compile options need to be set to what values...
>>
> 
> If you just want to disable spectre mitigation, setting CONFIG_RETPOLINE=n should do
> the  trick.  If you also want to disable meltdown mitigation,
> set CONFIG_PAGE_TABLE_ISOLATION=n.

Ok, are there any other CONFIG options that relate to fixing security bugs that
have noticeable performance impacts or are these two the complete list?

Thanks,
Ben

-- 
Ben Greear <greearb@...delatech.com>
Candela Technologies Inc  http://www.candelatech.com

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ