[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <ee268494-c35e-422f-1aaf-baab12191c38@linux.intel.com>
Date: Tue, 17 Mar 2020 12:07:43 -0700
From: Tim Chen <tim.c.chen@...ux.intel.com>
To: Joel Fernandes <joel@...lfernandes.org>,
Julien Desfossez <jdesfossez@...italocean.com>,
Peter Zijlstra <peterz@...radead.org>
Cc: Vineeth Remanan Pillai <vpillai@...italocean.com>,
Aubrey Li <aubrey.intel@...il.com>,
Nishanth Aravamudan <naravamudan@...italocean.com>,
Ingo Molnar <mingo@...nel.org>,
Thomas Gleixner <tglx@...utronix.de>,
Paul Turner <pjt@...gle.com>,
Linus Torvalds <torvalds@...ux-foundation.org>,
Linux List Kernel Mailing <linux-kernel@...r.kernel.org>,
Dario Faggioli <dfaggioli@...e.com>,
Frédéric Weisbecker <fweisbec@...il.com>,
Kees Cook <keescook@...omium.org>,
Greg Kerr <kerrnel@...gle.com>, Phil Auld <pauld@...hat.com>,
Aaron Lu <aaron.lwe@...il.com>,
Valentin Schneider <valentin.schneider@....com>,
Mel Gorman <mgorman@...hsingularity.net>,
Pawan Gupta <pawan.kumar.gupta@...ux.intel.com>,
Paolo Bonzini <pbonzini@...hat.com>,
"Luck, Tony" <tony.luck@...el.com>
Subject: Re: [RFC PATCH v4 00/19] Core scheduling v4
Joel,
>
> Looks quite interesting. We are trying apply this work to ChromeOS. What we
> want to do is selectively marking tasks, instead of grouping sets of trusted
> tasks. I have a patch that adds a prctl which a task can call, and it works
> well (task calls prctl and gets a cookie which gives it a dedicated core).
>
> However, I have the following questions, in particular there are 4 scenarios
> where I feel the current patches do not resolve MDS/L1TF, would you guys
> please share your thoughts?
>
> 1. HT1 is running either hostile guest or host code.
> HT2 is running an interrupt handler (victim).
>
> In this case I see there is a possible MDS issue between HT1 and HT2.
Core scheduling mitigates the userspace to userspace attacks via MDS between the HT.
It does not prevent the userspace to kernel space attack. That will
have to be mitigated via other means, e.g. redirecting interrupts to a core
that don't run potentially unsafe code.
>
> 2. HT1 is executing hostile host code, and gets interrupted by a victim
> interrupt. HT2 is idle.
Similar to above.
>
> In this case, I see there is a possible MDS issue between interrupt and
> the host code on the same HT1.
The cpu buffers are cleared before return to the hostile host code. So
MDS shouldn't be an issue if interrupt handler and hostile code
runs on the same HT thread.
>
> 3. HT1 is executing hostile guest code, HT2 is executing a victim interrupt
> handler on the host.
>
> In this case, I see there is a possible L1TF issue between HT1 and HT2.
> This issue does not happen if HT1 is running host code, since the host
> kernel takes care of inverting PTE bits.
The interrupt handler will be run with PTE inverted. So I don't think
there's a leak via L1TF in this scenario.
>
> 4. HT1 is idle, and HT2 is running a victim process. Now HT1 starts running
> hostile code on guest or host. HT2 is being forced idle. However, there is
> an overlap between HT1 starting to execute hostile code and HT2's victim
> process getting scheduled out.
> Speaking to Vineeth, we discussed an idea to monitor the core_sched_seq
> counter of the sibling being idled to detect that it is now idle.
> However we discussed today that looking at this data, it is not really an
> issue since it is such a small window.
>
> My concern is now cases 1, 2 to which there does not seem a good solution,
> short of disabling interrupts. For 3, we could still possibly do something on
> the guest side, such as using shadow page tables. Any thoughts on all this?
>
+ Tony who may have more insights on L1TF and MDS.
Thanks.
Tim
Powered by blists - more mailing lists