lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <20210108121056.21940-1-sblbir@amazon.com>
Date:   Fri, 8 Jan 2021 23:10:51 +1100
From:   Balbir Singh <sblbir@...zon.com>
To:     <tglx@...utronix.de>, <mingo@...hat.com>
CC:     <peterz@...radead.org>, <linux-kernel@...r.kernel.org>,
        <keescook@...omium.org>, <jpoimboe@...hat.com>,
        <tony.luck@...el.com>, <benh@...nel.crashing.org>,
        <x86@...nel.org>, <dave.hansen@...el.com>,
        <thomas.lendacky@....com>, <torvalds@...ux-foundation.org>,
        Balbir Singh <sblbir@...zon.com>
Subject: [PATCH v4 0/5] Next revision of the L1D flush patches

Implement a mechanism that allows tasks to conditionally flush
their L1D cache (mitigation mechanism suggested in [2]). The previous
posts of these patches were sent for inclusion (see [3]) and were not
included due to the concern for the need for additional checks,
those checks were:

1. Implement this mechanism only for CPUs affected by the L1TF bug
2. Disable the software fallback
3. Provide an override to enable this mechanism
4. Be SMT aware in the implementation

The patches support a use case where the entire system is not in
non SMT mode, but rather a few CPUs can have their SMT turned off
and processes that want to opt-in are expected to run on non SMT
cores. This gives the administrator complete control over setting
up the mitigation for the issue. In addition, the administrator
has a boot time override (l1d_flush=on) to turn on the mechanism
without which this mechanism will not work.

To implement these efficiently, a new per cpu view of whether the core
is in SMT mode or not is implemented in patch 1. The code is refactored
in patch 2 so that the existing code can allow for other speculation
related checks when switching mm between tasks, this mechanism has not
changed since the last post. The ability to flush L1D for tasks if the
TIF_SPEC_L1D_FLUSH bit is set and the task has context switched out of a
non SMT core is provided by patch 3. Hooks for the user space API, for
this feature to be invoked via prctl are provided in patch 4, along with
the checks described above (1, 2, and 3). Documentation updates are in
patch 5, with updates on l1d_flush, the prctl changes and updates to the
kernel-parameters (l1d_flush_out).

The checks for opting into L1D flushing are:
	a. If the CPU is affected by L1TF
        b. Hardware L1D flush mechanism is available

A task running on a core with SMT enabled and opting into this feature will
receive a SIGBUS.

References
[1] https://software.intel.com/security-software-guidance/software-guidance/snoop-assisted-l1-data-sampling
[2] https://software.intel.com/security-software-guidance/insights/deep-dive-snoop-assisted-l1-data-sampling
[3] https://lkml.org/lkml/2020/6/2/1150
[4] https://lore.kernel.org/lkml/20200729001103.6450-1-sblbir@amazon.com/
[5] https://lore.kernel.org/lkml/20201117234934.25985-2-sblbir@amazon.com/

Reviewers guide to v4
- The key patch in the series and most of the changes to this
  revision are to patch 4. patches 3 and 5 have been modified
  to keep them consistent with the changes to patch 4.

Changelog v4:
- Use a static key to enable the mechanism (remove overheads)
- By default have the mechanism turned off, so there are two
  opt-ins needed, one by the administrator at boot time, second
  by the application
- Rename l1d_flush_out/L1D_FLUSH_OUT to l1d_flush/L1D_FLUSH
- Implement other review recommendations
Changelog v3:
- Implement the SIGBUS mechansim
- Update and fix the documentation


Balbir Singh (5):
  x86/smp: Add a per-cpu view of SMT state
  x86/mm: Refactor cond_ibpb() to support other use cases
  x86/mm: Optionally flush L1D on context switch
  prctl: Hook L1D flushing in via prctl
  Documentation: Add L1D flushing Documentation

 Documentation/admin-guide/hw-vuln/index.rst   |  1 +
 .../admin-guide/hw-vuln/l1d_flush.rst         | 70 +++++++++++++++
 .../admin-guide/kernel-parameters.txt         | 17 ++++
 Documentation/userspace-api/spec_ctrl.rst     |  8 ++
 arch/Kconfig                                  |  4 +
 arch/x86/Kconfig                              |  1 +
 arch/x86/include/asm/cacheflush.h             |  8 ++
 arch/x86/include/asm/nospec-branch.h          |  2 +
 arch/x86/include/asm/processor.h              |  2 +
 arch/x86/include/asm/thread_info.h            |  6 +-
 arch/x86/include/asm/tlbflush.h               |  2 +-
 arch/x86/kernel/cpu/bugs.c                    | 71 +++++++++++++++
 arch/x86/kernel/smpboot.c                     | 10 ++-
 arch/x86/mm/tlb.c                             | 88 ++++++++++++++-----
 include/linux/sched.h                         | 10 +++
 include/uapi/linux/prctl.h                    |  1 +
 16 files changed, 273 insertions(+), 28 deletions(-)
 create mode 100644 Documentation/admin-guide/hw-vuln/l1d_flush.rst

-- 
2.17.1

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ