[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20210113195301.tyeeyrf5y7ajd5yw@treble>
Date: Wed, 13 Jan 2021 13:53:01 -0600
From: Josh Poimboeuf <jpoimboe@...hat.com>
To: Anand K Mistry <amistry@...gle.com>
Cc: x86@...nel.org, asteinhauser@...gle.com, tglx@...utronix.de,
bp@...en8.de, joelaf@...gle.com,
Anand K Mistry <amistry@...omium.org>,
Alexandre Chartre <alexandre.chartre@...cle.com>,
Andrew Morton <akpm@...ux-foundation.org>,
Andy Lutomirski <luto@...nel.org>,
Dave Hansen <dave.hansen@...ux.intel.com>,
"H. Peter Anvin" <hpa@...or.com>, Ingo Molnar <mingo@...hat.com>,
Julien Thierry <jthierry@...hat.com>,
Maciej Fijalkowski <maciej.fijalkowski@...el.com>,
Mark Gross <mgross@...ux.intel.com>,
Mike Rapoport <rppt@...nel.org>,
Paolo Bonzini <pbonzini@...hat.com>,
Peter Zijlstra <peterz@...radead.org>,
Tony Luck <tony.luck@...el.com>, linux-kernel@...r.kernel.org
Subject: Re: [RFC PATCH] x86/speculation: Add finer control for when to issue
IBPB
On Wed, Jan 13, 2021 at 07:47:19PM +1100, Anand K Mistry wrote:
> When IB speculation is conditionally disabled for a process (via prctl()
> or seccomp), IBPB is issued whenever that process is switched to/from.
> However, this results more IBPBs than necessary. The goal is to protect
> a victim process from an attacker poisoning the BTB by issuing IBPB in
> the attacker->victim switch. However, the current logic will also issue
> IBPB in the victim->attacker switch, because there's no notion of
> whether the attacker or victim has IB speculation disabled.
>
> Instead of always issuing IBPB when either the previous or next process
> has IB speculation disabled, add a boot flag to explicitly choose
> to issue IBPB when the IB spec disabled process is entered or left.
>
> Signed-off-by: Anand K Mistry <amistry@...gle.com>
> Signed-off-by: Anand K Mistry <amistry@...omium.org>
> ---
> Background:
> IBPB is slow on some CPUs.
>
> More detailed background:
> On some CPUs, issuing an IBPB can cause the address space switch to be
> 10x more expensive (yes, 10x, not 10%). On a system that makes heavy use
> of processes, this can cause a very significant performance hit.
> Although we can choose which processes will pay the IBPB
> cost by using prctl(), the performance hit is often still too high
> because IBPB is being issued more often than necessary.
>
> This proposal attempts to reduce that cost by letting the system
> developer choose whether to issue the IBPB on entry or exit of an IB
> speculation disabled process (default is both, which is current
> behaviour). Documentation/admin-guide/hw-vuln/spectre.rst documents two
> mitigation strategies that use conditional IBPB;
> "Protect sensitive programs", and "Sandbox untrusted programs".
Why make the setting system-wide? Shouldn't this decision be made on a
per-task basis, depending on whether the task is sensitive or untrusted?
--
Josh
Powered by blists - more mailing lists