lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <YmxRnwSUBIkOIjLA@zn.tnic>
Date:   Fri, 29 Apr 2022 22:59:11 +0200
From:   Borislav Petkov <bp@...en8.de>
To:     Sean Christopherson <seanjc@...gle.com>
Cc:     Jon Kohler <jon@...anix.com>, Thomas Gleixner <tglx@...utronix.de>,
        Ingo Molnar <mingo@...hat.com>,
        Dave Hansen <dave.hansen@...ux.intel.com>,
        "x86@...nel.org" <x86@...nel.org>,
        "H. Peter Anvin" <hpa@...or.com>,
        Paolo Bonzini <pbonzini@...hat.com>,
        Vitaly Kuznetsov <vkuznets@...hat.com>,
        Wanpeng Li <wanpengli@...cent.com>,
        Jim Mattson <jmattson@...gle.com>,
        Joerg Roedel <joro@...tes.org>,
        Josh Poimboeuf <jpoimboe@...hat.com>,
        Peter Zijlstra <peterz@...radead.org>,
        Balbir Singh <sblbir@...zon.com>,
        Kim Phillips <kim.phillips@....com>,
        "linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>,
        "kvm@...r.kernel.org" <kvm@...r.kernel.org>,
        Andrea Arcangeli <aarcange@...hat.com>,
        Kees Cook <keescook@...omium.org>,
        Waiman Long <longman@...hat.com>
Subject: Re: [PATCH v3] x86/speculation, KVM: only IBPB for
 switch_mm_always_ibpb on vCPU load

On Fri, Apr 29, 2022 at 08:29:30PM +0000, Sean Christopherson wrote:
> That's why there's a bunch of hand-waving.

Well, I'm still not sure what this patch is trying to fix but both your
latest replies do sound clearer...

> Can you clarify what "this" is?  Does "this" mean "this patch", or does it mean

This patch.

> "this IBPB when switching vCPUs"?  Because if it means the latter, then I think
> you're in violent agreement; the IBPB when switching vCPUs is pointless and
> unnecessary.

Ok, let's concentrate on the bug first - whether a second IBPB - so to
speak - is needed. Doing some git archeology points to:

  15d45071523d ("KVM/x86: Add IBPB support")

which - and I'm surprised - goes to great lengths to explain what
those IBPB calls in KVM protect against. From that commit message, for
example:

"    * Mitigate attacks from guest/ring3->host/ring3.
      These would require a IBPB during context switch in host, or after
      VMEXIT."

so with my very limited virt understanding, when you vmexit, you don't
do switch_mm(), right?

If so, you need to do a barrier. Regardless of conditional IBPB or not
as you want to protect the host from a malicious guest.

In general, the whole mitigation strategies are enumerated in

Documentation/admin-guide/hw-vuln/spectre.rst

There's also a "3. VM mitigation" section.

And so on...

Bottomline is this: at the time, we went to great lengths to document
what the attacks are and how we are protecting against them.

So now, if you want to change all that, I'd like to see

- the attack scenario is this

- we don't think it is relevant because...

- therefore, we don't need to protect against it anymore

and all that should be properly documented.

Otherwise, there's no surviving this mess.

Thx!

-- 
Regards/Gruss,
    Boris.

https://people.kernel.org/tglx/notes-about-netiquette

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ