| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <11ebe489-0734-28af-07a4-f658709cfd9e@citrix.com>
Date: Thu, 6 Oct 2022 02:42:10 +0000
From: Andrew Cooper <Andrew.Cooper3@...rix.com>
To: Suraj Jitindar Singh <surajjs@...zon.com>,
"kvm@...r.kernel.org" <kvm@...r.kernel.org>
CC: "sjitindarsingh@...il.com" <sjitindarsingh@...il.com>,
"linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>,
"x86@...nel.org" <x86@...nel.org>,
"tglx@...utronix.de" <tglx@...utronix.de>,
"mingo@...hat.com" <mingo@...hat.com>, "bp@...e.de" <bp@...e.de>,
"dave.hansen@...ux.intel.com" <dave.hansen@...ux.intel.com>,
"seanjc@...gle.com" <seanjc@...gle.com>,
"pbonzini@...hat.com" <pbonzini@...hat.com>,
"peterz@...radead.org" <peterz@...radead.org>,
"jpoimboe@...nel.org" <jpoimboe@...nel.org>,
"daniel.sneddon@...ux.intel.com" <daniel.sneddon@...ux.intel.com>,
"pawan.kumar.gupta@...ux.intel.com"
<pawan.kumar.gupta@...ux.intel.com>,
"benh@...nel.crashing.org" <benh@...nel.crashing.org>,
"stable@...r.kernel.org" <stable@...r.kernel.org>,
Andrew Cooper <Andrew.Cooper3@...rix.com>
Subject: Re: [PATCH] x86/speculation: Mitigate eIBRS PBRSB predictions with
WRMSR
On 05/10/2022 23:02, Suraj Jitindar Singh wrote:
> tl;dr: The existing mitigation for eIBRS PBRSB predictions uses an INT3 to
> ensure a call instruction retires before a following unbalanced RET.
No it doesn't. The INT3 is transient. The existing mitigation uses an
LFENCE.
> Replace this with a WRMSR serialising instruction which has a lower performance
> penalty.
What is "this"? The INT3^W LFENCE?
WRMSR is not lower overhead than an LFENCE.
> == Solution ==
>
> The WRMSR instruction can be used as a speculation barrier and a serialising
> instruction. Use this on the VM exit path instead to ensure that a CALL
> instruction (in this case the call to vmx_spec_ctrl_restore_host) has retired
> before the prediction of a following unbalanced RET.
While both of these sentences are true statements, you've missed the
necessary safety property.
One CALL has to retire before *any* RET can execute.
There are several ways the frontend can end up eventually consuming the
bad RSB entry; they all stem from an execute (not prediction) of the
next RET instruction.
As to the change, ...
> diff --git a/arch/x86/kvm/vmx/vmx.c b/arch/x86/kvm/vmx/vmx.c
> index c9b49a09e6b5..fdcd8e10c2ab 100644
> --- a/arch/x86/kvm/vmx/vmx.c
> +++ b/arch/x86/kvm/vmx/vmx.c
> @@ -7049,8 +7049,13 @@ void noinstr vmx_spec_ctrl_restore_host(struct vcpu_vmx *vmx,
... out of context above this hunk is:
if (!cpu_feature_enabled(X86_FEATURE_MSR_SPEC_CTRL))
return;
meaning that there is a return instruction which is programmatically
reachable ahead of the WRMSR.
Whether it is speculatively reachable depends on whether the frontend
can see through the _static_cpu_has(), as well as
X86_FEATURE_MSR_SPEC_CTRL never becoming compile time evaluable.
There is also a second latent bug, to do with the code generation for
this_cpu_read(x86_spec_ctrl_current).
It's worth saying that, in principle, this optimisation is safe, but
pretty much all the discussion about it is wrong. Here is one I
prepared earlier:
https://lore.kernel.org/xen-devel/20220809170016.25148-3-andrew.cooper3@citrix.com/
OTOH, below the hunk in question, there's a barrier_nospec() which is
giving you the actual projection you need (subject to latent and/or code
layout bugs), irrespective of the extra WRMSR.
~Andrew
Powered by blists - more mailing lists