| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 11 Nov 2022 16:54:27 -0800
From: Jim Mattson <jmattson@...gle.com>
To: Kim Phillips <kim.phillips@....com>
Cc: Thadeu Lima de Souza Cascardo <cascardo@...onical.com>,
Borislav Petkov <bp@...en8.de>,
Peter Zijlstra <peterz@...radead.org>, x86@...nel.org,
Boris Ostrovsky <boris.ostrovsky@...cle.com>,
Dave Hansen <dave.hansen@...ux.intel.com>,
"H. Peter Anvin" <hpa@...or.com>, Ingo Molnar <mingo@...hat.com>,
Joao Martins <joao.m.martins@...cle.com>,
Jonathan Corbet <corbet@....net>,
Konrad Rzeszutek Wilk <konrad.wilk@...cle.com>,
Paolo Bonzini <pbonzini@...hat.com>,
Sean Christopherson <seanjc@...gle.com>,
Thomas Gleixner <tglx@...utronix.de>,
David Woodhouse <dwmw@...zon.co.uk>,
Greg Kroah-Hartman <gregkh@...uxfoundation.org>,
Juergen Gross <jgross@...e.com>,
Tony Luck <tony.luck@...el.com>,
Babu Moger <Babu.Moger@....com>,
Tom Lendacky <thomas.lendacky@....com>, kvm@...r.kernel.org,
linux-doc@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: Re: [PATCH 2/3] x86/speculation: Support Automatic IBRS
On Fri, Nov 11, 2022 at 4:46 PM Kim Phillips <kim.phillips@....com> wrote:
>
> On 11/11/22 6:40 AM, Thadeu Lima de Souza Cascardo wrote:
> > On Fri, Nov 11, 2022 at 01:09:37PM +0100, Borislav Petkov wrote:
> >> On Mon, Nov 07, 2022 at 04:39:02PM -0600, Kim Phillips wrote:
> >>> I've started a version that has AUTOIBRS reuse SPECTRE_V2_EIBRS
> >>> spectre_v2_mitigation enum, but, so far, it's change to bugs.c
> >>> looks bigger: 58 lines changed vs. 34 (see below).
> >>
> >> It can be smaller. You simply do:
> >>
> >> if (cpu_has(c, X86_FEATURE_AUTOIBRS))
> >> setup_force_cpu_cap(X86_FEATURE_IBRS_ENHANCED);
> >>
> >> and the rest should just work - see below.
> >>
> >> And yes, as Peter says, when the user requests something, the user
> >> should get it. No matter whether it makes sense or not.
>
> OK & thanks.
>
> >> @@ -1474,11 +1477,19 @@ static void __init spectre_v2_select_mitigation(void)
> >> break;
> >>
> >> case SPECTRE_V2_CMD_EIBRS_LFENCE:
> >> - mode = SPECTRE_V2_EIBRS_LFENCE;
> >> + if (boot_cpu_has(X86_FEATURE_AUTOIBRS)) {
> >> + pr_err(SPECTRE_V2_EIBRS_AMD_MSG);
> >> + mode = SPECTRE_V2_EIBRS;
> >> + } else
> >> + mode = SPECTRE_V2_EIBRS_LFENCE;
> >> break;
> >>
> >> case SPECTRE_V2_CMD_EIBRS_RETPOLINE:
> >> - mode = SPECTRE_V2_EIBRS_RETPOLINE;
> >> + if (boot_cpu_has(X86_FEATURE_AUTOIBRS)) {
> >> + pr_err(SPECTRE_V2_EIBRS_AMD_MSG);
> >> + mode = SPECTRE_V2_EIBRS;
> >> + } else
> >> + mode = SPECTRE_V2_EIBRS_RETPOLINE;
> >> break;
> >> }
> >>
> >
> > I am confused here. Isn't the agreement that the user should get what they
> > asked for? That is, instead of warning and changing the mode to
> > SPECTRE_V2_EIBRS, the kernel should still use lfence or retpoline as requested?
> >
> > The point of those options was to protect against Branch History Injection
> > attacks and Intra-Mode Branch Target Injection attacks. The first one might not
> > affect the CPUs that support AUTOIBRS, though we haven't heard that.
> >
> > The second one (IMBTI) is very likely still possible with AUTOIBRS and
> > retpolines should still protect against those attacks. So users who want to be
> > paranoid should still be able to opt for "eibrs,retpoline" and have retpolines
> > enabled.
>
> I've removed the above and have the complete diff below. It includes patch 1/3 and
> drops 3/3 for now due to Jim Mattson's comments. After some more testing, I'll
> resubmit.
I bought the argument that AutoIBRS => Same Mode IBRS, so L2 should
not be able to steer L1's indirect branches, even if they share a
predictor mode.
Powered by blists - more mailing lists