Message-ID: <20230220121350.aidsipw3kd4rsyss@treble>
Date: Mon, 20 Feb 2023 04:13:50 -0800
From: Josh Poimboeuf <jpoimboe@...nel.org>
To: KP Singh <kpsingh@...nel.org>
Cc: linux-kernel@...r.kernel.org, pjt@...gle.com, evn@...gle.com,
tglx@...utronix.de, mingo@...hat.com, bp@...en8.de,
dave.hansen@...ux.intel.com, x86@...nel.org, hpa@...or.com,
peterz@...radead.org, pawan.kumar.gupta@...ux.intel.com,
kim.phillips@....com, alexandre.chartre@...cle.com,
daniel.sneddon@...ux.intel.com,
José Oliveira <joseloliveira11@...il.com>,
Rodrigo Branco <rodrigo@...nelhacking.com>,
Alexandra Sandulescu <aesa@...gle.com>,
Jim Mattson <jmattson@...gle.com>, stable@...r.kernel.org
Subject: Re: [PATCH RESEND] x86/speculation: Fix user-mode spectre-v2
protection with KERNEL_IBRS
On Mon, Feb 20, 2023 at 01:01:27PM +0100, KP Singh wrote:
> +static inline bool spectre_v2_user_no_stibp(enum spectre_v2_mitigation mode)
> +{
> + /* When IBRS or enhanced IBRS is enabled, STIBP is not needed.
> + *
> + * However, With KERNEL_IBRS, the IBRS bit is cleared on return
> + * to user and the user-mode code needs to be able to enable protection
> + * from cross-thread training, either by always enabling STIBP or
> + * by enabling it via prctl.
> + */
> + return (spectre_v2_in_ibrs_mode(mode) &&
> + !cpu_feature_enabled(X86_FEATURE_KERNEL_IBRS));
> +}
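Review bot: the comment block in spectre_v2_user_no_stibp() does not follow kernel style and has a stray capital: open the block with `/*` on its own line and change "However, With KERNEL_IBRS" to "However, with KERNEL_IBRS". On the logic, the predicate is `spectre_v2_in_ibrs_mode(mode) && !cpu_feature_enabled(X86_FEATURE_KERNEL_IBRS)`, but the reply below points out that IBRS and KERNEL_IBRS are the same thing in the kernel, so the second half only ever excludes SPECTRE_V2_IBRS and the result is "mode is one of the eIBRS modes". Either name the helper for what it computes or say in the comment that the feature check is there to carve SPECTRE_V2_IBRS out of spectre_v2_in_ibrs_mode().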
The comments and code confused me; they both seem to imply some
distinction between IBRS and KERNEL_IBRS, but in the kernel those are
functionally the same thing, e.g., the kernel doesn't have a user IBRS
mode.
And, unless I'm missing some subtlety here, it seems to be a convoluted
way of saying that eIBRS doesn't need STIBP in user space.
It would be simpler to just call it spectre_v2_in_eibrs_mode().
static inline bool spectre_v2_in_eibrs_mode(enum spectre_v2_mitigation mode)
{
	return mode == SPECTRE_V2_EIBRS ||
	       mode == SPECTRE_V2_EIBRS_RETPOLINE ||
	       mode == SPECTRE_V2_EIBRS_LFENCE;
}
And then spectre_v2_in_ibrs_mode() could be changed to call that:
static inline bool spectre_v2_in_ibrs_mode(enum spectre_v2_mitigation mode)
{
	return spectre_v2_in_eibrs_mode(mode) || mode == SPECTRE_V2_IBRS;
}
> @@ -1496,6 +1504,7 @@ static void __init spectre_v2_select_mitigation(void)
> break;
>
> case SPECTRE_V2_IBRS:
> + pr_err("enabling KERNEL_IBRS");
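Review bot: pr_err() is the wrong log level for a line that reports a mitigation being selected rather than a failure, and the format string has no trailing "\n". If a message is wanted in the SPECTRE_V2_IBRS case at all, make it `pr_info("enabling KERNEL_IBRS\n");` alongside the existing mitigation-selection messages; otherwise drop the line, since the case label already records which mode was chosen.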
Why?
> @@ -2327,7 +2336,7 @@ static ssize_t mmio_stale_data_show_state(char *buf)
>
> static char *stibp_state(void)
> {
> - if (spectre_v2_in_ibrs_mode(spectre_v2_enabled))
> + if (spectre_v2_user_no_stibp(spectre_v2_enabled))
> return "";
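Review bot: replacing spectre_v2_in_ibrs_mode() with spectre_v2_user_no_stibp() in stibp_state() changes the sysfs output for the SPECTRE_V2_IBRS case, which no longer short-circuits to "" and instead falls through to report the actual spectre_v2_user_stibp setting; that is the user-visible effect of the patch and should be stated in the commit message. The early return that remains for the eIBRS modes also needs a one-line comment saying why nothing is printed there rather than the value of spectre_v2_user_stibp.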
This seems like old cruft; can we just remove this check altogether? In
the eIBRS case, spectre_v2_user_stibp will already have its default of
SPECTRE_V2_USER_NONE.
--
Josh
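An added example, not code from the patch or from the kernel tree, that makes the reply's claim checkable: it models the mitigation mode enum and the KERNEL_IBRS feature bit, then exhaustively compares the patch's spectre_v2_user_no_stibp() with a plain eIBRS check. The mode names follow arch/x86/kernel/cpu/bugs.c; the numeric values, the SPECTRE_V2_MODE_COUNT sentinel and the kernel_ibrs_enabled() model (feature bit set exactly when SPECTRE_V2_IBRS is the selected mode, which is the "functionally the same thing" point in the reply) are assumptions made here for the example.

```c
#include <stdbool.h>
#include <stdio.h>

/*
 * Constructed model of the mode enum from bugs.c. The names are the
 * kernel's; the values and the SPECTRE_V2_MODE_COUNT sentinel are
 * assumptions so the loops below can walk every mode.
 */
enum spectre_v2_mitigation {
	SPECTRE_V2_NONE,
	SPECTRE_V2_RETPOLINE,
	SPECTRE_V2_LFENCE,
	SPECTRE_V2_EIBRS,
	SPECTRE_V2_EIBRS_RETPOLINE,
	SPECTRE_V2_EIBRS_LFENCE,
	SPECTRE_V2_IBRS,
	SPECTRE_V2_MODE_COUNT,
};

/*
 * Stand-in for cpu_feature_enabled(X86_FEATURE_KERNEL_IBRS). Assumption:
 * the bit is set exactly when SPECTRE_V2_IBRS is the selected mode, which
 * is how the reply describes the relationship between IBRS and KERNEL_IBRS.
 */
static bool kernel_ibrs_enabled(enum spectre_v2_mitigation mode)
{
	return mode == SPECTRE_V2_IBRS;
}

/* The eIBRS-only helper suggested in the reply. */
bool spectre_v2_in_eibrs_mode(enum spectre_v2_mitigation mode)
{
	return mode == SPECTRE_V2_EIBRS ||
	       mode == SPECTRE_V2_EIBRS_RETPOLINE ||
	       mode == SPECTRE_V2_EIBRS_LFENCE;
}

/* Any IBRS flavour: enhanced IBRS or legacy (kernel-only) IBRS. */
bool spectre_v2_in_ibrs_mode(enum spectre_v2_mitigation mode)
{
	return spectre_v2_in_eibrs_mode(mode) || mode == SPECTRE_V2_IBRS;
}

/* The patch's predicate, with the feature check replaced by the model above. */
bool spectre_v2_user_no_stibp(enum spectre_v2_mitigation mode)
{
	return spectre_v2_in_ibrs_mode(mode) && !kernel_ibrs_enabled(mode);
}

/*
 * Exhaustive comparison of the patch's predicate with the plain eIBRS
 * check. Returns true if they agree for every mode; a configuration in
 * which KERNEL_IBRS were set in some other mode would make this fail.
 */
bool predicates_equivalent(void)
{
	for (int m = 0; m < SPECTRE_V2_MODE_COUNT; m++) {
		enum spectre_v2_mitigation mode = (enum spectre_v2_mitigation)m;

		if (spectre_v2_user_no_stibp(mode) != spectre_v2_in_eibrs_mode(mode))
			return false;
	}
	return true;
}

/* Number of modes in which user space still needs STIBP under the patch's rule. */
int modes_needing_user_stibp(void)
{
	int n = 0;

	for (int m = 0; m < SPECTRE_V2_MODE_COUNT; m++)
		if (!spectre_v2_user_no_stibp((enum spectre_v2_mitigation)m))
			n++;
	return n;
}

int main(void)
{
	static const char *const names[SPECTRE_V2_MODE_COUNT] = {
		"NONE", "RETPOLINE", "LFENCE", "EIBRS",
		"EIBRS_RETPOLINE", "EIBRS_LFENCE", "IBRS",
	};

	for (int m = 0; m < SPECTRE_V2_MODE_COUNT; m++) {
		enum spectre_v2_mitigation mode = (enum spectre_v2_mitigation)m;

		printf("%-16s in_ibrs=%d user_no_stibp=%d in_eibrs=%d\n",
		       names[m], spectre_v2_in_ibrs_mode(mode),
		       spectre_v2_user_no_stibp(mode),
		       spectre_v2_in_eibrs_mode(mode));
	}
	printf("patch predicate == eIBRS check: %s\n",
	       predicates_equivalent() ? "yes" : "no");
	return 0;
}
```

Under this model the two predicates agree for all seven modes, and user space is left needing STIBP in four of them (NONE, RETPOLINE, LFENCE and IBRS), which is the behaviour the patch's commit subject is after for KERNEL_IBRS. The exhaustive loop is the useful part: if the feature-bit model were ever wrong for some mode, the comparison would show exactly where the two helpers diverge.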