[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <be9eaafc-a3cd-4c46-93bd-fe611a45c94f@citrix.com>
Date: Mon, 16 Sep 2024 10:16:56 +0100
From: Andrew Cooper <andrew.cooper3@...rix.com>
To: Xin Li <xin@...or.com>, linux-kernel@...r.kernel.org
Cc: tglx@...utronix.de, mingo@...hat.com, bp@...en8.de,
dave.hansen@...ux.intel.com, x86@...nel.org, hpa@...or.com,
peterz@...radead.org
Subject: Re: [PATCH v1 1/1] x86/fred: Clear the WFE bit in missing-ENDBRANCH
#CP
On 15/09/2024 7:17 pm, Xin Li wrote:
> On 9/11/2024 4:35 PM, Andrew Cooper wrote:
>> On 12/09/2024 12:19 am, Xin Li (Intel) wrote:
>>> The WFE, i.e., WAIT_FOR_ENDBRANCH, bit in the augmented CS of FRED
>>> stack frame is set to 1 in missing-ENDBRANCH #CP exceptions.
>>>
>>> The CPU will generate another missing-ENDBRANCH #CP if the WFE bit
>>> is left as 1, because the indirect branch tracker will be set in
>>> the WAIT_FOR_ENDBRANCH state upon completion of the following ERETS
>>> instruction and the CPU will restart from the IP that just caused a
>>> previous missing-ENDBRANCH #CP.
>>>
>>> Clear the WFE bit to avoid dead looping in missing-ENDBRANCH #CP.
>>>
>>> Signed-off-by: Xin Li (Intel) <xin@...or.com>
>>
>> Ah - good. Finally some evidence that this hole in CET has been plugged
>> by FRED.
>>
>> However, I'd suggest describing it differently.
>>
>>
>> By definition, all missing-ENDBRANCH #CPs are a result of WFE && !ENDBR.
>>
>> But, in original CET under IDT delivery, any transfer for
>> interrupt/exception/etc that does not change privilege will clobber the
>> WFE state because MSR_{U,S}_CET.WFE is intentionally set by microcode so
>> as to expect to find an ENDBR at the interrupt/exception/syscall
>> entrypoint.
>>
>> In practice, this means interrupts and exceptions hitting the kernel, or
>> user interrupts, loose the WFE state of the interrupted context. And
>
> loose -> lose?
Yes indeed. Sorry.
~Andrew
Powered by blists - more mailing lists