Message-ID: <20241120162120.z6zteeespf4cir4s@jpoimboe>
Date: Wed, 20 Nov 2024 08:21:20 -0800
From: "jpoimboe@...nel.org" <jpoimboe@...nel.org>
To: "Shah, Amit" <Amit.Shah@....com>
Cc: "Phillips, Kim" <kim.phillips@....com>,
	"x86@...nel.org" <x86@...nel.org>,
	"corbet@....net" <corbet@....net>,
	"pawan.kumar.gupta@...ux.intel.com" <pawan.kumar.gupta@...ux.intel.com>,
	"kai.huang@...el.com" <kai.huang@...el.com>,
	"kvm@...r.kernel.org" <kvm@...r.kernel.org>,
	"andrew.cooper3@...rix.com" <andrew.cooper3@...rix.com>,
	"dave.hansen@...ux.intel.com" <dave.hansen@...ux.intel.com>,
	"Lendacky, Thomas" <Thomas.Lendacky@....com>,
	"daniel.sneddon@...ux.intel.com" <daniel.sneddon@...ux.intel.com>,
	"boris.ostrovsky@...cle.com" <boris.ostrovsky@...cle.com>,
	"linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>,
	"seanjc@...gle.com" <seanjc@...gle.com>,
	"mingo@...hat.com" <mingo@...hat.com>,
	"pbonzini@...hat.com" <pbonzini@...hat.com>,
	"tglx@...utronix.de" <tglx@...utronix.de>,
	"Moger, Babu" <Babu.Moger@....com>,
	"Das1, Sandipan" <Sandipan.Das@....com>,
	"dwmw@...zon.co.uk" <dwmw@...zon.co.uk>,
	"amit@...nel.org" <amit@...nel.org>,
	"hpa@...or.com" <hpa@...or.com>,
	"peterz@...radead.org" <peterz@...radead.org>,
	"bp@...en8.de" <bp@...en8.de>,
	"Kaplan, David" <David.Kaplan@....com>
Subject: Re: [PATCH 2/2] x86/bugs: Don't fill RSB on context switch with eIBRS

On Wed, Nov 20, 2024 at 10:27:42AM +0000, Shah, Amit wrote:
> On Tue, 2024-11-19 at 23:27 -0800, Josh Poimboeuf wrote:
> > User->user Spectre v2 attacks (including RSB) across context switches
> > are already mitigated by IBPB in cond_mitigation(), if enabled globally
> > or if at least one of the tasks has opted in to protection.  RSB filling
> > without IBPB serves no purpose for protecting user space, as indirect
> > branches are still vulnerable.
> > 
> > User->kernel RSB attacks are mitigated by eIBRS.  In which case the RSB
> > filling on context switch isn't needed.  Fix that.
> > 
> > While at it, update and coalesce the comments describing the various RSB
> > mitigations.
> 
> Looks good from first impressions - but there's something that needs
> some deeper analysis: AMD's Automatic IBRS piggybacks on eIBRS, and has
> some special cases.  Adding Kim to CC to check and confirm if
> everything's still as expected.

FWIW, the "Technical Guidance for Mitigating Branch Type Confusion" has
the following:

  Finally, branches that are predicted as ‘ret’ instructions get their
  predicted targets from the Return Address Predictor (RAP). AMD
  recommends software use a RAP stuffing sequence (mitigation V2-3 in
  [2]) and/or Supervisor Mode Execution Protection (SMEP) to ensure that
  the addresses in the RAP are safe for speculation. Collectively, we
  refer to these mitigations as “RAP Protection”.

So it sounds like user->kernel RAP poisoning is mitigated by SMEP on AMD.

-- 
Josh
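The reasoning in this thread (eIBRS, or AMD's Automatic IBRS which the kernel treats like eIBRS, makes the context-switch RSB fill unnecessary; IBPB is the only thing that protects user->user; on AMD the quoted guidance names SMEP and/or RAP stuffing as "RAP Protection") can be turned into a quick posture check for a given box. The script below is an added example and is not code from the patch, from Josh or from the kernel tree. It assumes the /proc/cpuinfo flag names "ibrs_enhanced", "autoibrs", "ibpb" and "smep" and the vendor string "AuthenticAMD"; the classification labels and the sample flag lines are constructed for illustration.

```shell
#!/bin/sh
# Added example (not code from the patch or the thread): classify a machine's
# Spectre v2 context-switch RSB posture from /proc/cpuinfo, following the
# reasoning in the thread.  POSIX sh; needs only sed and head.
#
# Assumed /proc/cpuinfo flag names (assumption, not stated in the thread):
#   ibrs_enhanced  Intel eIBRS
#   autoibrs       AMD Automatic IBRS (the thread notes it "piggybacks on eIBRS")
#   ibpb           IBPB available (the only user->user barrier, per the patch)
#   smep           SMEP (AMD guidance: SMEP and/or RAP stuffing = "RAP Protection")

# has_flag FLAGS FLAG -> success if FLAG appears as a whole word in FLAGS
has_flag() {
    case " $1 " in
        *" $2 "*) return 0 ;;
    esac
    return 1
}

# classify_rsb_ctxsw VENDOR FLAGS -> one word on stdout:
#   eibrs     eIBRS/Automatic IBRS present: user->kernel RSB attacks are covered
#             and, per the patch, the context-switch RSB fill is not needed
#   rap-smep  AMD without Automatic IBRS but with SMEP: "RAP Protection" via
#             SMEP, per the AMD guidance quoted in the thread
#   rsb-fill  none of the above: the context-switch RSB fill still matters
classify_rsb_ctxsw() {
    vendor=$1
    flags=$2
    if has_flag "$flags" ibrs_enhanced || has_flag "$flags" autoibrs; then
        echo eibrs
    elif [ "$vendor" = AuthenticAMD ] && has_flag "$flags" smep; then
        echo rap-smep
    else
        echo rsb-fill
    fi
}

# user_user_barrier FLAGS -> "ibpb" if IBPB can protect user->user across a
# context switch, else "none" (RSB filling alone does not, per the patch)
user_user_barrier() {
    if has_flag "$1" ibpb; then echo ibpb; else echo none; fi
}

# cpuinfo_field FILE NAME -> value of the first "NAME : value" line in FILE
cpuinfo_field() {
    sed -n "s/^$2[[:space:]]*: //p" "$1" | head -n 1
}

# report FILE -> "<rsb class> <user-user barrier>" for a cpuinfo-format file
report() {
    v=$(cpuinfo_field "$1" vendor_id)
    f=$(cpuinfo_field "$1" flags)
    printf '%s %s\n' "$(classify_rsb_ctxsw "$v" "$f")" "$(user_user_barrier "$f")"
}

# Constructed, abbreviated sample flag lines (not captured from real hardware).
FLAGS_AMD_AUTOIBRS="fpu vme de pse smep ibpb autoibrs"
FLAGS_AMD_SMEP_ONLY="fpu vme de pse smep ibpb"
FLAGS_INTEL_EIBRS="fpu vme de pse smep ibpb ibrs_enhanced"
FLAGS_INTEL_LEGACY="fpu vme de pse smep ibpb"

# Stand-alone run: the samples, then the local machine if /proc/cpuinfo exists.
printf 'amd/autoibrs  : %s\n' "$(classify_rsb_ctxsw AuthenticAMD "$FLAGS_AMD_AUTOIBRS")"
printf 'amd/smep-only : %s\n' "$(classify_rsb_ctxsw AuthenticAMD "$FLAGS_AMD_SMEP_ONLY")"
printf 'intel/eibrs   : %s\n' "$(classify_rsb_ctxsw GenuineIntel "$FLAGS_INTEL_EIBRS")"
printf 'intel/legacy  : %s\n' "$(classify_rsb_ctxsw GenuineIntel "$FLAGS_INTEL_LEGACY")"
if [ -r /proc/cpuinfo ]; then
    printf 'this machine  : %s\n' "$(report /proc/cpuinfo)"
fi
```

This is a heuristic over CPU feature flags, not the kernel's own decision: the authoritative summary of what the running kernel actually enabled (IBRS flavour, IBPB mode, whether RSB filling is on) is the single line in /sys/devices/system/cpu/vulnerabilities/spectre_v2, and the script's "rap-smep" class only restates the AMD guidance Josh quotes, not a claim about any other vendor.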
