lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <20241202233521.u2bygrjg5toyziba@desk>
Date: Mon, 2 Dec 2024 15:35:21 -0800
From: Pawan Gupta <pawan.kumar.gupta@...ux.intel.com>
To: Borislav Petkov <bp@...en8.de>
Cc: Josh Poimboeuf <jpoimboe@...nel.org>, x86@...nel.org,
	linux-kernel@...r.kernel.org, amit@...nel.org, kvm@...r.kernel.org,
	amit.shah@....com, thomas.lendacky@....com, tglx@...utronix.de,
	peterz@...radead.org, corbet@....net, mingo@...hat.com,
	dave.hansen@...ux.intel.com, hpa@...or.com, seanjc@...gle.com,
	pbonzini@...hat.com, daniel.sneddon@...ux.intel.com,
	kai.huang@...el.com, sandipan.das@....com,
	boris.ostrovsky@...cle.com, Babu.Moger@....com,
	david.kaplan@....com, dwmw@...zon.co.uk, andrew.cooper3@...rix.com
Subject: Re: [PATCH v2 1/2] x86/bugs: Don't fill RSB on VMEXIT with
 eIBRS+retpoline

On Sat, Nov 30, 2024 at 04:31:25PM +0100, Borislav Petkov wrote:
> On Thu, Nov 21, 2024 at 12:07:18PM -0800, Josh Poimboeuf wrote:
> > eIBRS protects against RSB underflow/poisoning attacks.  Adding
> > retpoline to the mix doesn't change that.  Retpoline has a balanced
> > CALL/RET anyway.
> 
> This is exactly why I've been wanting for us to document our mitigations for
> a long time now.
> 
> A bunch of statements above for which I can only rhyme up they're correct if
> I search for the vendor docs. On the AMD side I've found:
> 
> "When Automatic IBRS is enabled, the internal return address stack used for
> return address predictions is cleared on VMEXIT."
> 
> APM v2, p. 58/119
> 
> For the Intel side I'm not that lucky. There's something here:
> 
> https://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/technical-documentation/branch-history-injection.html
> 
> Or is it this one:
> 
> https://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/technical-documentation/speculative-execution-side-channel-mitigations.html#inpage-nav-1-3-undefined
> 
> Or is this written down explicitly in some other doc?

It is in this doc:

  https://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/technical-documentation/indirect-branch-restricted-speculation.html

  "Processors with enhanced IBRS still support the usage model where IBRS is
  set only in the OS/VMM for OSes that enable SMEP. To do this, such
  processors will ensure that guest behavior cannot control the RSB after a
  VM exit once IBRS is set, even if IBRS was not set at the time of the VM
  exit."

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ