| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20241206230212.whcnkib4icz4aabx@jpoimboe> Date: Fri, 6 Dec 2024 15:02:12 -0800 From: Josh Poimboeuf <jpoimboe@...nel.org> To: x86@...nel.org Cc: linux-kernel@...r.kernel.org, amit@...nel.org, kvm@...r.kernel.org, amit.shah@....com, thomas.lendacky@....com, bp@...en8.de, tglx@...utronix.de, peterz@...radead.org, pawan.kumar.gupta@...ux.intel.com, corbet@....net, mingo@...hat.com, dave.hansen@...ux.intel.com, hpa@...or.com, seanjc@...gle.com, pbonzini@...hat.com, daniel.sneddon@...ux.intel.com, kai.huang@...el.com, sandipan.das@....com, boris.ostrovsky@...cle.com, Babu.Moger@....com, david.kaplan@....com, dwmw@...zon.co.uk, andrew.cooper3@...rix.com Subject: Re: [PATCH v2 2/2] x86/bugs: Don't fill RSB on context switch with eIBRS On Thu, Dec 05, 2024 at 04:53:03PM -0800, Josh Poimboeuf wrote: > On Thu, Dec 05, 2024 at 03:32:47PM -0800, Josh Poimboeuf wrote: > > On Thu, Nov 21, 2024 at 12:07:19PM -0800, Josh Poimboeuf wrote: > > > User->user Spectre v2 attacks (including RSB) across context switches > > > are already mitigated by IBPB in cond_mitigation(), if enabled globally > > > or if either the prev or the next task has opted in to protection. RSB > > > filling without IBPB serves no purpose for protecting user space, as > > > indirect branches are still vulnerable. > > > > Question for Intel/AMD folks: where is it documented that IBPB clears > > the RSB? I thought I'd seen this somewhere but I can't seem to find it. > > For Intel, I found this: > > https://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/advisory-guidance/post-barrier-return-stack-buffer-predictions.html > > "Software that executed before the IBPB command cannot control the > predicted targets of indirect branches executed after the command on > the same logical processor. The term indirect branch in this context > includes near return instructions, so these predicted targets may come > from the RSB. > > This article uses the term RSB-barrier to refer to either an IBPB > command event, or (on processors which support enhanced IBRS) either a > VM exit with IBRS set to 1 or setting IBRS to 1 after a VM exit." > > I haven't seen anything that explicit for AMD. Found it. As Andrew mentioned earlier, AMD IBPB only clears RSB if the IBPB_RET CPUID bit is set. From APM vol 3: CPUID Fn8000_0008_EBX Extended Feature Identifiers: 30 IBPB_RET The processor clears the return address predictor when MSR PRED_CMD.IBPB is written to 1. We check that already for the IBPB entry mitigation, but now we'll also need to do so for the context switch IBPB. Question for AMD, does SBPB behave the same way, i.e. does it clear RSB if IBPB_RET? -- Josh
Powered by blists - more mailing lists