| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <52473a9873b542f290cc1e07dae9acec00f061e3.camel@amd.com> Date: Mon, 30 Dec 2024 14:54:37 +0000 From: "Shah, Amit" <Amit.Shah@....com> To: "jpoimboe@...nel.org" <jpoimboe@...nel.org>, "x86@...nel.org" <x86@...nel.org> CC: "corbet@....net" <corbet@....net>, "pawan.kumar.gupta@...ux.intel.com" <pawan.kumar.gupta@...ux.intel.com>, "kai.huang@...el.com" <kai.huang@...el.com>, "kvm@...r.kernel.org" <kvm@...r.kernel.org>, "andrew.cooper3@...rix.com" <andrew.cooper3@...rix.com>, "dave.hansen@...ux.intel.com" <dave.hansen@...ux.intel.com>, "Lendacky, Thomas" <Thomas.Lendacky@....com>, "daniel.sneddon@...ux.intel.com" <daniel.sneddon@...ux.intel.com>, "boris.ostrovsky@...cle.com" <boris.ostrovsky@...cle.com>, "linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>, "seanjc@...gle.com" <seanjc@...gle.com>, "mingo@...hat.com" <mingo@...hat.com>, "pbonzini@...hat.com" <pbonzini@...hat.com>, "tglx@...utronix.de" <tglx@...utronix.de>, "Moger, Babu" <Babu.Moger@....com>, "Das1, Sandipan" <Sandipan.Das@....com>, "dwmw@...zon.co.uk" <dwmw@...zon.co.uk>, "hpa@...or.com" <hpa@...or.com>, "peterz@...radead.org" <peterz@...radead.org>, "bp@...en8.de" <bp@...en8.de>, "Kaplan, David" <David.Kaplan@....com> Subject: Re: [PATCH v2 2/2] x86/bugs: Don't fill RSB on context switch with eIBRS On Fri, 2024-12-06 at 15:02 -0800, Josh Poimboeuf wrote: > On Thu, Dec 05, 2024 at 04:53:03PM -0800, Josh Poimboeuf wrote: > > On Thu, Dec 05, 2024 at 03:32:47PM -0800, Josh Poimboeuf wrote: > > > On Thu, Nov 21, 2024 at 12:07:19PM -0800, Josh Poimboeuf wrote: > > > > User->user Spectre v2 attacks (including RSB) across context > > > > switches > > > > are already mitigated by IBPB in cond_mitigation(), if enabled > > > > globally > > > > or if either the prev or the next task has opted in to > > > > protection. RSB > > > > filling without IBPB serves no purpose for protecting user > > > > space, as > > > > indirect branches are still vulnerable. > > > > > > Question for Intel/AMD folks: where is it documented that IBPB > > > clears > > > the RSB? I thought I'd seen this somewhere but I can't seem to > > > find it. > > > > For Intel, I found this: > > > > > > https://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/advisory-guidance/post-barrier-return-stack-buffer-predictions.html > > > > "Software that executed before the IBPB command cannot control > > the > > predicted targets of indirect branches executed after the command > > on > > the same logical processor. The term indirect branch in this > > context > > includes near return instructions, so these predicted targets may > > come > > from the RSB. > > > > This article uses the term RSB-barrier to refer to either an IBPB > > command event, or (on processors which support enhanced IBRS) > > either a > > VM exit with IBRS set to 1 or setting IBRS to 1 after a VM exit." > > > > I haven't seen anything that explicit for AMD. > > Found it. As Andrew mentioned earlier, AMD IBPB only clears RSB if > the > IBPB_RET CPUID bit is set. From APM vol 3: > > CPUID Fn8000_0008_EBX Extended Feature Identifiers: > > 30 IBPB_RET The processor clears the return address > predictor when MSR PRED_CMD.IBPB is written > to 1. > > We check that already for the IBPB entry mitigation, but now we'll > also > need to do so for the context switch IBPB. > > Question for AMD, does SBPB behave the same way, i.e. does it clear > RSB > if IBPB_RET? I'm not sure about this. I'll ask around internally. Amit
Powered by blists - more mailing lists