| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <Z-2XAx9u8l-73aXM@gmail.com> Date: Wed, 2 Apr 2025 21:58:59 +0200 From: Ingo Molnar <mingo@...nel.org> To: Josh Poimboeuf <jpoimboe@...nel.org> Cc: x86@...nel.org, linux-kernel@...r.kernel.org, amit@...nel.org, kvm@...r.kernel.org, amit.shah@....com, thomas.lendacky@....com, bp@...en8.de, tglx@...utronix.de, peterz@...radead.org, pawan.kumar.gupta@...ux.intel.com, corbet@....net, mingo@...hat.com, dave.hansen@...ux.intel.com, hpa@...or.com, seanjc@...gle.com, pbonzini@...hat.com, daniel.sneddon@...ux.intel.com, kai.huang@...el.com, sandipan.das@....com, boris.ostrovsky@...cle.com, Babu.Moger@....com, david.kaplan@....com, dwmw@...zon.co.uk, andrew.cooper3@...rix.com Subject: Re: [PATCH v3 6/6] x86/bugs: Add RSB mitigation document * Josh Poimboeuf <jpoimboe@...nel.org> wrote: > Create a document to summarize hard-earned knowledge about RSB-related > mitigations, with references, and replace the overly verbose yet > incomplete comments with a reference to the document. Just a few nits: > +RSB poisoning (Intel and AMD) > +============================= > + > +SpectreRSB > +~~~~~~~~~~ > >+ >+RSB poisoning is a technique used by Spectre-RSB [#spectre-rsb]_ where >+an attacker poisons an RSB entry to cause a victim's return instruction >+to speculate to an attacker-controlled address. This can happen when >+there are unbalanced CALLs/RETs after a context switch or VMEXIT. s/Spectre-RSB /SpectreRSB Which is the name the title just a few lines above uses, and which appears to be broadly the in-tree consensus spelling as well. > + > +AMD Retbleed / SRSO / Branch Type Confusion > +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Nit: the underline is one character too long. :-) > +On AMD, poisoned RSB entries can also be created by the AMD Retbleed > +variant [#retbleed-paper]_ and/or Speculative Return Stack Overflow > +[#amd-srso]_ (Inception [#inception-paper]_). These attacks are made > +possible by Branch Type Confusion [#amd-btc]_. The kernel protects > +itself by replacing every RET in the kernel with a branch to a single > +safe RET. s/Retbleed /RETBleed Seems to be the consensus spelling in-tree. (There's a few more cases in this document as well.) > + * WARNING! There are many subtleties to consider when changing *any* > + * code related to RSB-related mitigations. Before doing so, carefully > + * read the following document, and update if necessary: > * > + * Documentation/admin-guide/hw-vuln/rsb.rst > * > + * In an overly simplified nutshell: > * > + * - User->user RSB attacks are conditionally mitigated during > + * context switch by cond_mitigation -> __write_ibpb(). s/during context switch /during context switches > * > + * - User->kernel and guest->host attacks are mitigated by eIBRS or > + * RSB filling. > * > + * Though, depending on config, note that other alternative > + * mitigations may end up getting used instead, e.g., IBPB on > + * entry/vmexit, call depth tracking, or return thunks. > */ s/__write_ibpb() /write_ibpb() as per the discussion under patch #1. Thanks, Ingo
Powered by blists - more mailing lists