| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <aChB9ORFxaL8VfyD@gmail.com>
Date: Sat, 17 May 2025 09:59:48 +0200
From: Ingo Molnar <mingo@...nel.org>
To: Rik van Riel <riel@...riel.com>
Cc: Dave Hansen <dave.hansen@...ux.intel.com>,
Andy Lutomirski <luto@...nel.org>,
Peter Zijlstra <peterz@...radead.org>,
Ingo Molnar <mingo@...hat.com>, Borislav Petkov <bp@...en8.de>,
x86@...nel.org, linux-kernel@...r.kernel.org, kernel-team@...a.com
Subject: Re: [PATCH] x86/mm: resize user_pcid_flush_mask for PTI / broadcast
TLB flush combination
* Rik van Riel <riel@...riel.com> wrote:
> @@ -121,7 +140,11 @@ struct tlb_state {
> * the corresponding user PCID needs a flush next time we
> * switch to it; see SWITCH_TO_USER_CR3.
> */
> +#if defined(CONFIG_X86_TLB_BROADCAST_TLB_FLUSH) && defined(CONFIG_MITIGATION_PAGE_TABLE_ISOLATION)
> + unsigned long user_pcid_flush_mask[(1 << CR3_AVAIL_PCID_BITS) / BITS_PER_LONG];
> +#else
> unsigned short user_pcid_flush_mask;
> +#endif
1)
CONFIG_X86_TLB_BROADCAST_TLB_FLUSH doesn't actually exist, the name is
CONFIG_BROADCAST_TLB_FLUSH.
This patch could not possibly have been tested on a vanilla kernel on
actual hardware in the PTI usecase it claims to fix...
2)
Testing aside, this definition and the usage of user_pcid_flush_mask is
unnecessarily confusing, as it also defines user_pcid_flush_mask when
it's not actually used by runtime code. user_pcid_flush_mask is only
used if CONFIG_MITIGATION_PAGE_TABLE_ISOLATION=y, so as an interim step
we could make this a more obvious:
#ifdef CONFIG_MITIGATION_PAGE_TABLE_ISOLATION
# ifdef CONFIG_BROADCAST_TLB_FLUSH
unsigned long user_pcid_flush_mask[(1 << CR3_AVAIL_PCID_BITS) / BITS_PER_LONG];
# else
unsigned short user_pcid_flush_mask;
# endif
#endif
And wrap the body of invalidate_user_asid() in an #ifdef
CONFIG_MITIGATION_PAGE_TABLE_ISOLATION. The entry assembly code is
already under such an #ifdef.
And once we do that it becomes obvious that the two definitions of
user_pcid_flush_mask can be merged by doing something like:
#ifdef CONFIG_BROADCAST_TLB_FLUSH
# define CR3_AVAIL_PCID_LONGS ((1 << CR3_AVAIL_PCID_BITS) / BITS_PER_LONG)
#else
# define CR3_AVAIL_PCID_LONGS 1
#endif
#ifdef CONFIG_MITIGATION_PAGE_TABLE_ISOLATION
unsigned long user_pcid_flush_mask[CR3_AVAIL_PCID_LONGS];
#endif
(Or so, if I counted my bits and longs right.)
And we can drop the ugly & fragile type cast in invalidate_user_asid():
- __set_bit(kern_pcid(asid),
- (unsigned long *)this_cpu_ptr(&cpu_tlbstate.user_pcid_flush_mask));
+ __set_bit(kern_pcid(asid), this_cpu_ptr(cpu_tlbstate.user_pcid_flush_mask));
And yeah, this means user_pcid_flush_mask is a long on
!CONFIG_BROADCAST_TLB_FLUSH kernels, while it was a short before.
Literally nobody cares, because it's enabled on all distro kernels that
have CPU_SUP_AMD:
config BROADCAST_TLB_FLUSH
def_bool y
depends on CPU_SUP_AMD && 64BIT
Literally no Linux distribution is going to have this option disabled.
Ie. we'd be uglifying and obfuscating the code for a config that people
aren't actually using...
3)
If we are going to grow user_pcid_flush_mask from 2 bytes to 256 bytes
then please reorder 'struct tlb_state' for cache efficiency: at minimum
the ::cr4 shadow should move to before ::user_pcid_flush_mask. But I
think we should probably move user_pcid_flush_mask to the end of the
structure, where it does the least damage to cache layout.
Thanks,
Ingo
Powered by blists - more mailing lists