Re: [PATCH 2/3] x86/speculation: Support Automatic IBRS

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Fri, Nov 11, 2022 at 4:46 PM Kim Phillips <kim.phillips@xxxxxxx> wrote:
>
> On 11/11/22 6:40 AM, Thadeu Lima de Souza Cascardo wrote:
> > On Fri, Nov 11, 2022 at 01:09:37PM +0100, Borislav Petkov wrote:
> >> On Mon, Nov 07, 2022 at 04:39:02PM -0600, Kim Phillips wrote:
> >>> I've started a version that has AUTOIBRS reuse SPECTRE_V2_EIBRS
> >>> spectre_v2_mitigation enum, but, so far, it's change to bugs.c
> >>> looks bigger: 58 lines changed vs. 34 (see below).
> >>
> >> It can be smaller. You simply do:
> >>
> >>      if (cpu_has(c, X86_FEATURE_AUTOIBRS))
> >>              setup_force_cpu_cap(X86_FEATURE_IBRS_ENHANCED);
> >>
> >> and the rest should just work - see below.
> >>
> >> And yes, as Peter says, when the user requests something, the user
> >> should get it. No matter whether it makes sense or not.
>
> OK & thanks.
>
> >> @@ -1474,11 +1477,19 @@ static void __init spectre_v2_select_mitigation(void)
> >>              break;
> >>
> >>      case SPECTRE_V2_CMD_EIBRS_LFENCE:
> >> -            mode = SPECTRE_V2_EIBRS_LFENCE;
> >> +            if (boot_cpu_has(X86_FEATURE_AUTOIBRS)) {
> >> +                    pr_err(SPECTRE_V2_EIBRS_AMD_MSG);
> >> +                    mode = SPECTRE_V2_EIBRS;
> >> +            } else
> >> +                    mode = SPECTRE_V2_EIBRS_LFENCE;
> >>              break;
> >>
> >>      case SPECTRE_V2_CMD_EIBRS_RETPOLINE:
> >> -            mode = SPECTRE_V2_EIBRS_RETPOLINE;
> >> +            if (boot_cpu_has(X86_FEATURE_AUTOIBRS)) {
> >> +                    pr_err(SPECTRE_V2_EIBRS_AMD_MSG);
> >> +                    mode = SPECTRE_V2_EIBRS;
> >> +            } else
> >> +                    mode = SPECTRE_V2_EIBRS_RETPOLINE;
> >>              break;
> >>      }
> >>
> >
> > I am confused here. Isn't the agreement that the user should get what they
> > asked for? That is, instead of warning and changing the mode to
> > SPECTRE_V2_EIBRS, the kernel should still use lfence or retpoline as requested?
> >
> > The point of those options was to protect against Branch History Injection
> > attacks and Intra-Mode Branch Target Injection attacks. The first one might not
> > affect the CPUs that support AUTOIBRS, though we haven't heard that.
> >
> > The second one (IMBTI) is very likely still possible with AUTOIBRS and
> > retpolines should still protect against those attacks. So users who want to be
> > paranoid should still be able to opt for "eibrs,retpoline" and have retpolines
> > enabled.
>
> I've removed the above and have the complete diff below.  It includes patch 1/3 and
> drops 3/3 for now due to Jim Mattson's comments.  After some more testing, I'll
> resubmit.

I bought the argument that AutoIBRS => Same Mode IBRS, so L2 should
not be able to steer L1's indirect branches, even if they share a
predictor mode.



[Index of Archives]     [Kernel Newbies]     [Security]     [Netfilter]     [Bugtraq]     [Linux FS]     [Yosemite Forum]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux RAID]     [Samba]     [Video 4 Linux]     [Device Mapper]     [Linux Resources]

  Powered by Linux