[Patch v7 00/18] Provide task property based options to enable Spectre v2 userspace-userspace protection

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



My apology that the v6 patches are missing the first two patch in
the series.  Resending the patch series as v7.

Fix in this version bugs causing build problems for UP configuration.

Also merged in Jiri's change to extend STIBP for SECCOMP processes and
renaming TIF_STIBP to TIF_SPEC_INDIR_BRANCH.

I've updated the boot options spectre_v2_app2app to 
on, off, auto, prctl and seccomp.  This aligns with
the options for other speculation related mitigations.

I tried to incorporate sched_smt_present to detect when we have all SMT
going offline and we can disable the SMT path that Peter suggested.
this is an optimization that can be easily left out of the patch
series.  I've put these two patches at the end and they can be considered
separately.

I've dropped the TIF flags re-organization patches
as they are orthogonal to this patch series.

To do: Create a dedicated document on the mitigation options for Spectre V2.

Since Jiri's patchset to always turn on STIBP
has big performance impact, I think that it should
be reverted from 4.20 and stable kernels for now, till this
patchset to mitigate its performance impact can be merged
with it.

Thanks.

Tim

Patch 1 to 3 are clean up patches.
Patch 4 and 5 disable STIBP for enhacned IBRS.
Patch 6 to 9 reorganize and clean up the code without affecting
 functionality for easier modification later.
Patch 10 introduces the STIBP flag on a task to dynamically
 enable STIBP for that task.
Patch 11 introduces different modes to protect a
 task against Spectre v2 user space attack.
Patch 12 adds prctl interface to turn on Spectre v2 user mode defenses on a task. 
Patch 13 Put IBPB usage under the mode chosen for app2app mitigation.
Patch 14 Add STIBP protection for SECCOMP tasks.
Patch 15-16 add Spectre v2 defenses for non-dumpable tasks.
Patch 15-16 reorganizes the TIF flags, and can be dropped without affecting this series 
Patch 17-18 When there are no paired SMT left, disable SMT specific code

Changes:
v6:
1. Fix bugs for UP build configuration.
2. Add protection for SECCOMP tasks. 
3. Rename TIF_STIBP to TIF_SPEC_INDIR_BRANCH.
4. Update boot options to align with other speculation mitigations.
5. Separate out IBPB change that makes it depend on TIF_SPEC_INDIR_BRANCH.
6. Move some checks for SPEC_CTRL updates to spec_ctrl_update_msr to avoid
unnecesseary MSR writes.
7. Drop TIF reorg patches.
8. Incorporate optimization to disable SMT code paths when no paired SMT is present.

v5:
1. Drop patch to extend TIF_STIBP changes to all related threads on 
a task's dumpabibility change.
2. Drop patch to replace sched_smt_present with cpu_smt_enabled.
3. Drop export of cpu_smt_control in kernel/cpu.c and replace external
usages of cpu_smt_control with cpu_smt_enabled.
4. Rebase patch series on 4.20-rc2.

v4:
1. Extend STIBP update to all threads of a process changing
it dumpability.
2. Add logic to update SPEC_CTRL MSR on a remote CPU when TIF flags
affecting speculation changes for task running on the remote CPU.
3. Regroup x86 TIF_* flags according to their functions.
4. Various code clean up.

v3:
1. Add logic to skip STIBP when Enhanced IBRS is used.
2. Break up v2 patches into smaller logical patches. 
3. Fix bug in arch_set_dumpable that did not update SPEC_CTRL
MSR right away when according to task's STIBP flag clearing which
caused SITBP to be left on.
4. Various code clean up. 

v2:
1. Extend per process STIBP to AMD cpus
2. Add prctl option to control per process indirect branch speculation
3. Bug fixes and cleanups 

Jiri's patchset to harden Spectre v2 user space mitigation makes IBPB
and STIBP in use for Spectre v2 mitigation on all processes.  IBPB will
be issued for switching to an application that's not ptraceable by the
previous application and STIBP will be always turned on.

However, leaving STIBP on all the time is expensive for certain
applications that have frequent indirect branches. One such application
is perlbench in the SpecInt Rate 2006 test suite which shows a
21% reduction in throughput.
There're also reports of drop in performance on Python and PHP benchmarks:
https://www.phoronix.com/scan.php?page=article&item=linux-420-bisect&num=2

Other applications like bzip2 with minimal indirct branches have
only a 0.7% reduction in throughput. IBPB will also impose
overhead during context switches.

Users may not wish to incur performance overhead from IBPB and STIBP for
general non security sensitive processes and use these mitigations only
for security sensitive processes.

This patchset provides a process property based lite protection mode.
In this mode, IBPB and STIBP mitigation are applied only to security
sensitive non-dumpable processes and processes that users want to protect
by having indirect branch speculation disabled via PRCTL.  So the overhead
from IBPB and STIBP are avoided for low security processes that don't
require extra protection.



Jiri Kosina (1):
  x86/speculation: Add 'seccomp' Spectre v2 app to app protection mode

Peter Zijlstra (1):
  sched/smt: Make sched_smt_present track topology

Tim Chen (16):
  x86/speculation: Clean up spectre_v2_parse_cmdline()
  x86/speculation: Remove unnecessary ret variable in cpu_show_common()
  x86/speculation: Reorganize cpu_show_common()
  x86/speculation: Add X86_FEATURE_USE_IBRS_ENHANCED
  x86/speculation: Disable STIBP when enhanced IBRS is in use
  x86/speculation: Rename SSBD update functions
  x86/speculation: Reorganize speculation control MSRs update
  smt: Create cpu_smt_enabled static key for SMT specific code
  x86/smt: Convert cpu_smt_control check to cpu_smt_enabled static key
  x86/speculation: Turn on or off STIBP according to a task's TIF_STIBP
  x86/speculation: Add Spectre v2 app to app protection modes
  x86/speculation: Create PRCTL interface to restrict indirect branch
    speculation
  x86/speculation: Enable IBPB for tasks with
    TIF_SPEC_BRANCH_SPECULATION
  security: Update speculation restriction of a process when modifying
    its dumpability
  x86/speculation: Use STIBP to restrict speculation on non-dumpable
    task
  x86/smt: Allow disabling of SMT when last SMT is offlined

 Documentation/admin-guide/kernel-parameters.txt |  34 +++
 Documentation/userspace-api/spec_ctrl.rst       |   9 +
 arch/x86/include/asm/cpufeatures.h              |   1 +
 arch/x86/include/asm/msr-index.h                |   6 +-
 arch/x86/include/asm/nospec-branch.h            |  10 +
 arch/x86/include/asm/spec-ctrl.h                |  18 +-
 arch/x86/include/asm/thread_info.h              |   5 +-
 arch/x86/kernel/cpu/bugs.c                      | 336 +++++++++++++++++++++---
 arch/x86/kernel/process.c                       |  58 +++-
 arch/x86/kvm/vmx.c                              |   2 +-
 arch/x86/mm/tlb.c                               |  23 +-
 fs/exec.c                                       |   3 +
 include/linux/cpu.h                             |  31 ++-
 include/linux/sched.h                           |   9 +
 include/uapi/linux/prctl.h                      |   1 +
 kernel/cpu.c                                    |  28 +-
 kernel/cred.c                                   |   5 +-
 kernel/sched/core.c                             |  19 +-
 kernel/sched/sched.h                            |   2 -
 kernel/sys.c                                    |   7 +
 tools/include/uapi/linux/prctl.h                |   1 +
 21 files changed, 526 insertions(+), 82 deletions(-)

-- 
2.9.4




[Index of Archives]     [Linux Kernel]     [Kernel Development Newbies]     [Linux USB Devel]     [Video for Linux]     [Linux Audio Users]     [Yosemite Hiking]     [Linux Kernel]     [Linux SCSI]

  Powered by Linux