Re: [Patch v6 14/16] x86/speculation: Use STIBP to restrict speculation on non-dumpable task

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Tue, 20 Nov 2018, Linus Torvalds wrote:

> > Implements arch_update_spec_restriction() for x86.  Use STIBP to
> > restrict speculative execution when running a task set to non-dumpable,
> > or clear the restriction if the task is set to dumpable.
> 
> I don't think this necessarily makes sense.
> 
> The new "auto" behavior is that we aim to restrict untrusted code (and
> the loader of such code uses prctrl to set that flag), then this whole
> "set STIBP for non-dumpable" makes little sense.
> 
> A non-dumpable app by definition is *more* trusted, not less trusted.

I understand your argument. I believe actually both ways of protection do 
make sense in some way (but it doesn't mean we should do it by default). 
Basically:

- process marks itself "I am loading untrusted code" via that prctl() in 
  order to avoid its untrusted code to be used as spectrev2 gadgets

- process marks itself "I am loading untrusted code" via that prctl() in
  order to have its all threads/subprocesses marked the same way, so that
  one thread can't influence speculative code flow of the other in order
  to read its memory (the "javascript in one browser tab reads secrets 
  from another tab")

- non-dumpable tasks have the branch predictor flushed when 
  context switching to them (IBPB) or when sibling is running untrusted 
  code (STIBP) in order not guarantee that its speculative code flow can
  never be influenced by previous / sibling process mistraining branch
  predictor for it, and therefore do not allow reading its secrets from 
  memory through gadgets that'd have to be in the process code itself

But I agree there are many reasons why this shouldn't be done by default 
if we accept 'prctl' as the default mode. Namely:

- the whole "proper gadgets need to be present in the process' .text" is 
  dubious by itself

- the unavoidable overhead it'd impose on network daemons that you can't 
  really get rid of

The distiled patchset that Thomas will be sending around today is not have 
the dumpability restriction in it.

Thanks,

-- 
Jiri Kosina
SUSE Labs




[Index of Archives]     [Linux Kernel]     [Kernel Development Newbies]     [Linux USB Devel]     [Video for Linux]     [Linux Audio Users]     [Yosemite Hiking]     [Linux Kernel]     [Linux SCSI]

  Powered by Linux