From: Josh Poimboeuf <jpoimboe@redhat.com>
To: Andy Lutomirski <luto@kernel.org>
Cc: x86@kernel.org, Borislav Petkov <bp@alien8.de>,
LKML <linux-kernel@vger.kernel.org>,
Dave Hansen <dave.hansen@linux.intel.com>,
Adrian Hunter <adrian.hunter@intel.com>,
Alexander Shishkin <alexander.shishkin@linux.intel.com>,
Arnaldo Carvalho de Melo <acme@kernel.org>,
Linus Torvalds <torvalds@linux-foundation.org>,
Joerg Roedel <joro@8bytes.org>, Jiri Olsa <jolsa@redhat.com>,
Andi Kleen <ak@linux.intel.com>,
Peter Zijlstra <peterz@infradead.org>
Subject: Re: [PATCH v2 3/3] x86/pti/64: Remove the SYSCALL64 entry trampoline
Date: Fri, 7 Sep 2018 11:40:14 -0500 [thread overview]
Message-ID: <20180907164014.g6logz3piqptaj2s@treble> (raw)
In-Reply-To: <8c7c6e483612c3e4e10ca89495dc160b1aa66878.1536015544.git.luto@kernel.org>
On Mon, Sep 03, 2018 at 03:59:44PM -0700, Andy Lutomirski wrote:
> The SYSCALL64 trampoline has a couple of nice properties:
>
> - The usual sequence of SWAPGS followed by two GS-relative accesses to
> set up RSP is somewhat slow because the GS-relative accesses need
> to wait for SWAPGS to finish. The trampoline approach allows
> RIP-relative accesses to set up RSP, which avoids the stall.
>
> - The trampoline avoids any percpu access before CR3 is set up,
> which means that no percpu memory needs to be mapped in the user
> page tables. This prevents using Meltdown to read any percpu memory
> outside the cpu_entry_area and prevents using timing leaks
> to directly locate the percpu areas.
>
> The downsides of using a trampoline may outweigh the upsides, however.
> It adds an extra non-contiguous I$ cache line to system calls, and it
> forces an indirect jump to transfer control back to the normal kernel
> text after CR3 is set up. The latter is because x86 lacks a 64-bit
> direct jump instruction that could jump from the trampoline to the entry
> text. With retpolines enabled, the indirect jump is extremely slow.
>
> This patch changes the code to map the percpu TSS into the user page
> tables to allow the non-trampoline SYSCALL64 path to work under PTI.
> This does not add a new direct information leak, since the TSS is
> readable by Meltdown from the cpu_entry_area alias regardless. It
> does allow a timing attack to locate the percpu area, but KASLR is
> more or less a lost cause against local attack on CPUs vulnerable to
> Meltdown regardless. As far as I'm concerned, on current hardware,
> KASLR is only useful to mitigate remote attacks that try to attack
> the kernel without first gaining RCE against a vulnerable user
> process.
>
> On Skylake, with CONFIG_RETPOLINE=y and KPTI on, this reduces
> syscall overhead from ~237ns to ~228ns.
>
> There is a possible alternative approach: we could instead move the
> trampoline within 2G of the entry text and make a separate copy for
> each CPU. Then we could use a direct jump to rejoin the normal
> entry path.
>
> Signed-off-by: Andy Lutomirski <luto@kernel.org>
The following commit should also be reverted:
4d99e4136580 ("perf machine: Workaround missing maps for x86 PTI entry trampolines")
--
Josh
next prev parent reply other threads:[~2018-09-07 16:40 UTC|newest]
Thread overview: 24+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-09-03 22:59 [PATCH v2 0/3] x86/pti: Get rid of entry trampolines and add some docs Andy Lutomirski
2018-09-03 22:59 ` [PATCH v2 1/3] x86/entry/64: Document idtentry Andy Lutomirski
2018-09-06 9:50 ` Borislav Petkov
2018-09-08 9:33 ` [tip:x86/pti] " tip-bot for Andy Lutomirski
2018-09-03 22:59 ` [PATCH v2 2/3] x86/entry/64: Use the TSS sp2 slot for SYSCALL/SYSRET scratch space Andy Lutomirski
2018-09-07 8:00 ` Borislav Petkov
2018-09-08 9:34 ` [tip:x86/pti] " tip-bot for Andy Lutomirski
2018-09-03 22:59 ` [PATCH v2 3/3] x86/pti/64: Remove the SYSCALL64 entry trampoline Andy Lutomirski
2018-09-04 7:04 ` Peter Zijlstra
2018-09-05 21:31 ` Andy Lutomirski
2018-09-07 12:36 ` Peter Zijlstra
2018-09-07 19:54 ` Thomas Gleixner
2018-09-08 0:04 ` Linus Torvalds
2018-09-08 4:32 ` Andy Lutomirski
2018-09-08 6:36 ` Thomas Gleixner
2018-09-08 6:33 ` Thomas Gleixner
2018-09-07 9:35 ` Borislav Petkov
2018-09-07 16:40 ` Josh Poimboeuf [this message]
2018-09-08 4:35 ` Andy Lutomirski
2018-09-08 9:35 ` [tip:x86/pti] " tip-bot for Andy Lutomirski
2018-09-08 9:57 ` tip-bot for Andy Lutomirski
2018-09-12 19:33 ` tip-bot for Andy Lutomirski
2018-09-12 19:36 ` tip-bot for Andy Lutomirski
2018-09-04 3:43 ` [PATCH v2 0/3] x86/pti: Get rid of entry trampolines and add some docs Linus Torvalds
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20180907164014.g6logz3piqptaj2s@treble \
--to=jpoimboe@redhat.com \
--cc=acme@kernel.org \
--cc=adrian.hunter@intel.com \
--cc=ak@linux.intel.com \
--cc=alexander.shishkin@linux.intel.com \
--cc=bp@alien8.de \
--cc=dave.hansen@linux.intel.com \
--cc=jolsa@redhat.com \
--cc=joro@8bytes.org \
--cc=linux-kernel@vger.kernel.org \
--cc=luto@kernel.org \
--cc=peterz@infradead.org \
--cc=torvalds@linux-foundation.org \
--cc=x86@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.