From: Babu Moger <babu.moger@amd.com>
To: Josh Poimboeuf <jpoimboe@redhat.com>, "Moger, Babu" <bmoger@amd.com>
Cc: bp@alien8.de, bsd@redhat.com, corbet@lwn.net, hpa@zytor.com,
linux-kernel@vger.kernel.org, mingo@redhat.com,
tglx@linutronix.de, x86@kernel.org
Subject: Re: [v6 1/1] x86/bugs: Implement mitigation for Predictive Store
Date: Tue, 7 Sep 2021 18:15:53 -0500 [thread overview]
Message-ID: <35a32225-25d3-88eb-f427-14c93c38c97b@amd.com> (raw)
In-Reply-To: <20210904172334.lfjyqi4qfzvbxef7@treble>
On 9/4/21 12:23 PM, Josh Poimboeuf wrote:
> On Fri, Sep 03, 2021 at 07:52:43PM -0500, Moger, Babu wrote:
>>> BTW, is the list of PSF-affected CPUs the same as the list of
>>> SSB-affected CPUs? If there might be PSF CPUs which don't have SSB,
>>> then more logic will need to be added to ensure a sensible default.
>> I can't think of a scenario where it is not same on a system.
>
> To clarify, I'm asking about CPU capabilities. Are there any AMD CPUs
> with the PSF feature, which don't have SSB?
No. That combination is not there. It is always SSB + PSF.
>
>>> On a related note, is there a realistic, non-hypothetical need to have
>>> separate policies and cmdline options for both SSB and PSF? i.e. is
>>> there a real-world scenario where a user needs to disable PSF while
>>> leaving SSB enabled?
>>
>> https://nam11.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.amd.com%2Fsystem%2Ffiles%2Fdocuments%2Fsecurity-analysis-predictive-store-forwarding.pdf&data=04%7C01%7CBabu.Moger%40amd.com%7Cfcbc2781e8b54ed6ca6b08d96fc8bdf2%7C3dd8961fe4884e608e11a82d994e183d%7C0%7C0%7C637663730522361553%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=eI8DisfM4gpj%2B4AOfOUFGOFRZP6zqhSsTJIwINHK5GY%3D&reserved=0 <https://nam11.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.amd.com%2Fsystem%2Ffiles%2Fdocuments%2Fsecurity-analysis-predictive-store-forwarding.pdf&data=04%7C01%7CBabu.Moger%40amd.com%7Cfcbc2781e8b54ed6ca6b08d96fc8bdf2%7C3dd8961fe4884e608e11a82d994e183d%7C0%7C0%7C637663730522361553%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=eI8DisfM4gpj%2B4AOfOUFGOFRZP6zqhSsTJIwINHK5GY%3D&reserved=0>
>> There are some examples in the document. Probably it is too soon to tell if
>> those are real real-world scenarios as this feature is very new.
>
> I didn't see any actual examples. Are you referring to this sentence?
Agree. It is not an actual example. There is also this text about where it
can be useful.
"AMD believes that for most applications, the security risk of PSF is
likely low and where isolation is required, techniques such as address
space isolation are preferred over software sandboxing."
>
> "PSFD may be desirable for software which is concerned with the
> speculative behavior of PSF but desires a smaller performance impact
> than setting SSBD."
>
>>> Because trying to give them separate interfaces, when PSF disable is
>>> intertwined with SSB disable in hardware, is awkward and confusing. And
>>> the idea of adding another double-negative interface (disable=off!),
>>> just because a vulnerability is considered to be a CPU "feature", isn't
>>> very appetizing.
>>>
>>> So instead of adding a new double-negative interface, which only *half*
>>> works due to the ssb_disable dependency, and which is guaranteed to
>>> further confuse users, and which not even be used in the real world
>>> except possibly by confused users...
>>>
>>> I'm wondering if we can just start out with the simplest possible
>>> approach: don't change any code and instead just document the fact that
>>> "spec_store_bypass_disable=" also affects PSF.
>>>
>>> Then, later on, if a real-world need is demonstrated, actual code could
>>> be added to support disabling PSF independently (but of course it would
>>> never be fully independent since PSF disable is forced by SSB disable).
>>
>> Do you mean for now keep only 'on' and 'auto' and remove "off"?
>
> No, since PSF can already be mitigated with SSBD today, I'm suggesting
> that all code be removed from the patch and instead just update the
> documentation.
>
Hmm Interesting..
Just updating the documentation and without giving interface to enable or
disable will not be a much of a value add. In the earlier
discussion, the direction was to go with simple "on" and "off".
https://lore.kernel.org/lkml/202105101508.BC6CC99FAD@keescook/
But, I am not sure right now.
thanks
Babu
next prev parent reply other threads:[~2021-09-07 23:16 UTC|newest]
Thread overview: 21+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-05-17 22:00 [v6 0/1] Introduce support for PSF control Ramakrishna Saripalli
2021-05-17 22:00 ` [v6 1/1] x86/bugs: Implement mitigation for Predictive Store Forwarding Ramakrishna Saripalli
2021-05-18 2:55 ` Randy Dunlap
2021-05-18 12:27 ` Saripalli, RK
2021-05-18 20:35 ` Pawan Gupta
2021-05-19 5:38 ` Pawan Gupta
2021-05-19 13:19 ` Saripalli, RK
2021-05-19 5:50 ` Pawan Gupta
2021-09-01 20:20 ` [v6 1/1] x86/bugs: Implement mitigation for Predictive Store Babu Moger
2021-09-01 20:30 ` Babu Moger
2021-09-01 20:35 ` Babu Moger
2021-09-02 17:35 ` Pawan Gupta
2021-08-12 23:44 ` [v6 1/1] x86/bugs: Implement mitigation for Predictive Store Forwarding Josh Poimboeuf
2021-09-02 18:16 ` [v6 1/1] x86/bugs: Implement mitigation for Predictive Store Babu Moger
2021-09-03 0:07 ` Josh Poimboeuf
[not found] ` <dca004cf-bacc-1a1f-56d6-c06e8bec167a@amd.com>
2021-09-04 17:23 ` Josh Poimboeuf
2021-09-07 23:15 ` Babu Moger [this message]
2021-09-08 18:20 ` Josh Poimboeuf
2021-09-10 16:08 ` Babu Moger
2021-09-09 16:20 ` Bandan Das
2021-06-17 20:47 ` [v6 0/1] Introduce support for PSF control Saripalli, RK
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=35a32225-25d3-88eb-f427-14c93c38c97b@amd.com \
--to=babu.moger@amd.com \
--cc=bmoger@amd.com \
--cc=bp@alien8.de \
--cc=bsd@redhat.com \
--cc=corbet@lwn.net \
--cc=hpa@zytor.com \
--cc=jpoimboe@redhat.com \
--cc=linux-kernel@vger.kernel.org \
--cc=mingo@redhat.com \
--cc=tglx@linutronix.de \
--cc=x86@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.