On 04/27/2018 03:26 PM, speck for Tim Chen wrote:
> On 04/27/2018 11:30 AM, speck for Linus Torvalds wrote:
>>
>>
>> On Fri, 27 Apr 2018, speck for Thomas Gleixner wrote:
>>> On Fri, 27 Apr 2018, speck for Thomas Gleixner wrote:
>>>>
>>>> Sure. You set it on that sandbox thing and then the thread which is spawned
>>>> off from there can disable it. Brilliant idea.
>>>
>>> And in fact you want it even to inherit on exec because then you can start the
>>> JVM or whatever you want to protect with it disabled and never have to
>>> worry about it again.
>>
>> I don't think that's the attack people are worried about.
>>
>> Basically, for the store buffer bypass, the *only* worry is JIT'ed code.
>> I don't think people expect it to leak from supervisor to user mode, for
>> example, so it's not primarily a protection domain issue.
>>
>> It's almost purely a "I generated code assuming the architecture would
>> actually execute the code I wrote" issue.
>>
>> That means that it's not like you're really executing "untrusted" code in
>> general. Your jitted code isn't going to just run random sysctl's without
>> any checking or anything like that. You trust your JVM to take care of
>> *those* kinds of security issues.
>>
>> So "user can turn it on and off as they please" is not really an issue. In
>> fact, it could easily be seen as a feature. Making it expensive or hard to
>> turn off the mitigation means that you can't necessarily just turn it on
>> temporarily for the code you really care about.
> I'll keep the option in prctl to turn the mitigation off then till we
> find a strong reason to do otherwise.

Konrad and I are sitting here chatting in my office. We debated the
enumeration for this. Do we think simply calling and getting an EINVAL
on older kernels is ok, or do we need a specific enumeration for the
ability to control SSB from software? An enumeration would be nice.

You might want to look to how the kernel handles MPX today to indicate
whether the prctl is implemented, and also whether it is runtime supported.
(he's not got his encrypted email in front of him but he says he'll work
in your update to his patch series if you send it out tonight)

Jon.

-- 
Computer Architect | Sent from my Fedora powered laptop
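The enumeration question above, worked through as an added C example that is not from the thread or from the patch series under discussion: it uses the PR_GET_SPECULATION_CTRL / PR_SET_SPECULATION_CTRL prctl interface that eventually shipped in Linux 4.17 and separates the cases a program has to tell apart (EINVAL from an older kernel, a CPU that is not affected, a kernel that pinned the state at boot, and a kernel that lets the task choose). The `ssb_state` enum and the `classify_ssb`/`probe_ssb` helpers are my own names, not kernel API.

```c
#include <errno.h>
#include <stdio.h>
#include <sys/prctl.h>
#ifndef PR_SPEC_STORE_BYPASS   /* mirror <linux/prctl.h> (Linux 4.17+) for older build hosts */
#define PR_GET_SPECULATION_CTRL 52
#define PR_SET_SPECULATION_CTRL 53
#define PR_SPEC_STORE_BYPASS    0
#define PR_SPEC_NOT_AFFECTED    0
#define PR_SPEC_PRCTL           (1UL << 0)  /* per-task control is available */
#define PR_SPEC_ENABLE          (1UL << 1)  /* speculation on  = mitigation off */
#define PR_SPEC_DISABLE         (1UL << 2)  /* speculation off = mitigation on  */
#define PR_SPEC_FORCE_DISABLE   (1UL << 3)  /* mitigation on and locked for the task */
#endif

enum ssb_state {
    SSB_PRCTL_UNSUPPORTED, /* EINVAL: kernel predates the interface */
    SSB_PRCTL_ERROR,       /* other failure, e.g. ENODEV */
    SSB_NOT_AFFECTED,      /* CPU not vulnerable, nothing to control */
    SSB_FIXED_BY_KERNEL,   /* boot option pinned the state, no per-task control */
    SSB_CONTROLLABLE_OFF,  /* per-task control, mitigation currently off */
    SSB_CONTROLLABLE_ON    /* per-task control, mitigation currently on */
};
/* Pure decoder (ret = prctl() return value, err = errno when ret < 0), testable offline. */
enum ssb_state classify_ssb(long ret, int err)
{
    if (ret < 0)
        return err == EINVAL ? SSB_PRCTL_UNSUPPORTED : SSB_PRCTL_ERROR;
    if (ret == PR_SPEC_NOT_AFFECTED)
        return SSB_NOT_AFFECTED;
    if (!(ret & PR_SPEC_PRCTL))
        return SSB_FIXED_BY_KERNEL;
    /* With PR_SPEC_PRCTL set, only a bare PR_SPEC_ENABLE means the mitigation is off. */
    return (ret & ~PR_SPEC_PRCTL) == PR_SPEC_ENABLE ? SSB_CONTROLLABLE_OFF
                                                     : SSB_CONTROLLABLE_ON;
}
enum ssb_state probe_ssb(void)
{
    long ret = prctl(PR_GET_SPECULATION_CTRL, PR_SPEC_STORE_BYPASS, 0, 0, 0);
    return classify_ssb(ret, ret < 0 ? errno : 0);
}
int main(void)
{
    enum ssb_state st = probe_ssb();   /* opt in only when the task may choose */
    if (st == SSB_CONTROLLABLE_OFF &&
        prctl(PR_SET_SPECULATION_CTRL, PR_SPEC_STORE_BYPASS, PR_SPEC_DISABLE, 0, 0) == 0)
        st = probe_ssb();
    printf("SSB state: %d (enum ssb_state)\n", st);
    return 0;
}
```

On a kernel without the interface the first call fails with EINVAL, which is exactly the "older kernel" signal debated in the thread, while PR_SPEC_NOT_AFFECTED versus the PR_SPEC_PRCTL bit gives the finer enumeration Jon asked for.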