[MODERATED] GPZv4

[MODERATED] GPZv4

[Jon Masters]

[-- Attachment #1: Type: text/plain, Size: 5855 bytes --]

Hi all,

We're working on numerous current and upcoming issues, alongside our
peer vendors. Looking forward to collaboration with everyone here (I
have some reproducers that I've built). I gather you're all read in on
those too, but meanwhile, let's discuss a few things about variant 4.

A broad range of vendors are impacted by variant 4 (Speculative Store
Bypass), but the exposure varies of course, as do the mitigations. I
have personally spoken with 10 different vendors so far and would like
to synthesize what I know below, along with some suggestions. I'll be
getting back to Konrad with some proposals for his patches rsn.

Classes of attack
-----------------

We're concerned not only with the (quite viable) attack against JITs and
sandboxes (e.g. JavaScript) in which a malicious address is written to a
variable whose type is subsequently changed and used as a memory gadget,
but also with stack attacks. Depending upon the uarch[0] it might be
(theoretically) possible to construct a gadget that reads memory based
upon reuse of older stack frames (older entry containing possibly
untrusted user data is forwarded speculatively). Similar works with
uninitialized variables in Java, though we haven't repro'd that yet.

The point is it's not just about turning of SSB/MD for specific
processes. It's potentially a bigger attack. At least AFAICS on x86
today the existing retpoline lfences keep us safe on syscall entry save
of registers at least up until we make the actual function call. But
after that, it's possible that a gadget could be found in a syscall.
This would mean either convincing ourselves that the stack attack is
infeasible, toggling the MD bit on every kernel entry (too painful in
most cases), or creating a scanning tool and looking for gadgets.

It is my believe anyway that we need at least following:

1). A boot time big hammer to disable SSB
	- I propose "ssb=" with options of "on", "off", and perhaps
	  later also "userspace" to allow it to be prctl()'d per task
	- It is unclear whether a "kernel" version makes sense
2). A new prctl that allows a task to request it be disabled (seccomp
alone isn't sufficient since we can't migrate everything to seccomp)

We would generally fallback to the first option for total safety but
hopefully convert most of the obvious attack vectors to use the second.
That is, if we can convince ourselves that the stack attack is unlikely
(and this will vary from one uarch to another).

RED HAT NOTE: On the RH end we are leaning toward default disabling SSB
globally on boot unless we can get all of the other vendors to agree
with leaving it on and have them make the ask/statement that this is
considered safe to do. The risk doesn't outweigh the benefit. AMD in
particular would like to retain this on by default, and I've instigated
discussions between them and Intel on this, as well as Microsoft.

Cross-architecture solution
---------------------------

Intel refer to this technique as "Smart Memory Access" and "Memory
Disambiguation", but the industry term (as used by GPZ) is "Speculative
Store Bypass". Therefore, I suggest that Linux refer to this technique
also as "SSB" for cross-architecture mitigation.

Here's the exposure as I understand it so far:

* Intel - They have exposed the new MD bit of SPEC_CTRL. The uarch will
default to MD enabled while Intel will provide recommendations. Plenty
of Intel folks already involved so I imagine they can handle this part.

* AMD - They have chicken bits that can disable SSB. They won't provide
these except on the condition that we agree not to disable by default.
Therefore, I have the magic bit info but can't share it quite yet. It
involves writing into two uarch specific MSRs and won't be SPEC_CTRL. I
can assist coordinating whatever is agreed here getting back to AMD.

* Arm - I've requested a new SMC for SSB disabling (SMCC similar to for
Spectre) and this has been allocated. It's currently under review. This
would fit with "ssb=" nomenclature and behave identically to x86. I've
spoken with a half dozen different Arm licensees about individual
exposure and their ability to adopt the overall SMC interface on kernel
entry/exit as necessary, or via a global hammer at boot time. I hear
Will has the ball on the Arm kernel end for working this and I would
like us to agree soon on kernel interfaces. I can assist coordinating.

* IBM p - A new "stf-flush" (store forward flush) instruction has been
allocated that will be used on every entry/exit to/from the kernel to
mitigate against the kernel stack attack. Working on additional bits. I
would like them to align around something like "ssb" for options. I am
coordinating with the architecture team, while Anton has the ball on the
IBM kernel end for this. I can summarize any interfaces agreed here.

* IBM z - Not vulnerable to the stack attack. Working on defining
additional facility that will allow for further mitigations. I am
coordinating with the design team, expect Martin will handle kernel. I
can coordinate whatever is agreed here feeding back into IBM z team.

The above is just for architectures that we track on the Red Hat end.

Next steps
----------

Currently looking at Konrad's initial patches. I'm proposing to change
"mdd" to "ssb" as above, and only define the big hammer for now while we
discuss what should be the prctl() type interfaces for per-task control.

Best,

Jon.

[0] Some uarches will allow speculative store bypass for same base
pointer, while others will not. For example, Intel will allow a bypass
to occur for the same stack location, but AMD never will provided a
common stack base pointer is used. Similarly, IBM z never will.

-- 
Computer Architect | Sent from my Fedora powered laptop

[MODERATED] Re: GPZv4

[Borislav Petkov]

On Tue, Apr 17, 2018 at 02:26:58PM -0400, speck for Jon Masters wrote:
> * AMD - They have chicken bits that can disable SSB. They won't provide
> these except on the condition that we agree not to disable by default.
> Therefore, I have the magic bit info but can't share it quite yet. It

Oh, we know the bits.

> involves writing into two uarch specific MSRs and won't be SPEC_CTRL. I
> can assist coordinating whatever is agreed here getting back to AMD.

There's nothing to coordinate - the default setting should be off on
AMD, that's it.

-- 
Regards/Gruss,
    Boris.

SUSE Linux GmbH, GF: Felix Imendörffer, Jane Smithard, Graham Norton, HRB 21284 (AG Nürnberg)
-- 

[MODERATED] Re: GPZv4

[Jon Masters]

[-- Attachment #1: Type: text/plain, Size: 1422 bytes --]

On 04/17/2018 03:31 PM, speck for Borislav Petkov wrote:
> On Tue, Apr 17, 2018 at 02:26:58PM -0400, speck for Jon Masters wrote:
>> * AMD - They have chicken bits that can disable SSB. They won't provide
>> these except on the condition that we agree not to disable by default.
>> Therefore, I have the magic bit info but can't share it quite yet. It
> 
> Oh, we know the bits.
> 
>> involves writing into two uarch specific MSRs and won't be SPEC_CTRL. I
>> can assist coordinating whatever is agreed here getting back to AMD.
> 
> There's nothing to coordinate - the default setting should be off on
> AMD, that's it.

Let's make sure we're talking about the right thing when we talk about
things being on or off. I usually always talk about a performance
feature being on or off, not a mitigation. Therefore, I read the above
as "MD is off by default", meaning the performance feature is disabled.

This is our current thinking. However, AMD disagree with this and prefer
to leave the feature enabled by default. That would mean having to (at a
minimum) address all of the userspace exposure with prctl(), seccomp(),
or other interfaces, and get that all done within the next month. For
the actual browsers, sure, there will be process isolation updates.

So can you clarify what you meant by "off on AMD" by default?

Jon.

-- 
Computer Architect | Sent from my Fedora powered laptop

[MODERATED] Re: GPZv4

[Borislav Petkov]

On Tue, Apr 17, 2018 at 03:56:55PM -0400, speck for Jon Masters wrote:
> Let's make sure we're talking about the right thing when we talk about
> things being on or off. I usually always talk about a performance
> feature being on or off, not a mitigation. Therefore, I read the above
> as "MD is off by default", meaning the performance feature is disabled.

I mean the opposite. MD is enabled, as it is the default setting
normally, on any CPU that has MD. So the performance feature remains
enabled.

> This is our current thinking. However, AMD disagree with this and prefer
> to leave the feature enabled by default.

Yes.

> That would mean having to (at a minimum) address all of the userspace
> exposure with prctl(), seccomp(), or other interfaces, and get that
> all done within the next month. For the actual browsers, sure, there
> will be process isolation updates.

Yes. Paranoid people can boot with mdd=on - meaning "memory
disambiguation disable - on"

   [ and yap, if anything, we very very quickly need to agree on one
     terminology and stick with it because the confusion will be insane...
   ]

or, in your suggested nomenclature, ssb=off.

The finer-grained stuff we can do in parallel.

> So can you clarify what you meant by "off on AMD" by default?

AFAIK, AMD wants MD on by default, i.e., unchanged from the current
setting. The user who wants to buy into the perf hit and is paranoid
will be able to disable MD and thus enable the mitigation.

-- 
Regards/Gruss,
    Boris.

SUSE Linux GmbH, GF: Felix Imendörffer, Jane Smithard, Graham Norton, HRB 21284 (AG Nürnberg)
-- 

[MODERATED] Re: GPZv4

[Jon Masters]

[-- Attachment #1: Type: text/plain, Size: 3290 bytes --]

On 04/17/2018 04:37 PM, speck for Borislav Petkov wrote:
> On Tue, Apr 17, 2018 at 03:56:55PM -0400, speck for Jon Masters wrote:
>> Let's make sure we're talking about the right thing when we talk about
>> things being on or off. I usually always talk about a performance
>> feature being on or off, not a mitigation. Therefore, I read the above
>> as "MD is off by default", meaning the performance feature is disabled.
> 
> I mean the opposite. MD is enabled, as it is the default setting
> normally, on any CPU that has MD. So the performance feature remains
> enabled.
> 
>> This is our current thinking. However, AMD disagree with this and prefer
>> to leave the feature enabled by default.
> 
> Yes.

Great! Then we're at least talking about the right thing, even if we
have differing opinions on the default ;)

[my one comment in this email on RHEL, feel free to skip next para]
Red Hat's perspective is that we need to be "secure by default". I would
/love/ to be able to leave MD enabled globally on all arches, but in
order for that to happen, everyone across the industry would have to
agree to that with no vendors going a different way at the 11th hour and
using it for PR win. To that end, I've asked all of the big players to
consider a commitment to this plan prior to RH making the default be
enabled. Intel and AMD agreed to go do some driving there, and I met
with MS in Redmond last week to discuss this in a bit more detail. If we
don't get such a plan in place, AMD would currently be the only uarch
for which we would leave the default of SSB enabled in RHEL (by virtue
of the terms under which we have the chicken bit information provided).

>> That would mean having to (at a minimum) address all of the userspace
>> exposure with prctl(), seccomp(), or other interfaces, and get that
>> all done within the next month. For the actual browsers, sure, there
>> will be process isolation updates.
> 
> Yes.

This is a fair amount of work. In particular, we don't have any prctl
defined yet and we need one for applications to use to toggle userspace.

> Paranoid people can boot with mdd=on - meaning "memory
> disambiguation disable - on"

Indeed.

>    [ and yap, if anything, we very very quickly need to agree on one
>      terminology and stick with it because the confusion will be insane...
>    ]
> 
> or, in your suggested nomenclature, ssb=off.
> 
> The finer-grained stuff we can do in parallel.

So we need to close on the following urgently:

1). What are we going to refer to this as?
	- MDD
	- SSB
	- something else?

In the case of "MDD" it's x86 specific and "enabling" it means you
disable a feature (MD). To me, that seems to be inverted logic. You
would set it to "on", "off", or "kernel" (MD only in userspace).

In the case of "SSB" it's more industry wide terminology but it's not
the Intel term. You would set it to "on", "off", or "userspace".

2). We need a prctl option for a task to request behavior for SSB. One
option could be a new PR_SET_MITIGATION where we then have minor
parameters for additional mitigations that are required later.

Can we get some closure on the two above asap?

Jon.

-- 
Computer Architect | Sent from my Fedora powered laptop

[MODERATED] Re: GPZv4

[Borislav Petkov]

On Tue, Apr 17, 2018 at 05:03:01PM -0400, speck for Jon Masters wrote:
> [my one comment in this email on RHEL, feel free to skip next para]
> Red Hat's perspective is that we need to be "secure by default". I would
> /love/ to be able to leave MD enabled globally on all arches, but in
> order for that to happen, everyone across the industry would have to

I don't think you can do global decisions like that - it should be
per-vendor thing as everything else arch-specific is and we do what the
vendor suggests.

> So we need to close on the following urgently:
> 
> 1). What are we going to refer to this as?
> 	- MDD
> 	- SSB
> 	- something else?
> 
> In the case of "MDD" it's x86 specific and "enabling" it means you
> disable a feature (MD). To me, that seems to be inverted logic. You
> would set it to "on", "off", or "kernel" (MD only in userspace).
> 
> In the case of "SSB" it's more industry wide terminology but it's not
> the Intel term. You would set it to "on", "off", or "userspace".

I for one - and this is just me - see the point of calling it something
vendor- and arch-agnostic so sbb I guess. But whatever, as long as it is
only one name and the logic is spelled out somewhere.

> 2). We need a prctl option for a task to request behavior for SSB. One
> option could be a new PR_SET_MITIGATION where we then have minor
> parameters for additional mitigations that are required later.

I'd look towards other people here for ideas. But prctl() sounds simple
enough to me.

-- 
Regards/Gruss,
    Boris.

SUSE Linux GmbH, GF: Felix Imendörffer, Jane Smithard, Graham Norton, HRB 21284 (AG Nürnberg)
-- 

Re: GPZv4

[Thomas Gleixner]

On Tue, 17 Apr 2018, speck for Jon Masters wrote:
> So we need to close on the following urgently:
>
> 1). What are we going to refer to this as?
> 	- MDD
> 	- SSB
> 	- something else?
> 
> In the case of "MDD" it's x86 specific and "enabling" it means you
> disable a feature (MD). To me, that seems to be inverted logic. You
> would set it to "on", "off", or "kernel" (MD only in userspace).

No it's not inverted logic. It's the same logic as kpti= and spectre_v2=
and we are not going to make this one the other way round just because.

So we need a acronym for it, which fits the problem. Either use the code
name for this thing like we did with spectre or 'mdd' which describes it
really well.

> 2). We need a prctl option for a task to request behavior for SSB. One
> option could be a new PR_SET_MITIGATION where we then have minor
> parameters for additional mitigations that are required later.

And we need ponies.....

Seriously. We do the simple 'xxx=' command line option now and have that
ready ASAP in case the embargo ends early.

The prctl is an optimization which can be done afterwards and we first need
to agree whether we want it at all. I'm not too fond of yet another
conditional branch in the entry/exit code. The code patching there is
already bad enough. If we keep up adding this crap at that rate then we
have sooner than later more NOOPs and conditionals than actual code.

Thanks,

	tglx

[MODERATED] Re: GPZv4

[Jiri Kosina]

On Tue, 17 Apr 2018, speck for Thomas Gleixner wrote:

> The prctl is an optimization which can be done afterwards and we first 
> need to agree whether we want it at all. I'm not too fond of yet another 
> conditional branch in the entry/exit code. The code patching there is 
> already bad enough. If we keep up adding this crap at that rate then we 
> have sooner than later more NOOPs and conditionals than actual code.

Plus the prctl() aproach opens a potential hole for attacks that can first 
trick some vulnerable binary to call prctl() (ROP, return into libc ...) 
on itself.

-- 
Jiri Kosina
SUSE Labs

[MODERATED] Re: GPZv4

[Jon Masters]

[-- Attachment #1: Type: text/plain, Size: 892 bytes --]

On 04/17/2018 05:25 PM, speck for Jiri Kosina wrote:
> On Tue, 17 Apr 2018, speck for Thomas Gleixner wrote:
> 
>> The prctl is an optimization which can be done afterwards and we first 
>> need to agree whether we want it at all. I'm not too fond of yet another 
>> conditional branch in the entry/exit code. The code patching there is 
>> already bad enough. If we keep up adding this crap at that rate then we 
>> have sooner than later more NOOPs and conditionals than actual code.
> 
> Plus the prctl() aproach opens a potential hole for attacks that can first 
> trick some vulnerable binary to call prctl() (ROP, return into libc ...) 
> on itself.

The proposal would be that it only allows you to go one-way. You can say
"I am vulnerable", turn off MD, but you can't say "I am not vulnerable".

Jon.

-- 
Computer Architect | Sent from my Fedora powered laptop

[MODERATED] Re: GPZv4

[Jiri Kosina]

On Tue, 17 Apr 2018, speck for Jon Masters wrote:

> The proposal would be that it only allows you to go one-way. You can say
> "I am vulnerable", turn off MD, but you can't say "I am not vulnerable".

That means we probably never reach full coverage; the problem with this 
"opt-in" aproach is that noone would ever bother (even more so as time 
passess) to add this explicit "I am vulnerable" call into the source; it's 
basically out of control, and thus unmaintainable.

-- 
Jiri Kosina
SUSE Labs

Re: GPZv4

[Thomas Gleixner]

On Tue, 17 Apr 2018, speck for Jiri Kosina wrote:

> On Tue, 17 Apr 2018, speck for Jon Masters wrote:
> 
> > The proposal would be that it only allows you to go one-way. You can say
> > "I am vulnerable", turn off MD, but you can't say "I am not vulnerable".
> 
> That means we probably never reach full coverage; the problem with this 
> "opt-in" aproach is that noone would ever bother (even more so as time 
> passess) to add this explicit "I am vulnerable" call into the source; it's 
> basically out of control, and thus unmaintainable.

We had the same discussion with the per process kpti control ...

[MODERATED] Re: GPZv4

[Jon Masters]

[-- Attachment #1: Type: text/plain, Size: 792 bytes --]

On 04/17/2018 06:01 PM, speck for Thomas Gleixner wrote:
> On Tue, 17 Apr 2018, speck for Jiri Kosina wrote:
> 
>> On Tue, 17 Apr 2018, speck for Jon Masters wrote:
>>
>>> The proposal would be that it only allows you to go one-way. You can say
>>> "I am vulnerable", turn off MD, but you can't say "I am not vulnerable".
>>
>> That means we probably never reach full coverage; the problem with this 
>> "opt-in" aproach is that noone would ever bother (even more so as time 
>> passess) to add this explicit "I am vulnerable" call into the source; it's 
>> basically out of control, and thus unmaintainable.
> 
> We had the same discussion with the per process kpti control ...

Ok. Big hammer it is.

Jon.

-- 
Computer Architect | Sent from my Fedora powered laptop

[MODERATED] Re: GPZv4

[Konrad Rzeszutek Wilk]

On Tue, Apr 17, 2018 at 06:02:47PM -0400, speck for Jon Masters wrote:
> On 04/17/2018 06:01 PM, speck for Thomas Gleixner wrote:
> > On Tue, 17 Apr 2018, speck for Jiri Kosina wrote:
> > 
> >> On Tue, 17 Apr 2018, speck for Jon Masters wrote:
> >>
> >>> The proposal would be that it only allows you to go one-way. You can say
> >>> "I am vulnerable", turn off MD, but you can't say "I am not vulnerable".
> >>
> >> That means we probably never reach full coverage; the problem with this 
> >> "opt-in" aproach is that noone would ever bother (even more so as time 
> >> passess) to add this explicit "I am vulnerable" call into the source; it's 
> >> basically out of control, and thus unmaintainable.
> > 
> > We had the same discussion with the per process kpti control ...
> 
> Ok. Big hammer it is.

1) Are you thinking of a mix of a) big hammer (at boot up always disable
memory disambiguation, aka mdd=auto or sbb=auto or sbbd=auto), along with b)
inverting the prctl to opt-out - that is applications that feel they are safe
can opt-out and do an prctl saying: memory disambiguation security issues
be dammed - I want memory disambiguation on to get that 5% performance
back. Obviously they would need to be new to know about this bit.

And then any old application would suffer the performance penalty but
would be secure.

?

2). SBB vs MDD vs SBBD.

MDD = Memory Disambiguation Disable
SBB = Speculative Store Bypass
SBBD = Speculative Store Bypass Disable

Thomas likes 'MDD', Jon likes 'SBB', but he is also fine with 'SBBD'.

3). Semantics of SBBD or MDD boot time knob. I followed the way spectre_v2 did it.

That is this is knob is to disable something and they are:
'auto' - follow what the platform recommends. This being linux upstream
         discussion means following:
		on AMD - enable memory disambiguation.
		on Intel - no clue. For testing purposes I've left it
                           as disable memory disambiguation.

'off' - ignore what the vendor/distro recommends.
'force' - disable it, even if the platform says enable it (like on AMD).

And then two more to figure out when to apply the security glue:
'boot' or 'userspace'.

This ties in to 1) - that is if we are not going to provide a 'userspace'
option then there is no need to even provide the 'boot' option
so then this sub-discussion becomes moot.

Thomas (and Linus if you are skulking in the background) - you are the
top-dog(s) here, can you give the guidance please so I can redo the
patches on Thursday/Friday?

P.S.
I know the AMD secret sauce bits and can do the patches for this, but
are other folks authorized for this?

[MODERATED] Re: GPZv4

[Jon Masters]

[-- Attachment #1: Type: text/plain, Size: 5814 bytes --]

On 04/17/2018 10:48 PM, speck for Konrad Rzeszutek Wilk wrote:
> On Tue, Apr 17, 2018 at 06:02:47PM -0400, speck for Jon Masters wrote:
>> On 04/17/2018 06:01 PM, speck for Thomas Gleixner wrote:
>>> On Tue, 17 Apr 2018, speck for Jiri Kosina wrote:
>>>
>>>> On Tue, 17 Apr 2018, speck for Jon Masters wrote:
>>>>
>>>>> The proposal would be that it only allows you to go one-way. You can say
>>>>> "I am vulnerable", turn off MD, but you can't say "I am not vulnerable".
>>>>
>>>> That means we probably never reach full coverage; the problem with this 
>>>> "opt-in" aproach is that noone would ever bother (even more so as time 
>>>> passess) to add this explicit "I am vulnerable" call into the source; it's 
>>>> basically out of control, and thus unmaintainable.
>>>
>>> We had the same discussion with the per process kpti control ...
>>
>> Ok. Big hammer it is.
> 
> 1) Are you thinking of a mix of a) big hammer (at boot up always disable
> memory disambiguation, aka mdd=auto or sbb=auto or sbbd=auto), along with b)
> inverting the prctl to opt-out - that is applications that feel they are safe
> can opt-out and do an prctl saying: memory disambiguation security issues
> be dammed - I want memory disambiguation on to get that 5% performance
> back. Obviously they would need to be new to know about this bit.
> 
> And then any old application would suffer the performance penalty but
> would be secure.
> 
> ?

I get the vibe that no prctl is going to be agreed here. We as a distro
can't introduce that without upstream support, so I'm currently thinking
it's a big hammer with "auto","on",off" options that defaults to
disabling MDD on boot with "auto" (which is the same logic as your
previous patch series, different terms). This is what I'm in the middle
of refactoring your previous patch series to do (and will send to you).

The performance hit is going to vary across uarches. It's up to 12% on
x86 systems if done globally, which is why I would like a prctl.

> 2). SBB vs MDD vs SBBD.
> 
> MDD = Memory Disambiguation Disable
> SBB = Speculative Store Bypass
> SBBD = Speculative Store Bypass Disable
> 
> Thomas likes 'MDD', Jon likes 'SBB', but he is also fine with 'SBBD'.

I'm refactoring your patches to recognize either "mdd" or "ssbd" (double
s, not sbb :) ) on x86 and then other arches can target the latter one.

> 3). Semantics of SBBD or MDD boot time knob. I followed the way spectre_v2 did it.
> 
> That is this is knob is to disable something and they are:
> 'auto' - follow what the platform recommends. This being linux upstream
>          discussion means following:
> 		on AMD - enable memory disambiguation.
> 		on Intel - no clue. For testing purposes I've left it
>                            as disable memory disambiguation.
> 
> 'off' - ignore what the vendor/distro recommends.
> 'force' - disable it, even if the platform says enable it (like on AMD).
> 
> And then two more to figure out when to apply the security glue:
> 'boot' or 'userspace'.

Indeed. Here's the current text as I reworded it:

--- begin ---
mdd stands for "Memory Disambiguation Disable". It is used to disable
a common industry performance optimization known as "Speculative
Store Bypass" in which loads from addresses to which a recent store
has occurred may (speculatively) see an older value. Intel refers
to this feature as "Memory Disambiguation", which is part of their
"Smart Memory Access" capability in Haswell and later processors.

Some processors have an implementation bug that enables a cache
side-channel attack against such speculatively read values. An
attacker can create exploit code that allows them to read memory
outside of a sandbox environment (for example, malicious JavaScript
in a web page), or to perform more complex attacks against code
running within the same privilege level, e.g. via the stack.

We provide two sets of knobs. The first are x86 specific:

 nomdd
 mdd=[off,auto,on]

We also support cross-architecture versions of these:

 nossbd
 ssbd=[off,auto,on]

By default Memory Disambiguation is enabled hence the parameters are:

 - auto - if possible will disable Memory Disambiguation (MD) at boot
          if CPU is vulnerable to speculation attacks against MD
 - on   - disable Memory Disambiguation
 - off  - enable Memory Disambiguation

And as mentioned - some CPUs may have an Memory Disambiguation
implementation is not vulnerable to speculation attack. For those,
the 'auto' (default) option will pick the right choice.
--- end ---

> This ties in to 1) - that is if we are not going to provide a 'userspace'
> option then there is no need to even provide the 'boot' option
> so then this sub-discussion becomes moot.

As it stands, I'm just refactoring to do the global knob. Regardless of
the prctl piece I think Thomas is 100% correct that we should have the
set get that right first, and then layer on any switching logic.

> Thomas (and Linus if you are skulking in the background) - you are the
> top-dog(s) here, can you give the guidance please so I can redo the
> patches on Thursday/Friday?

This would be great. I'll send you what I have directly when done and
you can use or not according to what is decided as the direction.

> P.S.
> I know the AMD secret sauce bits and can do the patches for this, but
> are other folks authorized for this?

The AMD bits were shared on the condition that MD not be disabled by
default on AMD without further discussion. Since I can't control what
others will do with those bits, I am not in a position to share them at
this time without further discussion with AMD. So, I think "no".

Jon.

-- 
Computer Architect | Sent from my Fedora powered laptop

[MODERATED] Re: GPZv4

[Jon Masters]

[-- Attachment #1: Type: text/plain, Size: 960 bytes --]

On 04/17/2018 11:44 PM, Jon Masters wrote:
> On 04/17/2018 10:48 PM, speck for Konrad Rzeszutek Wilk wrote:

>> 2). SBB vs MDD vs SBBD.
>>
>> MDD = Memory Disambiguation Disable
>> SBB = Speculative Store Bypass
>> SBBD = Speculative Store Bypass Disable
>>
>> Thomas likes 'MDD', Jon likes 'SBB', but he is also fine with 'SBBD'.
> 
> I'm refactoring your patches to recognize either "mdd" or "ssbd" (double
> s, not sbb :) ) on x86 and then other arches can target the latter one.

I'm also changing "md_mitigation" to "mdd_mitigation" and standardizing
on "md_" and "MDD_" prefixes. If we are to "enable" mitigations rather
than disabling features, then let's make sure that's what we're always
referring to it in that manner. Otherwise it's confusing to see "MD_ON"
meaning that MDD is set and we are actually not enabling MD. So I change
that to "MDD_ON", etc.

Jon.

-- 
Computer Architect | Sent from my Fedora powered laptop

[MODERATED] Re: GPZv4

[Jon Masters]

[-- Attachment #1: Type: text/plain, Size: 1132 bytes --]

On 04/18/2018 12:09 AM, Jon Masters wrote:
> On 04/17/2018 11:44 PM, Jon Masters wrote:
>> On 04/17/2018 10:48 PM, speck for Konrad Rzeszutek Wilk wrote:
> 
>>> 2). SBB vs MDD vs SBBD.
>>>
>>> MDD = Memory Disambiguation Disable
>>> SBB = Speculative Store Bypass
>>> SBBD = Speculative Store Bypass Disable
>>>
>>> Thomas likes 'MDD', Jon likes 'SBB', but he is also fine with 'SBBD'.
>>
>> I'm refactoring your patches to recognize either "mdd" or "ssbd" (double
>> s, not sbb :) ) on x86 and then other arches can target the latter one.
> 
> I'm also changing "md_mitigation" to "mdd_mitigation" and standardizing
> on "md_" and "MDD_" prefixes.
     ^^^ "mdd_" and "MDD_"

(ie always refer to "disabling" something so it's clear what it does)

> If we are to "enable" mitigations rather
> than disabling features, then let's make sure that's what we're always
> referring to it in that manner. Otherwise it's confusing to see "MD_ON"
> meaning that MDD is set and we are actually not enabling MD. So I change
> that to "MDD_ON", etc.


-- 
Computer Architect | Sent from my Fedora powered laptop

[MODERATED] Re: GPZv4

[Jon Masters]

[-- Attachment #1: Type: text/plain, Size: 2746 bytes --]

On 04/17/2018 11:44 PM, Jon Masters wrote:
> On 04/17/2018 10:48 PM, speck for Konrad Rzeszutek Wilk wrote:

>> And then two more to figure out when to apply the security glue:
>> 'boot' or 'userspace'.
> 
> Indeed. Here's the current text as I reworded it:
> 
> --- begin ---
> mdd stands for "Memory Disambiguation Disable". It is used to disable
> a common industry performance optimization known as "Speculative
> Store Bypass" in which loads from addresses to which a recent store
> has occurred may (speculatively) see an older value. Intel refers
> to this feature as "Memory Disambiguation", which is part of their
> "Smart Memory Access" capability in Haswell and later processors.
> 
> Some processors have an implementation bug that enables a cache
> side-channel attack against such speculatively read values. An
> attacker can create exploit code that allows them to read memory
> outside of a sandbox environment (for example, malicious JavaScript
> in a web page), or to perform more complex attacks against code
> running within the same privilege level, e.g. via the stack.
> 
> We provide two sets of knobs. The first are x86 specific:
> 
>  nomdd
>  mdd=[off,auto,on]
> 
> We also support cross-architecture versions of these:
> 
>  nossbd
>  ssbd=[off,auto,on]
> 
> By default Memory Disambiguation is enabled hence the parameters are:
> 
>  - auto - if possible will disable Memory Disambiguation (MD) at boot
>           if CPU is vulnerable to speculation attacks against MD
>  - on   - disable Memory Disambiguation
>  - off  - enable Memory Disambiguation
> 
> And as mentioned - some CPUs may have an Memory Disambiguation
> implementation is not vulnerable to speculation attack. For those,
> the 'auto' (default) option will pick the right choice.
> --- end ---

Additionally, your previous patch would turn MD back on when in the
kernel. I get why, but I think this is not safe. We know there are the
usual BPF exploits already, but more novel gadgets are likely, e.g.
against kernel stack, so it's definitely not safe to do that IMO. If
we're going to do more than a hammer later, then it should be *always*
MD disabled in the kernel, and possibly enabled in userspace.

I'm keeping spec_ctl_priv for now because I see why it makes sense to
have some baseline for the SPEC_CTRL, though I rename it to
x86_spec_ctl_priv and kill the other one. Also, we should add a rdmsr to
get the initial reset value in case additional bits are defined later
(per our discussion the other night, Intel's docs are unclear there).
However I'm not making that change at this point - it's a later todo.

Jon.

-- 
Computer Architect | Sent from my Fedora powered laptop

[MODERATED] Re: GPZv4

[Jon Masters]

[-- Attachment #1.1: Type: text/plain, Size: 977 bytes --]

On 04/17/2018 11:44 PM, Jon Masters wrote:
> On 04/17/2018 10:48 PM, speck for Konrad Rzeszutek Wilk wrote:

>> 2). SBB vs MDD vs SBBD.
>>
>> MDD = Memory Disambiguation Disable
>> SBB = Speculative Store Bypass
>> SBBD = Speculative Store Bypass Disable
>>
>> Thomas likes 'MDD', Jon likes 'SBB', but he is also fine with 'SBBD'.
> 
> I'm refactoring your patches to recognize either "mdd" or "ssbd" (double
> s, not sbb :) ) on x86 and then other arches can target the latter one.

Attached the refactored set with all of my suggestions incorporated.
Lightly tested so far on a Coffeelake with updated microcode. Confirmed
that the settings are correct using rdmsr from userspace, etc. Will do
further testing (including some VMs) later today.

Do whatever you think is best Konrad and I'll followup to your next
official posting now that I'm on the list with any further feedback.

Jon.

-- 
Computer Architect | Sent from my Fedora powered laptop

[-- Attachment #1.2: mdd.v1.4.0.tgz --]
[-- Type: application/x-compressed-tar, Size: 8621 bytes --]

Re: GPZv4

[Thomas Gleixner]

On Tue, 17 Apr 2018, speck for Konrad Rzeszutek Wilk wrote:
> 2). SBB vs MDD vs SBBD.
> 
> MDD = Memory Disambiguation Disable
> SBB = Speculative Store Bypass
> SBBD = Speculative Store Bypass Disable
> 
> Thomas likes 'MDD', Jon likes 'SBB', but he is also fine with 'SBBD'.

I'm fine with SBBD as well. It's the same semantics as the other knobs as
it controls the mitigation.

> 3). Semantics of SBBD or MDD boot time knob. I followed the way spectre_v2 did it.
> 
> That is this is knob is to disable something and they are:
> 'auto' - follow what the platform recommends. This being linux upstream
>          discussion means following:
> 		on AMD - enable memory disambiguation.
> 		on Intel - no clue. For testing purposes I've left it
>                            as disable memory disambiguation.
> 
> 'off' - ignore what the vendor/distro recommends.
> 'force' - disable it, even if the platform says enable it (like on AMD).

'on' is what spectre_v2 uses.

> And then two more to figure out when to apply the security glue:
> 'boot' or 'userspace'.
> 
> This ties in to 1) - that is if we are not going to provide a 'userspace'
> option then there is no need to even provide the 'boot' option
> so then this sub-discussion becomes moot.
> 
> Thomas (and Linus if you are skulking in the background) - you are the
> top-dog(s) here, can you give the guidance please so I can redo the
> patches on Thursday/Friday?

Linus is not yet lurking. He'll be on the list soon and I'll replay the
discussion to him so he's on the same page.

So can we for now just start with the minimal set of auto, off, on and then
hash out the prctl or not question. The big hammer is the most important
piece we need to have ready for merging when the embargo is lifted.

> P.S.
> I know the AMD secret sauce bits and can do the patches for this, but
> are other folks authorized for this?

Groan. I do not know whether I am or not.

This needs to stop. At some point we need to queue and stage the damned
patches for both Intel and AMD. So AMD should get their act together and
clarify the situation. Borislav can you please reach out to AMD?

Thanks,

	tglx

[MODERATED] Re: GPZv4

[Jon Masters]

[-- Attachment #1: Type: text/plain, Size: 1868 bytes --]

On 04/18/2018 04:54 AM, speck for Thomas Gleixner wrote:
> On Tue, 17 Apr 2018, speck for Konrad Rzeszutek Wilk wrote:
>> 2). SBB vs MDD vs SBBD.
>>
>> MDD = Memory Disambiguation Disable
>> SBB = Speculative Store Bypass
>> SBBD = Speculative Store Bypass Disable
>>
>> Thomas likes 'MDD', Jon likes 'SBB', but he is also fine with 'SBBD'.
> 
> I'm fine with SBBD as well. It's the same semantics as the other knobs as
> it controls the mitigation.

Great. Might I recommend keeping what I sent to Konrad (both mdd and
ssbd recognized), but do whichever you like Konrad ;)

> So can we for now just start with the minimal set of auto, off, on and then
> hash out the prctl or not question. The big hammer is the most important
> piece we need to have ready for merging when the embargo is lifted.

I've sent the big hammer patches last night. Konrad's original set with
a few fixes, and just does "auto", "off", "on", and tested working ok.

>> P.S.
>> I know the AMD secret sauce bits and can do the patches for this, but
>> are other folks authorized for this?
> 
> Groan. I do not know whether I am or not.
> 
> This needs to stop. At some point we need to queue and stage the damned
> patches for both Intel and AMD. So AMD should get their act together and
> clarify the situation. Borislav can you please reach out to AMD?

The problem is the performance hit. Both Intel and AMD take a hit, but
AMD have a few mitigating circumstances that causes them to be more
alarmed by disabling MD by default on their silicon. Chiefly, it's that
AMD won't speculatively bypass a load against the same base pointer, so
they're not vulnerable to the stack attack or some of the worst of it.
They will want the prctl type solution with userspace fixes deployed.

Jon.

-- 
Computer Architect | Sent from my Fedora powered laptop

Re: GPZv4

[Thomas Gleixner]

On Wed, 18 Apr 2018, speck for Jon Masters wrote:
> On 04/18/2018 04:54 AM, speck for Thomas Gleixner wrote:
> > On Tue, 17 Apr 2018, speck for Konrad Rzeszutek Wilk wrote:
> >> 2). SBB vs MDD vs SBBD.
> >>
> >> MDD = Memory Disambiguation Disable
> >> SBB = Speculative Store Bypass
> >> SBBD = Speculative Store Bypass Disable
> >>
> >> Thomas likes 'MDD', Jon likes 'SBB', but he is also fine with 'SBBD'.
> > 
> > I'm fine with SBBD as well. It's the same semantics as the other knobs as
> > it controls the mitigation.
> 
> Great. Might I recommend keeping what I sent to Konrad (both mdd and
> ssbd recognized), but do whichever you like Konrad ;)
> 
> > So can we for now just start with the minimal set of auto, off, on and then
> > hash out the prctl or not question. The big hammer is the most important
> > piece we need to have ready for merging when the embargo is lifted.
> 
> I've sent the big hammer patches last night. Konrad's original set with
> a few fixes, and just does "auto", "off", "on", and tested working ok.

Can we please have proper mail submitted patches? These tarballs are a
PITA.

> >> P.S.
> >> I know the AMD secret sauce bits and can do the patches for this, but
> >> are other folks authorized for this?
> > 
> > Groan. I do not know whether I am or not.
> > 
> > This needs to stop. At some point we need to queue and stage the damned
> > patches for both Intel and AMD. So AMD should get their act together and
> > clarify the situation. Borislav can you please reach out to AMD?
> 
> The problem is the performance hit. Both Intel and AMD take a hit, but
> AMD have a few mitigating circumstances that causes them to be more
> alarmed by disabling MD by default on their silicon. Chiefly, it's that
> AMD won't speculatively bypass a load against the same base pointer, so
> they're not vulnerable to the stack attack or some of the worst of it.
> They will want the prctl type solution with userspace fixes deployed.

Again. This is not the I want a pony session. I think I made it entirely
clear how the procedure is:

1) Have working mitigation in place in the most simple way. That means the
   big on/off switch which comes with a big performance hit

2) Discuss the acceptance and the semantics of a prctl

3) If we agreed on #2, implement it and if #2 is dismissed then go out and
   have a drink.

It's really that simple and I'm tired of this managerial education attidute
which is coming in on every other mail. That's not helping at all and we
all know by now that there is a performance hit and interested parties want
to have a prctl of some sort to mitigate the performance hit.

So instead of repeating this like a mantra, can we please get a proper
description of the prctl semantics including a analysis of the security
implications and the potential downsides vs. bitrot and maintainability.

Thanks,

	tglx

[MODERATED] Re: GPZv4

[Jon Masters]

[-- Attachment #1: Type: text/plain, Size: 1348 bytes --]

On 04/18/2018 10:04 AM, speck for Thomas Gleixner wrote:
> On Wed, 18 Apr 2018, speck for Jon Masters wrote:
>> On 04/18/2018 04:54 AM, speck for Thomas Gleixner wrote:
>>> On Tue, 17 Apr 2018, speck for Konrad Rzeszutek Wilk wrote:
>>>> 2). SBB vs MDD vs SBBD.
>>>>
>>>> MDD = Memory Disambiguation Disable
>>>> SBB = Speculative Store Bypass
>>>> SBBD = Speculative Store Bypass Disable
>>>>
>>>> Thomas likes 'MDD', Jon likes 'SBB', but he is also fine with 'SBBD'.
>>>
>>> I'm fine with SBBD as well. It's the same semantics as the other knobs as
>>> it controls the mitigation.
>>
>> Great. Might I recommend keeping what I sent to Konrad (both mdd and
>> ssbd recognized), but do whichever you like Konrad ;)
>>
>>> So can we for now just start with the minimal set of auto, off, on and then
>>> hash out the prctl or not question. The big hammer is the most important
>>> piece we need to have ready for merging when the embargo is lifted.
>>
>> I've sent the big hammer patches last night. Konrad's original set with
>> a few fixes, and just does "auto", "off", "on", and tested working ok.
> 
> Can we please have proper mail submitted patches? These tarballs are a
> PITA.

Leaving the ball with Konrad to review/post when he's happy.

Jon.

-- 
Computer Architect | Sent from my Fedora powered laptop

[MODERATED] Re: GPZv4

[Konrad Rzeszutek Wilk]

On Wed, Apr 18, 2018 at 10:07:44AM -0400, speck for Jon Masters wrote:
> On 04/18/2018 10:04 AM, speck for Thomas Gleixner wrote:
> > On Wed, 18 Apr 2018, speck for Jon Masters wrote:
> >> On 04/18/2018 04:54 AM, speck for Thomas Gleixner wrote:
> >>> On Tue, 17 Apr 2018, speck for Konrad Rzeszutek Wilk wrote:
> >>>> 2). SBB vs MDD vs SBBD.
> >>>>
> >>>> MDD = Memory Disambiguation Disable
> >>>> SBB = Speculative Store Bypass
> >>>> SBBD = Speculative Store Bypass Disable
> >>>>
> >>>> Thomas likes 'MDD', Jon likes 'SBB', but he is also fine with 'SBBD'.
> >>>
> >>> I'm fine with SBBD as well. It's the same semantics as the other knobs as
> >>> it controls the mitigation.
> >>
> >> Great. Might I recommend keeping what I sent to Konrad (both mdd and
> >> ssbd recognized), but do whichever you like Konrad ;)
> >>
> >>> So can we for now just start with the minimal set of auto, off, on and then
> >>> hash out the prctl or not question. The big hammer is the most important
> >>> piece we need to have ready for merging when the embargo is lifted.
> >>
> >> I've sent the big hammer patches last night. Konrad's original set with
> >> a few fixes, and just does "auto", "off", "on", and tested working ok.
> > 
> > Can we please have proper mail submitted patches? These tarballs are a
> > PITA.
> 
> Leaving the ball with Konrad to review/post when he's happy.

Sure thing. Will crank on them tonight/tomorrow morning. And tomorrow
night or Friday folks can rip in them.

Will post them as v2!

[MODERATED] Re: GPZv4

[Jon Masters]

[-- Attachment #1: Type: text/plain, Size: 2462 bytes --]

On 04/18/2018 10:52 AM, speck for Konrad Rzeszutek Wilk wrote:
> On Wed, Apr 18, 2018 at 10:07:44AM -0400, speck for Jon Masters wrote:
>> On 04/18/2018 10:04 AM, speck for Thomas Gleixner wrote:
>>> On Wed, 18 Apr 2018, speck for Jon Masters wrote:
>>>> On 04/18/2018 04:54 AM, speck for Thomas Gleixner wrote:
>>>>> On Tue, 17 Apr 2018, speck for Konrad Rzeszutek Wilk wrote:
>>>>>> 2). SBB vs MDD vs SBBD.
>>>>>>
>>>>>> MDD = Memory Disambiguation Disable
>>>>>> SBB = Speculative Store Bypass
>>>>>> SBBD = Speculative Store Bypass Disable
>>>>>>
>>>>>> Thomas likes 'MDD', Jon likes 'SBB', but he is also fine with 'SBBD'.
>>>>>
>>>>> I'm fine with SBBD as well. It's the same semantics as the other knobs as
>>>>> it controls the mitigation.
>>>>
>>>> Great. Might I recommend keeping what I sent to Konrad (both mdd and
>>>> ssbd recognized), but do whichever you like Konrad ;)
>>>>
>>>>> So can we for now just start with the minimal set of auto, off, on and then
>>>>> hash out the prctl or not question. The big hammer is the most important
>>>>> piece we need to have ready for merging when the embargo is lifted.
>>>>
>>>> I've sent the big hammer patches last night. Konrad's original set with
>>>> a few fixes, and just does "auto", "off", "on", and tested working ok.
>>>
>>> Can we please have proper mail submitted patches? These tarballs are a
>>> PITA.
>>
>> Leaving the ball with Konrad to review/post when he's happy.
> 
> Sure thing. Will crank on them tonight/tomorrow morning. And tomorrow
> night or Friday folks can rip in them.
> 
> Will post them as v2!

Great. Paolo is pondering the KVM side of things some more - we just
synced up on a few concerns I've got around exposing SPEC_CTRL. Due to
how Intel did this for guests, of course a guest can be started with MD
set but then whack it because it's not aware of that bit. From a Linux
PoV this is why I suggested a todo (feel free to incorporate if you
like) that x86_spec_ctrl_base be initially set at boot with an rdmsr.
Then we'd at least preserve additional new bits that are added later.

For other OSes, it might be we end up with a trapping solution for those
who want to be able to override a guest's view of MD if Intel can't be
persuaded to make MD lockable or something (as Paolo said, shadowing is
probably overkill/not possible at this point).

Jon.

-- 
Computer Architect | Sent from my Fedora powered laptop

[MODERATED] Re: GPZv4

[Konrad Rzeszutek Wilk]

On Wed, Apr 18, 2018 at 11:02:35AM -0400, speck for Jon Masters wrote:
> On 04/18/2018 10:52 AM, speck for Konrad Rzeszutek Wilk wrote:
> > On Wed, Apr 18, 2018 at 10:07:44AM -0400, speck for Jon Masters wrote:
> >> On 04/18/2018 10:04 AM, speck for Thomas Gleixner wrote:
> >>> On Wed, 18 Apr 2018, speck for Jon Masters wrote:
> >>>> On 04/18/2018 04:54 AM, speck for Thomas Gleixner wrote:
> >>>>> On Tue, 17 Apr 2018, speck for Konrad Rzeszutek Wilk wrote:
> >>>>>> 2). SBB vs MDD vs SBBD.
> >>>>>>
> >>>>>> MDD = Memory Disambiguation Disable
> >>>>>> SBB = Speculative Store Bypass
> >>>>>> SBBD = Speculative Store Bypass Disable
> >>>>>>
> >>>>>> Thomas likes 'MDD', Jon likes 'SBB', but he is also fine with 'SBBD'.
> >>>>>
> >>>>> I'm fine with SBBD as well. It's the same semantics as the other knobs as
> >>>>> it controls the mitigation.
> >>>>
> >>>> Great. Might I recommend keeping what I sent to Konrad (both mdd and
> >>>> ssbd recognized), but do whichever you like Konrad ;)
> >>>>
> >>>>> So can we for now just start with the minimal set of auto, off, on and then
> >>>>> hash out the prctl or not question. The big hammer is the most important
> >>>>> piece we need to have ready for merging when the embargo is lifted.
> >>>>
> >>>> I've sent the big hammer patches last night. Konrad's original set with
> >>>> a few fixes, and just does "auto", "off", "on", and tested working ok.
> >>>
> >>> Can we please have proper mail submitted patches? These tarballs are a
> >>> PITA.
> >>
> >> Leaving the ball with Konrad to review/post when he's happy.
> > 
> > Sure thing. Will crank on them tonight/tomorrow morning. And tomorrow
> > night or Friday folks can rip in them.
> > 
> > Will post them as v2!
> 
> Great. Paolo is pondering the KVM side of things some more - we just
> synced up on a few concerns I've got around exposing SPEC_CTRL. Due to
> how Intel did this for guests, of course a guest can be started with MD
> set but then whack it because it's not aware of that bit. From a Linux

Exactly. One of the patches takes care of that. It worked for me
correctly, but I always appreciate more folks eye-balling it.

> PoV this is why I suggested a todo (feel free to incorporate if you
> like) that x86_spec_ctrl_base be initially set at boot with an rdmsr.
> Then we'd at least preserve additional new bits that are added later.

Right. And we can mask it.
> 
> For other OSes, it might be we end up with a trapping solution for those
> who want to be able to override a guest's view of MD if Intel can't be
> persuaded to make MD lockable or something (as Paolo said, shadowing is
> probably overkill/not possible at this point).

But having an 'ignore these XYZ guest bitfields' would be good. Thank
you for poking Intel on this.
> 
> Jon.
> 
> -- 
> Computer Architect | Sent from my Fedora powered laptop
> 

[MODERATED] Re: GPZv4

[Jon Masters]

[-- Attachment #1: Type: text/plain, Size: 3224 bytes --]

On 04/18/2018 05:12 PM, speck for Konrad Rzeszutek Wilk wrote:
> On Wed, Apr 18, 2018 at 11:02:35AM -0400, speck for Jon Masters wrote:
>> On 04/18/2018 10:52 AM, speck for Konrad Rzeszutek Wilk wrote:
>>> On Wed, Apr 18, 2018 at 10:07:44AM -0400, speck for Jon Masters wrote:
>>>> On 04/18/2018 10:04 AM, speck for Thomas Gleixner wrote:
>>>>> On Wed, 18 Apr 2018, speck for Jon Masters wrote:
>>>>>> On 04/18/2018 04:54 AM, speck for Thomas Gleixner wrote:
>>>>>>> On Tue, 17 Apr 2018, speck for Konrad Rzeszutek Wilk wrote:
>>>>>>>> 2). SBB vs MDD vs SBBD.
>>>>>>>>
>>>>>>>> MDD = Memory Disambiguation Disable
>>>>>>>> SBB = Speculative Store Bypass
>>>>>>>> SBBD = Speculative Store Bypass Disable
>>>>>>>>
>>>>>>>> Thomas likes 'MDD', Jon likes 'SBB', but he is also fine with 'SBBD'.
>>>>>>>
>>>>>>> I'm fine with SBBD as well. It's the same semantics as the other knobs as
>>>>>>> it controls the mitigation.
>>>>>>
>>>>>> Great. Might I recommend keeping what I sent to Konrad (both mdd and
>>>>>> ssbd recognized), but do whichever you like Konrad ;)
>>>>>>
>>>>>>> So can we for now just start with the minimal set of auto, off, on and then
>>>>>>> hash out the prctl or not question. The big hammer is the most important
>>>>>>> piece we need to have ready for merging when the embargo is lifted.
>>>>>>
>>>>>> I've sent the big hammer patches last night. Konrad's original set with
>>>>>> a few fixes, and just does "auto", "off", "on", and tested working ok.
>>>>>
>>>>> Can we please have proper mail submitted patches? These tarballs are a
>>>>> PITA.
>>>>
>>>> Leaving the ball with Konrad to review/post when he's happy.
>>>
>>> Sure thing. Will crank on them tonight/tomorrow morning. And tomorrow
>>> night or Friday folks can rip in them.
>>>
>>> Will post them as v2!
>>
>> Great. Paolo is pondering the KVM side of things some more - we just
>> synced up on a few concerns I've got around exposing SPEC_CTRL. Due to
>> how Intel did this for guests, of course a guest can be started with MD
>> set but then whack it because it's not aware of that bit. From a Linux
> 
> Exactly. One of the patches takes care of that. It worked for me
> correctly, but I always appreciate more folks eye-balling it.
> 
>> PoV this is why I suggested a todo (feel free to incorporate if you
>> like) that x86_spec_ctrl_base be initially set at boot with an rdmsr.
>> Then we'd at least preserve additional new bits that are added later.
> 
> Right. And we can mask it.
>>
>> For other OSes, it might be we end up with a trapping solution for those
>> who want to be able to override a guest's view of MD if Intel can't be
>> persuaded to make MD lockable or something (as Paolo said, shadowing is
>> probably overkill/not possible at this point).
> 
> But having an 'ignore these XYZ guest bitfields' would be good. Thank
> you for poking Intel on this.

You're welcome :)

Btw, do you want me to post my broken out patches from the gzip for
discussion purposes, or wait for you to followup? I'm in NYC tonight
meeting up with Andrea and we'll probably also ponder more on this.

Jon.

-- 
Computer Architect | Sent from my Fedora powered laptop

[MODERATED] Re: GPZv4

[Jon Masters]

[-- Attachment #1: Type: text/plain, Size: 2706 bytes --]

On 04/17/2018 05:22 PM, speck for Thomas Gleixner wrote:
> On Tue, 17 Apr 2018, speck for Jon Masters wrote:
>> So we need to close on the following urgently:
>>
>> 1). What are we going to refer to this as?
>> 	- MDD
>> 	- SSB
>> 	- something else?
>> 
>> In the case of "MDD" it's x86 specific and "enabling" it means you
>> disable a feature (MD). To me, that seems to be inverted logic. You
>> would set it to "on", "off", or "kernel" (MD only in userspace).
> 
> No it's not inverted logic. It's the same logic as kpti= and spectre_v2=
> and we are not going to make this one the other way round just because.
> 
> So we need a acronym for it, which fits the problem. Either use the code
> name for this thing like we did with spectre or 'mdd' which describes it
> really well.

Ok, how about "ssbd" for the generic term then? And you can have "mdd"
be a synonym on x86 if you like? So we would have "Speculative Store
Bypass Disable" with the same options as currently in Konrad's patch.
Let's just agree on something now so that the other arches can follow
(e.g. IBM POWER folks say they are waiting to hear what they should use)

>> 2). We need a prctl option for a task to request behavior for SSB. One
>> option could be a new PR_SET_MITIGATION where we then have minor
>> parameters for additional mitigations that are required later.
> 
> And we need ponies.....
> 
> Seriously. We do the simple 'xxx=' command line option now and have that
> ready ASAP in case the embargo ends early.

Agree strongly. We should first simplify Konrad's patches to just do the
big hammer without trying to do per-entry/exit frobbing. I am looking at
that currently and will ping Konrad with some feedback in a few hours.

> The prctl is an optimization which can be done afterwards and we first need
> to agree whether we want it at all. I'm not too fond of yet another
> conditional branch in the entry/exit code. The code patching there is
> already bad enough. If we keep up adding this crap at that rate then we
> have sooner than later more NOOPs and conditionals than actual code.

However, I've a concern with the above. If you want to be able to run
with MD enabled in userspace by default then you'll soon need a way to
turn it off that isn't global. And folks working on patches are going to
ask for something that can be used from userspace for pre-embargo lift
patches, e.g. in OpenJDK. A prctl can't be added that isn't agreed, and
this all takes time to stage, so it would be better to agree soon prior
to the planned embargo lift, but it's fine if after the big hammer.

Jon.

-- 
Computer Architect | Sent from my Fedora powered laptop