From mboxrd@z Thu Jan  1 00:00:00 1970
Return-path: <mingo.kernel.org@gmail.com>
Received: from mail-wr0-x229.google.com ([2a00:1450:400c:c0c::229])
	by Galois.linutronix.de with esmtps (TLS1.2:RSA_AES_128_CBC_SHA1:128)
	(Exim 4.80)
	(envelope-from <mingo.kernel.org@gmail.com>)
	id 1fE7GX-0001Ee-MF
	for speck@linutronix.de; Thu, 03 May 2018 07:58:53 +0200
Received: by mail-wr0-x229.google.com with SMTP id g21-v6so16196189wrb.8
        for <speck@linutronix.de>; Wed, 02 May 2018 22:58:53 -0700 (PDT)
Received: from gmail.com (2E8B0CD5.catv.pool.telekom.hu. [46.139.12.213])
        by smtp.gmail.com with ESMTPSA id
 o53-v6sm14680319wrc.96.2018.05.02.22.58.46        for <speck@linutronix.de>
        (version=TLS1_2 cipher=ECDHE-RSA-CHACHA20-POLY1305 bits=256/256);
        Wed, 02 May 2018 22:58:46 -0700 (PDT)
Sender: Ingo Molnar <mingo.kernel.org@gmail.com>
Date: Thu, 3 May 2018 07:58:44 +0200
From: Ingo Molnar <mingo@kernel.org>
Subject: [MODERATED] Re: SBB V10 Bundle
Message-ID: <20180503055844.mbb5x6uoiu2dy5ri@gmail.com>
References: <alpine.DEB.2.21.1805020051330.1596@nanos.tec.linutronix.de>
 <20180502120716.ohnwlckp7qi7njs3@gmail.com>
 <alpine.DEB.2.21.1805021508230.1560@nanos.tec.linutronix.de>
MIME-Version: 1.0
In-Reply-To: <alpine.DEB.2.21.1805021508230.1560@nanos.tec.linutronix.de>
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
To: speck@linutronix.de
List-ID: <speck.linutronix.de>


* speck for Thomas Gleixner <speck@linutronix.de> wrote:

> > Another question is:
> > 
> > +static int ssb_prctl_set(unsigned long ctrl)
> > +{
> > +       bool rds = !!test_tsk_thread_flag(current, TIF_RDS);
> > +
> > +       if (ssb_mode != SPEC_STORE_BYPASS_PRCTL)
> > +               return -ENXIO;
> > 
> > This might be overly permissive in the 'auto' case which defaulted to 'on', where 
> > an application might still want to disable it for good reasons?
> 
> Permissive? Its restrictive.

I mean when 'auto' set it to 'off', i.e. turned off mitigation. (Darn all the 
negatives ...)

> Also the default is 'prctl' now and I don't think that you want applications
> let override the admin decision, which might be 'on' == global mitigation or
> 'off' == 'no mitigation at all'.

Sure, explicit 'on' and 'off' is an admin choice - but 'auto' isn't really: it's 
the admin saying "whatever you think is right".

> So when the mitigation mode is 'prctl' which is the default then
> applications can fiddle with it. If the admin decided global on or off then
> it's rightfully rejected.
> 
> Hmm?

Correct, the only question is when 'auto' decides 'off' and app uses the prctl().

Do we even care, or do we think if the kernel thinks 'off' is correct then it 
should be forced?

I'd be fine with "we don't care" if "prctl" is the expected distro default.

Thanks,

	Ingo