From: Jon Masters <jcm@redhat.com>
To: Tim Chen <tim.c.chen@linux.intel.com>,
Thomas Gleixner <tglx@linutronix.de>
Cc: Alexei Starovoitov <alexei.starovoitov@gmail.com>,
Jonathan Corbet <corbet@lwn.net>,
Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
Ben Greear <greearb@candelatech.com>,
stable@vger.kernel.org, Andi Kleen <ak@linux.intel.com>,
Dave Hansen <dave.hansen@intel.com>,
Jun Nakajima <jun.nakajima@intel.com>,
Jiri Kosina <jikos@kernel.org>,
Linus Torvalds <torvalds@linux-foundation.org>,
Tom Lendacky <thomas.lendacky@amd.com>,
Ingo Molnar <mingo@redhat.com>,
Peter Zijlstra <peterz@infradead.org>,
Josh Poimboeuf <jpoimboe@redhat.com>,
Andrea Arcangeli <aarcange@redhat.com>,
David Woodhouse <dwmw@amazon.co.uk>,
Asit Mallick <asit.k.mallick@intel.com>,
Arjan van de Ven <arjan@linux.intel.com>,
Waiman Long <longman9394@gmail.com>,
Borislav Petkov <bp@alien8.de>,
Mark Gross <mgross@linux.intel.com>,
LKML <linux-kernel@vger.kernel.org>,
x86@kernel.org
Subject: Re: [PATCH v3] Documentation: Add section about CPU vulnerabilities for Spectre
Date: Mon, 17 Jun 2019 16:22:19 -0400 [thread overview]
Message-ID: <5ff842bb-e0b8-c4aa-134d-32c9d838a162@redhat.com> (raw)
In-Reply-To: <c63945d34bfc9df2412f813d0b9b3a321a65de5d.1560795378.git.tim.c.chen@linux.intel.com>
Hi Tim,
Nice writeup. A few suggestions inline.
On 6/17/19 3:11 PM, Tim Chen wrote:
> +In Spectre variant 2 attacks, the attacker can steer speculative indirect
> +branches in the victim to gadget code by poisoning the branch target
> +buffer of a CPU used for predicting indirect branch addresses. Such
> +poisoning could be done by indirect branching into existing code, with the
> +address offset of the indirect branch under the attacker's control. Since
> +the branch prediction hardware does not fully disambiguate branch address
> +and uses the offset for prediction, this could cause privileged code's
> +indirect branch to jump to a gadget code with the same offset.
Maybe mention "on impacted hardware" (implied).
> +One other variant 2 attack vector is for the attacker to poison the
> +return stack buffer (RSB) [13] to cause speculative RET execution to go
> +to an gadget. An attacker's imbalanced CALL instructions might "poison"
> +entries in the return stack buffer which are later consumed by a victim's
> +RET instruction. This attack can be mitigated by flushing the return
> +stack buffer on context switch, or VM exit.
Maybe replace CALL and RET with generic equivalents or label as x86
examples.
> + For kernel code that has been identified where data pointers could
> + potentially be influenced for Spectre attacks, new "nospec" accessor
> + macros are used to prevent speculative loading of data.
Maybe explain that nospec (speculative clamping) relies on the absence
of value prediction in the masking (in current hardware). It may NOT
always be a safe approach in future hardware, where Spectre-v1 attacks
are likely to persist but hardware may speculate about the mask value.
> + On x86, a user process can protect itself against Spectre variant
> + 2 attacks by using the prctl() syscall to disable indirect branch
> + speculation for itself.
This is not x86 specific. The same prctl is wired up elsewhere also.
Jon.
--
Computer Architect | Sent with my Fedora powered laptop
next prev parent reply other threads:[~2019-06-17 20:22 UTC|newest]
Thread overview: 9+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-06-17 19:11 [PATCH v3] Documentation: Add section about CPU vulnerabilities for Spectre Tim Chen
2019-06-17 20:21 ` Thomas Gleixner
2019-06-17 20:23 ` Thomas Gleixner
2019-06-17 22:16 ` Jonathan Corbet
2019-06-17 23:22 ` Tim Chen
2019-06-17 20:22 ` Jon Masters [this message]
2019-06-17 20:30 ` Jon Masters
2019-06-18 20:05 ` Tim Chen
2019-06-18 20:33 ` Thomas Gleixner
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=5ff842bb-e0b8-c4aa-134d-32c9d838a162@redhat.com \
--to=jcm@redhat.com \
--cc=aarcange@redhat.com \
--cc=ak@linux.intel.com \
--cc=alexei.starovoitov@gmail.com \
--cc=arjan@linux.intel.com \
--cc=asit.k.mallick@intel.com \
--cc=bp@alien8.de \
--cc=corbet@lwn.net \
--cc=dave.hansen@intel.com \
--cc=dwmw@amazon.co.uk \
--cc=greearb@candelatech.com \
--cc=gregkh@linuxfoundation.org \
--cc=jikos@kernel.org \
--cc=jpoimboe@redhat.com \
--cc=jun.nakajima@intel.com \
--cc=linux-kernel@vger.kernel.org \
--cc=longman9394@gmail.com \
--cc=mgross@linux.intel.com \
--cc=mingo@redhat.com \
--cc=peterz@infradead.org \
--cc=stable@vger.kernel.org \
--cc=tglx@linutronix.de \
--cc=thomas.lendacky@amd.com \
--cc=tim.c.chen@linux.intel.com \
--cc=torvalds@linux-foundation.org \
--cc=x86@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.