From: "Schaufler, Casey" <casey.schaufler@intel.com>
To: Tim Chen <tim.c.chen@linux.intel.com>,
Jiri Kosina <jikos@kernel.org>,
Thomas Gleixner <tglx@linutronix.de>
Cc: Tom Lendacky <thomas.lendacky@amd.com>,
Ingo Molnar <mingo@redhat.com>,
Peter Zijlstra <peterz@infradead.org>,
Josh Poimboeuf <jpoimboe@redhat.com>,
Andrea Arcangeli <aarcange@redhat.com>,
David Woodhouse <dwmw@amazon.co.uk>,
Andi Kleen <ak@linux.intel.com>,
"Hansen, Dave" <dave.hansen@intel.com>,
"Mallick, Asit K" <asit.k.mallick@intel.com>,
Arjan van de Ven <arjan@linux.intel.com>,
Jon Masters <jcm@redhat.com>, Waiman Long <longman9394@gmail.com>,
"linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>,
"x86@kernel.org" <x86@kernel.org>,
"Schaufler, Casey" <casey.schaufler@intel.com>
Subject: RE: [Patch v4 16/18] x86/speculation: Enable STIBP to protect security sensitive tasks
Date: Tue, 30 Oct 2018 22:02:44 +0000 [thread overview]
Message-ID: <99FC4B6EFCEFD44486C35F4C281DC6732148DD1C@ORSMSX110.amr.corp.intel.com> (raw)
In-Reply-To: <5793bddc-cd09-eebb-bc0c-51c9b3aca0c1@linux.intel.com>
> -----Original Message-----
> From: Tim Chen [mailto:tim.c.chen@linux.intel.com]
> Sent: Tuesday, October 30, 2018 2:35 PM
> To: Schaufler, Casey <casey.schaufler@intel.com>; Jiri Kosina
> <jikos@kernel.org>; Thomas Gleixner <tglx@linutronix.de>
> Cc: Tom Lendacky <thomas.lendacky@amd.com>; Ingo Molnar
> <mingo@redhat.com>; Peter Zijlstra <peterz@infradead.org>; Josh Poimboeuf
> <jpoimboe@redhat.com>; Andrea Arcangeli <aarcange@redhat.com>; David
> Woodhouse <dwmw@amazon.co.uk>; Andi Kleen <ak@linux.intel.com>;
> Hansen, Dave <dave.hansen@intel.com>; Mallick, Asit K
> <asit.k.mallick@intel.com>; Arjan van de Ven <arjan@linux.intel.com>; Jon
> Masters <jcm@redhat.com>; Waiman Long <longman9394@gmail.com>;
> linux-kernel@vger.kernel.org; x86@kernel.org
> Subject: Re: [Patch v4 16/18] x86/speculation: Enable STIBP to protect security
> sensitive tasks
>
> On 10/30/2018 02:07 PM, Schaufler, Casey wrote:
> >> -----Original Message-----
> >> From: Tim Chen [mailto:tim.c.chen@linux.intel.com]
> >> Sent: Tuesday, October 30, 2018 11:49 AM
> >> To: Jiri Kosina <jikos@kernel.org>; Thomas Gleixner <tglx@linutronix.de>
> >> Cc: Tim Chen <tim.c.chen@linux.intel.com>; Tom Lendacky
> >> <thomas.lendacky@amd.com>; Ingo Molnar <mingo@redhat.com>; Peter
> >> Zijlstra <peterz@infradead.org>; Josh Poimboeuf <jpoimboe@redhat.com>;
> >> Andrea Arcangeli <aarcange@redhat.com>; David Woodhouse
> >> <dwmw@amazon.co.uk>; Andi Kleen <ak@linux.intel.com>; Hansen, Dave
> >> <dave.hansen@intel.com>; Schaufler, Casey <casey.schaufler@intel.com>;
> >> Mallick, Asit K <asit.k.mallick@intel.com>; Arjan van de Ven
> >> <arjan@linux.intel.com>; Jon Masters <jcm@redhat.com>; Waiman Long
> >> <longman9394@gmail.com>; linux-kernel@vger.kernel.org; x86@kernel.org
> >> Subject: [Patch v4 16/18] x86/speculation: Enable STIBP to protect security
> >> sensitive tasks
> >>
> >> Enable STIBP defense on high security tasks.
> >>
> >> For normal tasks, STIBP is unused so they are not impacted by overhead
> >> from STIBP in lite protection mode.
> >>
> >> Signed-off-by: Tim Chen <tim.c.chen@linux.intel.com>
> >> ---
> >> arch/x86/kernel/cpu/bugs.c | 33 +++++++++++++++++++++++++++++++++
> >> 1 file changed, 33 insertions(+)
> >>
> >> diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c
> >> index 54f4675..b402b96 100644
> >> --- a/arch/x86/kernel/cpu/bugs.c
> >> +++ b/arch/x86/kernel/cpu/bugs.c
> >> @@ -14,6 +14,8 @@
> >> #include <linux/module.h>
> >> #include <linux/nospec.h>
> >> #include <linux/prctl.h>
> >> +#include <linux/sched/coredump.h>
> >> +#include <linux/security.h>
> >>
> >> #include <asm/spec-ctrl.h>
> >> #include <asm/cmdline.h>
> >> @@ -770,6 +772,37 @@ static int ssb_prctl_set(struct task_struct *task,
> >> unsigned long ctrl)
> >> return 0;
> >> }
> >>
> >> +static void set_task_stibp(struct task_struct *tsk, bool stibp_on)
> >> +{
> >> + bool update = false;
> >> +
> >> + if (!static_branch_unlikely(&spectre_v2_app_lite))
> >> + return;
> >> +
> >> + if (stibp_on)
> >> + update = !test_and_set_tsk_thread_flag(tsk, TIF_STIBP);
> >> + else
> >> + update = test_and_clear_tsk_thread_flag(tsk, TIF_STIBP);
> >> +
> >> + if (!update)
> >> + return;
> >> +
> >> + if (tsk == current)
> >> + speculation_ctrl_update_current();
> >> +}
> >> +
> >> +void arch_set_security(struct task_struct *tsk, unsigned int value)
> >
> > In this context "security" isn't descriptive. arch_set_stibp_defenses()
> > would be better.
>
> A more generic name decoupled from STIBP will be preferable. There
> can other kind of security defenses to be erected in
> the future.
>
> Perhaps arch_set_mitigation?
Better. On the other hand, adding function call layers just in case leads
to cascades of functions that do nothing but call other functions, and that
makes code hard to understand. I would leave generalization for the 2nd
person who wants to add mitigations.
>
> Thanks.
>
> Tim
>
> >
> > Since "value" should only ever have one of two values, and those
> > map directly to "true" or "false" this should be a bool, making the
> > code trivial:
> >
> > void arch_set_stibp_defenses(struct task_struct *task, bool stibp)
> > {
> > set_task_stibp(task, stibp);
> > }
> >
> > Or perhaps arch_set_security() should go away, and the calling
> > code would call set_task_stibp() directly. Unless there is some compelling
> > reason for the abstractions.
> >
> >> +{
> >> + if (value > SECURITY_HIGH)
> >> + return;
> >> +
> >> + /* Update STIBP defenses */
> >> + if (value == SECURITY_HIGH)
> >> + set_task_stibp(tsk, true);
> >> + else
> >> + set_task_stibp(tsk, false);
> >> +}
> >> +
> >> int arch_prctl_spec_ctrl_set(struct task_struct *task, unsigned long which,
> >> unsigned long ctrl)
> >> {
> >> --
> >> 2.9.4
> >
next prev parent reply other threads:[~2018-10-30 22:02 UTC|newest]
Thread overview: 43+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-10-30 18:49 [Patch v4 00/18] Provide process property based options to enable Spectre v2 userspace-userspace protection* Tim Chen
2018-10-30 18:49 ` [Patch v4 01/18] x86/speculation: Clean up spectre_v2_parse_cmdline() Tim Chen
2018-10-30 18:49 ` [Patch v4 02/18] x86/speculation: Remove unnecessary ret variable in cpu_show_common() Tim Chen
2018-10-30 18:49 ` [Patch v4 03/18] x86/speculation: Reorganize cpu_show_common() Tim Chen
2018-11-03 18:07 ` Thomas Gleixner
2018-11-05 19:12 ` Tim Chen
2018-11-05 19:17 ` Thomas Gleixner
2018-10-30 18:49 ` [Patch v4 04/18] x86/speculation: Add X86_FEATURE_USE_IBRS_ENHANCED Tim Chen
2018-10-30 18:49 ` [Patch v4 05/18] x86/speculation: Disable STIBP when enhanced IBRS is in use Tim Chen
2018-10-30 18:49 ` [Patch v4 06/18] smt: Create cpu_smt_enabled static key for SMT specific code Tim Chen
2018-10-30 18:49 ` [Patch v4 07/18] x86/smt: Convert cpu_smt_control check to cpu_smt_enabled static key Tim Chen
2018-11-03 18:29 ` Thomas Gleixner
2018-11-08 1:43 ` Tim Chen
2018-11-08 11:18 ` Thomas Gleixner
2018-10-30 18:49 ` [Patch v4 08/18] sched: Deprecate sched_smt_present and use " Tim Chen
2018-11-03 18:20 ` Thomas Gleixner
2018-11-09 22:08 ` Tim Chen
2018-10-30 18:49 ` [Patch v4 09/18] x86/speculation: Rename SSBD update functions Tim Chen
2018-10-30 18:49 ` [Patch v4 10/18] x86/speculation: Reorganize speculation control MSRs update Tim Chen
2018-10-30 18:49 ` [Patch v4 11/18] x86/speculation: Update comment on TIF_SSBD Tim Chen
2018-10-30 18:49 ` [Patch v4 12/18] x86: Group thread info flags by functionality Tim Chen
2018-10-30 18:49 ` [Patch v4 13/18] security: Update security level of a process when modifying its dumpability Tim Chen
2018-10-30 20:57 ` Schaufler, Casey
2018-10-30 21:30 ` Tim Chen
2018-10-30 21:53 ` Schaufler, Casey
2018-10-30 18:49 ` [Patch v4 14/18] x86/speculation: Turn on or off STIBP according to a task's TIF_STIBP Tim Chen
2018-10-30 18:49 ` [Patch v4 15/18] x86/speculation: Add Spectre v2 app to app protection modes Tim Chen
2018-10-30 18:49 ` [Patch v4 16/18] x86/speculation: Enable STIBP to protect security sensitive tasks Tim Chen
2018-10-30 21:07 ` Schaufler, Casey
2018-10-30 21:34 ` Tim Chen
2018-10-30 22:02 ` Schaufler, Casey [this message]
2018-10-30 18:49 ` [Patch v4 17/18] x86/speculation: Update SPEC_CTRL MSRs of remote CPUs Tim Chen
2018-11-04 19:49 ` Thomas Gleixner
2018-11-05 22:02 ` Tim Chen
2018-11-05 23:04 ` Thomas Gleixner
2018-11-05 23:59 ` Tim Chen
2018-11-06 7:46 ` Thomas Gleixner
2018-11-07 0:18 ` Tim Chen
2018-11-07 18:33 ` Waiman Long
2018-11-07 23:15 ` Tim Chen
2018-11-07 23:03 ` Thomas Gleixner
2018-11-08 0:22 ` Tim Chen
2018-10-30 18:49 ` [Patch v4 18/18] x86/speculation: Create PRCTL interface to restrict indirect branch speculation Tim Chen
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=99FC4B6EFCEFD44486C35F4C281DC6732148DD1C@ORSMSX110.amr.corp.intel.com \
--to=casey.schaufler@intel.com \
--cc=aarcange@redhat.com \
--cc=ak@linux.intel.com \
--cc=arjan@linux.intel.com \
--cc=asit.k.mallick@intel.com \
--cc=dave.hansen@intel.com \
--cc=dwmw@amazon.co.uk \
--cc=jcm@redhat.com \
--cc=jikos@kernel.org \
--cc=jpoimboe@redhat.com \
--cc=linux-kernel@vger.kernel.org \
--cc=longman9394@gmail.com \
--cc=mingo@redhat.com \
--cc=peterz@infradead.org \
--cc=tglx@linutronix.de \
--cc=thomas.lendacky@amd.com \
--cc=tim.c.chen@linux.intel.com \
--cc=x86@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.