Date: Sun, 6 May 2018 10:32:29 +0200 (CEST)
From: Thomas Gleixner
Subject: Re: [PATCH 3/5] SSB extra 1
To: speck@linutronix.de
References: <d4ffdf50f25bca207b3942fc4a390d2273487517.1525383411.git.dave.hansen@intel.com> <1bf0c44d-c972-2c2e-5d90-4f51b8f2c4c9@linux.intel.com> <20180504160408.GG75137@tassilo.jf.intel.com> <20180504162813.GH75137@tassilo.jf.intel.com> <30de6834-6580-4d88-f5f8-23d8fa8a4bad@linux.intel.com>

On Fri, 4 May 2018, speck for Thomas Gleixner wrote:
> Now let's look at EBPF. EBPF is also a nesting context.
>
> So, if EBPF runs in preemptible task context, then it sets a flag in the
> task 'ebf_speculation_disabled' and sets TIF_RDS, which means that on
> migration the normal switch_to() logic will take care of it. Obviously we
> need a per task storage for the prctl selected state. I already did this
> for the force disable thing. If EBPF re-enables then it uses the per task
> prctl state.
>
> If EBPF runs in soft or hardirq context then it can use the per cpu
> refcount. The above rules apply.

Following up the discussion on IRC:

- BPF runs also in NMI context, but that's not a real problem

- BPF programs can 'call' other BPF programs

  There are two forms: Regular calls which return to the caller and tail
  calls. Tail calls make the speculation control more complicated because
  the resulting disable/enable invocations become imbalanced.

So the counter does not work, but we can make BPF speculation control use a
simple boolean flag which denotes that speculation has been disabled.

The JIT or interpreter injects only the speculation_disable() call into the
BPF programs which are not trusted, but no speculation_enable() call.
speculation_enable() is called unconditionally at the BPF invocation wrapper
after the BPF execution terminates.

speculation_disable() notes the disabling per context (thread, softirq,
hardirq, nmi) and speculation_enable() checks the disabled bit for the
context and acts accordingly.

That means for trusted programs which do not disable speculation
speculation_enable() is a simple bit check and return. If in the call chain
of a BPF program speculation is disabled then it stays disabled until the
program returns.

Thoughts?

	tglx
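The following is an added user-space model of the two schemes discussed in the mail above; it is example code written for this page, not kernel code and not something from the speck thread. It simulates the MSR state with a global, invents a tiny `bpf_prog` struct with a `tail_call` pointer, and makes one assumption the mail does not spell out: that `speculation_enable()` in a nested context (e.g. NMI) must leave speculation disabled if an interrupted context's bit is still set. The program names, the `ctx` enumeration and all function bodies are illustrative.

```c
/*
 * Added example, not kernel code: model of the counter scheme (which the mail
 * says breaks with tail calls) versus the per-context boolean flag scheme.
 * hw_rds_bit stands in for the MSR write; everything else is an assumption
 * made for illustration.
 */
#include <stdbool.h>
#include <stdio.h>

/* Nesting contexts named in the mail: thread, softirq, hardirq, NMI. */
enum ctx { CTX_TASK, CTX_SOFTIRQ, CTX_HARDIRQ, CTX_NMI, CTX_MAX };

static bool hw_rds_bit;			/* true: store bypass speculation disabled */
static bool spec_disabled[CTX_MAX];	/* one "disabled" bit per context */

static void speculation_disable(enum ctx c)
{
	if (spec_disabled[c])
		return;			/* idempotent: a tail-call chain may hit it repeatedly */
	spec_disabled[c] = true;
	hw_rds_bit = true;		/* would be the MSR write in the kernel */
}

static void speculation_enable(enum ctx c)
{
	bool outer_still_disabled = false;
	int i;

	if (!spec_disabled[c])
		return;			/* trusted program: bit check and return */
	spec_disabled[c] = false;
	/* Assumption: do not re-enable for an interrupted context whose bit is set. */
	for (i = 0; i < CTX_MAX; i++)
		outer_still_disabled |= spec_disabled[i];
	hw_rds_bit = outer_still_disabled;
}

/* Minimal BPF program model: trusted or not, optionally tail-calling another. */
struct bpf_prog {
	bool trusted;
	const struct bpf_prog *tail_call;	/* NULL: returns normally */
};

/* Constructed sample chain: untrusted A tail-calls untrusted B. */
static const struct bpf_prog prog_b = { false, NULL };
static const struct bpf_prog prog_a = { false, &prog_b };
static const struct bpf_prog prog_trusted = { true, NULL };

/*
 * Counter scheme: the JIT injects +1 at entry and -1 at exit of every
 * untrusted program. A tail call jumps to the callee without returning,
 * so the caller's -1 never executes and the count is left non-zero.
 */
static int run_counter_scheme(const struct bpf_prog *p)
{
	int refcount = 0;

	for (;;) {
		if (!p->trusted)
			refcount++;		/* injected prologue */
		if (p->tail_call) {
			p = p->tail_call;	/* caller's epilogue is skipped */
			continue;
		}
		if (!p->trusted)
			refcount--;		/* injected epilogue, only on a real return */
		break;
	}
	return refcount;		/* non-zero: imbalanced, speculation stays off */
}

/*
 * Flag scheme from the mail: only speculation_disable() is injected; the
 * invocation wrapper calls speculation_enable() once after the chain ends.
 * Returns whether speculation was disabled while the chain ran.
 */
static bool run_flag_scheme(const struct bpf_prog *p, enum ctx c)
{
	bool disabled;

	for (;;) {
		if (!p->trusted)
			speculation_disable(c);	/* injected prologue only */
		if (p->tail_call) {
			p = p->tail_call;
			continue;
		}
		break;
	}
	disabled = spec_disabled[c];
	speculation_enable(c);		/* wrapper: unconditional */
	return disabled;
}

/*
 * Nesting check: an untrusted softirq program has disabled speculation when
 * an NMI runs another untrusted program. True if the NMI wrapper left
 * speculation disabled for the softirq and the softirq wrapper restored it.
 */
static bool nested_nmi_scenario(void)
{
	bool still_off, restored;

	speculation_disable(CTX_SOFTIRQ);	/* softirq program's injected prologue */
	run_flag_scheme(&prog_b, CTX_NMI);	/* NMI nests in and completes */
	still_off = hw_rds_bit;
	speculation_enable(CTX_SOFTIRQ);	/* softirq invocation wrapper */
	restored = !hw_rds_bit;
	return still_off && restored;
}

int main(void)
{
	int left = run_counter_scheme(&prog_a);
	bool was_off = run_flag_scheme(&prog_a, CTX_TASK);
	bool hw_after = hw_rds_bit;

	printf("counter scheme, A->B tail call: refcount left at %d\n", left);
	printf("flag scheme, A->B: disabled during run=%d, hw after wrapper=%d\n",
	       was_off, hw_after);
	printf("nested NMI scenario ok: %d\n", nested_nmi_scenario());
	return 0;
}
```

The point of the model is the contrast in the two run functions: with the counter, the tail call from A to B skips A's injected decrement and leaves the count at 1; with the flag, repeated disables in the chain are harmless and the single unconditional enable in the wrapper restores the state, while a trusted program costs only the bit check.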