From: Marc Zyngier <marc.zyngier@arm.com>
To: Will Deacon <will.deacon@arm.com>
Cc: Mark Rutland <mark.rutland@arm.com>,
linux-arm-kernel@lists.infradead.org,
linux-kernel@vger.kernel.org, kvmarm@lists.cs.columbia.edu,
Kees Cook <keescook@chromium.org>,
Catalin Marinas <catalin.marinas@arm.com>,
Andy Lutomirski <luto@kernel.org>,
Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
Thomas Gleixner <tglx@linutronix.de>
Subject: Re: [PATCH 09/14] arm64: ssbd: Introduce thread flag to control userspace mitigation
Date: Thu, 24 May 2018 13:36:11 +0100 [thread overview]
Message-ID: <bc285971-70fb-b3ec-43a1-8721b9067c42@arm.com> (raw)
In-Reply-To: <20180524121944.GC8689@arm.com>
On 24/05/18 13:19, Will Deacon wrote:
> On Thu, May 24, 2018 at 01:16:38PM +0100, Marc Zyngier wrote:
>> On 24/05/18 13:01, Mark Rutland wrote:
>>> On Tue, May 22, 2018 at 04:06:43PM +0100, Marc Zyngier wrote:
>>>> In order to allow userspace to be mitigated on demand, let's
>>>> introduce a new thread flag that prevents the mitigation from
>>>> being turned off when exiting to userspace, and doesn't turn
>>>> it on on entry into the kernel (with the assumtion that the
>>>
>>> Nit: s/assumtion/assumption/
>>>
>>>> mitigation is always enabled in the kernel itself).
>>>>
>>>> This will be used by a prctl interface introduced in a later
>>>> patch.
>>>>
>>>> Signed-off-by: Marc Zyngier <marc.zyngier@arm.com>
>>>
>>> On the assumption that this flag cannot be flipped while a task is in
>>> userspace:
>>
>> Well, that's the case unless you get into the seccomp thing, which does
>> change TIF_SSBD on all threads of the task, without taking it to the
>> kernel first. That nicely breaks the state machine, and you end-up
>> running non-mitigated in the kernel. Oops.
>>
>> I have a couple of patches fixing that, using a second flag
>> (TIF_SSBD_PENDING) that gets turned into the real thing on exit to
>> userspace. It's pretty ugly though.
>
> ... which introduces the need for atomics on the entry path too :(
Oh, I'm not saying it is nice. It would hit us on the exception return
to userspace for all tasks (and not only the mitigated ones). I'd rather
not have this at all.
> I would /much/ rather kill the seccomp implicit enabling of the mitigation,
> or at least have a way to opt-out per arch since it doesn't seem to be
> technically justified imo.
I agree. The semantics are really odd (the thread still runs unmitigated
until it traps into the kernel), and I don't really get why seccomp
tasks should get a special treatment compared to the rest of the userspace.
But 4.17 is only something like 10 days away, so whatever we decide,
we'd better decide it soon.
M.
--
Jazz is not dead. It just smells funny...
WARNING: multiple messages have this Message-ID (diff)
From: marc.zyngier@arm.com (Marc Zyngier)
To: linux-arm-kernel@lists.infradead.org
Subject: [PATCH 09/14] arm64: ssbd: Introduce thread flag to control userspace mitigation
Date: Thu, 24 May 2018 13:36:11 +0100 [thread overview]
Message-ID: <bc285971-70fb-b3ec-43a1-8721b9067c42@arm.com> (raw)
In-Reply-To: <20180524121944.GC8689@arm.com>
On 24/05/18 13:19, Will Deacon wrote:
> On Thu, May 24, 2018 at 01:16:38PM +0100, Marc Zyngier wrote:
>> On 24/05/18 13:01, Mark Rutland wrote:
>>> On Tue, May 22, 2018 at 04:06:43PM +0100, Marc Zyngier wrote:
>>>> In order to allow userspace to be mitigated on demand, let's
>>>> introduce a new thread flag that prevents the mitigation from
>>>> being turned off when exiting to userspace, and doesn't turn
>>>> it on on entry into the kernel (with the assumtion that the
>>>
>>> Nit: s/assumtion/assumption/
>>>
>>>> mitigation is always enabled in the kernel itself).
>>>>
>>>> This will be used by a prctl interface introduced in a later
>>>> patch.
>>>>
>>>> Signed-off-by: Marc Zyngier <marc.zyngier@arm.com>
>>>
>>> On the assumption that this flag cannot be flipped while a task is in
>>> userspace:
>>
>> Well, that's the case unless you get into the seccomp thing, which does
>> change TIF_SSBD on all threads of the task, without taking it to the
>> kernel first. That nicely breaks the state machine, and you end-up
>> running non-mitigated in the kernel. Oops.
>>
>> I have a couple of patches fixing that, using a second flag
>> (TIF_SSBD_PENDING) that gets turned into the real thing on exit to
>> userspace. It's pretty ugly though.
>
> ... which introduces the need for atomics on the entry path too :(
Oh, I'm not saying it is nice. It would hit us on the exception return
to userspace for all tasks (and not only the mitigated ones). I'd rather
not have this at all.
> I would /much/ rather kill the seccomp implicit enabling of the mitigation,
> or at least have a way to opt-out per arch since it doesn't seem to be
> technically justified imo.
I agree. The semantics are really odd (the thread still runs unmitigated
until it traps into the kernel), and I don't really get why seccomp
tasks should get a special treatment compared to the rest of the userspace.
But 4.17 is only something like 10 days away, so whatever we decide,
we'd better decide it soon.
M.
--
Jazz is not dead. It just smells funny...
next prev parent reply other threads:[~2018-05-24 12:36 UTC|newest]
Thread overview: 110+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-05-22 15:06 [PATCH 00/14] arm64 SSBD (aka Spectre-v4) mitigation Marc Zyngier
2018-05-22 15:06 ` Marc Zyngier
2018-05-22 15:06 ` [PATCH 01/14] arm/arm64: smccc: Add SMCCC-specific return codes Marc Zyngier
2018-05-22 15:06 ` Marc Zyngier
2018-05-22 15:06 ` Marc Zyngier
2018-05-24 10:55 ` Mark Rutland
2018-05-24 10:55 ` Mark Rutland
2018-05-22 15:06 ` [PATCH 02/14] arm64: Call ARCH_WORKAROUND_2 on transitions between EL0 and EL1 Marc Zyngier
2018-05-22 15:06 ` Marc Zyngier
2018-05-22 15:06 ` Marc Zyngier
2018-05-23 9:23 ` Julien Grall
2018-05-23 9:23 ` Julien Grall
2018-05-24 10:52 ` Mark Rutland
2018-05-24 10:52 ` Mark Rutland
2018-05-24 12:10 ` Robin Murphy
2018-05-24 12:10 ` Robin Murphy
2018-05-24 11:00 ` Mark Rutland
2018-05-24 11:00 ` Mark Rutland
2018-05-24 11:23 ` Mark Rutland
2018-05-24 11:23 ` Mark Rutland
2018-05-24 11:28 ` Marc Zyngier
2018-05-24 11:28 ` Marc Zyngier
2018-05-22 15:06 ` [PATCH 03/14] arm64: Add per-cpu infrastructure to call ARCH_WORKAROUND_2 Marc Zyngier
2018-05-22 15:06 ` Marc Zyngier
2018-05-23 10:03 ` Julien Grall
2018-05-23 10:03 ` Julien Grall
2018-05-24 11:14 ` Mark Rutland
2018-05-24 11:14 ` Mark Rutland
2018-05-22 15:06 ` [PATCH 04/14] arm64: Add ARCH_WORKAROUND_2 probing Marc Zyngier
2018-05-22 15:06 ` Marc Zyngier
2018-05-22 15:06 ` Marc Zyngier
2018-05-23 10:06 ` Julien Grall
2018-05-23 10:06 ` Julien Grall
2018-05-24 9:58 ` Suzuki K Poulose
2018-05-24 9:58 ` Suzuki K Poulose
2018-05-24 11:39 ` Will Deacon
2018-05-24 11:39 ` Will Deacon
2018-05-24 13:34 ` Suzuki K Poulose
2018-05-24 13:34 ` Suzuki K Poulose
2018-05-24 11:27 ` Mark Rutland
2018-05-24 11:27 ` Mark Rutland
2018-05-22 15:06 ` [PATCH 05/14] arm64: Add 'ssbd' command-line option Marc Zyngier
2018-05-22 15:06 ` Marc Zyngier
2018-05-22 15:29 ` Randy Dunlap
2018-05-22 15:29 ` Randy Dunlap
2018-05-22 15:29 ` Randy Dunlap
2018-05-23 10:08 ` Julien Grall
2018-05-23 10:08 ` Julien Grall
2018-05-24 11:40 ` Mark Rutland
2018-05-24 11:40 ` Mark Rutland
2018-05-24 11:52 ` Marc Zyngier
2018-05-24 11:52 ` Marc Zyngier
2018-05-22 15:06 ` [PATCH 06/14] arm64: ssbd: Add global mitigation state accessor Marc Zyngier
2018-05-22 15:06 ` Marc Zyngier
2018-05-23 10:11 ` Julien Grall
2018-05-23 10:11 ` Julien Grall
2018-05-24 11:41 ` Mark Rutland
2018-05-24 11:41 ` Mark Rutland
2018-05-22 15:06 ` [PATCH 07/14] arm64: ssbd: Skip apply_ssbd if not using dynamic mitigation Marc Zyngier
2018-05-22 15:06 ` Marc Zyngier
2018-05-23 10:13 ` Julien Grall
2018-05-23 10:13 ` Julien Grall
2018-05-24 11:43 ` Mark Rutland
2018-05-24 11:43 ` Mark Rutland
2018-05-22 15:06 ` [PATCH 08/14] arm64: ssbd: Disable mitigation on CPU resume if required by user Marc Zyngier
2018-05-22 15:06 ` Marc Zyngier
2018-05-22 15:06 ` Marc Zyngier
2018-05-23 10:52 ` Julien Grall
2018-05-23 10:52 ` Julien Grall
2018-05-24 11:55 ` Mark Rutland
2018-05-24 11:55 ` Mark Rutland
2018-05-22 15:06 ` [PATCH 09/14] arm64: ssbd: Introduce thread flag to control userspace mitigation Marc Zyngier
2018-05-22 15:06 ` Marc Zyngier
2018-05-22 15:06 ` Marc Zyngier
2018-05-24 12:01 ` Mark Rutland
2018-05-24 12:01 ` Mark Rutland
2018-05-24 12:16 ` Marc Zyngier
2018-05-24 12:16 ` Marc Zyngier
2018-05-24 12:19 ` Will Deacon
2018-05-24 12:19 ` Will Deacon
2018-05-24 12:36 ` Marc Zyngier [this message]
2018-05-24 12:36 ` Marc Zyngier
2018-05-22 15:06 ` [PATCH 10/14] arm64: ssbd: Add prctl interface for per-thread mitigation Marc Zyngier
2018-05-22 15:06 ` Marc Zyngier
2018-05-22 15:48 ` Dominik Brodowski
2018-05-22 15:48 ` Dominik Brodowski
2018-05-22 16:30 ` Marc Zyngier
2018-05-22 16:30 ` Marc Zyngier
2018-05-22 16:30 ` Marc Zyngier
2018-05-24 12:10 ` Mark Rutland
2018-05-24 12:10 ` Mark Rutland
2018-05-24 12:24 ` Will Deacon
2018-05-24 12:24 ` Will Deacon
2018-05-22 15:06 ` [PATCH 11/14] arm64: KVM: Add HYP per-cpu accessors Marc Zyngier
2018-05-22 15:06 ` Marc Zyngier
2018-05-24 12:11 ` Mark Rutland
2018-05-24 12:11 ` Mark Rutland
2018-05-22 15:06 ` [PATCH 12/14] arm64: KVM: Add ARCH_WORKAROUND_2 support for guests Marc Zyngier
2018-05-22 15:06 ` Marc Zyngier
2018-05-24 12:15 ` Mark Rutland
2018-05-24 12:15 ` Mark Rutland
2018-05-22 15:06 ` [PATCH 13/14] arm64: KVM: Handle guest's ARCH_WORKAROUND_2 requests Marc Zyngier
2018-05-22 15:06 ` Marc Zyngier
2018-05-24 12:22 ` Mark Rutland
2018-05-24 12:22 ` Mark Rutland
2018-05-22 15:06 ` [PATCH 14/14] arm64: KVM: Add ARCH_WORKAROUND_2 discovery through ARCH_FEATURES_FUNC_ID Marc Zyngier
2018-05-22 15:06 ` Marc Zyngier
2018-05-24 12:25 ` Mark Rutland
2018-05-24 12:25 ` Mark Rutland
2018-07-20 9:47 [PATCH 00/14] arm64: 4.17 backport of the SSBD mitigation patches Marc Zyngier
2018-07-20 9:47 ` [PATCH 09/14] arm64: ssbd: Introduce thread flag to control userspace mitigation Marc Zyngier
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=bc285971-70fb-b3ec-43a1-8721b9067c42@arm.com \
--to=marc.zyngier@arm.com \
--cc=catalin.marinas@arm.com \
--cc=gregkh@linuxfoundation.org \
--cc=keescook@chromium.org \
--cc=kvmarm@lists.cs.columbia.edu \
--cc=linux-arm-kernel@lists.infradead.org \
--cc=linux-kernel@vger.kernel.org \
--cc=luto@kernel.org \
--cc=mark.rutland@arm.com \
--cc=tglx@linutronix.de \
--cc=will.deacon@arm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.