From: Marc Zyngier <marc.zyngier@arm.com>
To: Will Deacon <will.deacon@arm.com>
Cc: Mark Rutland <mark.rutland@arm.com>,
	linux-arm-kernel@lists.infradead.org,
	linux-kernel@vger.kernel.org, kvmarm@lists.cs.columbia.edu,
	Kees Cook <keescook@chromium.org>,
	Catalin Marinas <catalin.marinas@arm.com>,
	Andy Lutomirski <luto@kernel.org>,
	Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	Thomas Gleixner <tglx@linutronix.de>
Subject: Re: [PATCH 09/14] arm64: ssbd: Introduce thread flag to control userspace mitigation
Date: Thu, 24 May 2018 13:36:11 +0100
Message-ID: <bc285971-70fb-b3ec-43a1-8721b9067c42@arm.com>
In-Reply-To: <20180524121944.GC8689@arm.com>

On 24/05/18 13:19, Will Deacon wrote:
> On Thu, May 24, 2018 at 01:16:38PM +0100, Marc Zyngier wrote:
>> On 24/05/18 13:01, Mark Rutland wrote:
>>> On Tue, May 22, 2018 at 04:06:43PM +0100, Marc Zyngier wrote:
>>>> In order to allow userspace to be mitigated on demand, let's
>>>> introduce a new thread flag that prevents the mitigation from
>>>> being turned off when exiting to userspace, and doesn't turn
>>>> it on on entry into the kernel (with the assumtion that the
>>>
>>> Nit: s/assumtion/assumption/
>>>
>>>> mitigation is always enabled in the kernel itself).
>>>>
>>>> This will be used by a prctl interface introduced in a later
>>>> patch.
>>>>
>>>> Signed-off-by: Marc Zyngier <marc.zyngier@arm.com>
>>>
>>> On the assumption that this flag cannot be flipped while a task is in
>>> userspace:
>>
>> Well, that's the case unless you get into the seccomp thing, which does
>> change TIF_SSBD on all threads of the task, without taking it to the
>> kernel first. That nicely breaks the state machine, and you end-up
>> running non-mitigated in the kernel. Oops.
>>
>> I have a couple of patches fixing that, using a second flag
>> (TIF_SSBD_PENDING) that gets turned into the real thing on exit to
>> userspace. It's pretty ugly though.
>
> ... which introduces the need for atomics on the entry path too :(

Oh, I'm not saying it is nice. It would hit us on the exception return
to userspace for all tasks (and not only the mitigated ones). I'd rather
not have this at all.

> I would /much/ rather kill the seccomp implicit enabling of the mitigation,
> or at least have a way to opt-out per arch since it doesn't seem to be
> technically justified imo.

I agree. The semantics are really odd (the thread still runs unmitigated
until it traps into the kernel), and I don't really get why seccomp
tasks should get a special treatment compared to the rest of the userspace.

But 4.17 is only something like 10 days away, so whatever we decide,
we'd better decide it soon.

	M.
-- 
Jazz is not dead. It just smells funny...
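A simplified model of the state machine discussed in this message, added here as an illustration and not taken from the patch series or the kernel: it shows why setting TIF_SSBD on a task that is still in userspace leaves the kernel unmitigated on the next entry, and how a deferred TIF_SSBD_PENDING flag avoids that. The `sim` struct and the function names are hypothetical, and the model is single-threaded, so the atomics concern raised above is not represented.

```c
#include <stdbool.h>
#include <stdio.h>

/* Simplified single-CPU model, not kernel code. Only TIF_SSBD and
 * TIF_SSBD_PENDING are names from the thread; the rest is hypothetical. */
struct sim {
    bool tif_ssbd;         /* TIF_SSBD: keep the mitigation on in userspace */
    bool tif_ssbd_pending; /* TIF_SSBD_PENDING: request, promoted on exit */
    bool mitigated;        /* current mitigation state of the CPU */
};

/* Kernel entry: a set flag means "already on", so nothing is done. */
static void enter_kernel(struct sim *s)
{
    if (!s->tif_ssbd)
        s->mitigated = true;
}

/* Exit to userspace: promote a pending request, then turn the
 * mitigation off unless the flag asks for it to stay on. */
static void exit_to_user(struct sim *s)
{
    if (s->tif_ssbd_pending) {
        s->tif_ssbd = true;
        s->tif_ssbd_pending = false;
    }
    if (!s->tif_ssbd)
        s->mitigated = false;
}

/* Another thread (the seccomp case) requests the mitigation while this
 * task sits in userspace; return the state seen after the next entry. */
static struct sim remote_set_then_enter(bool use_pending)
{
    struct sim s = { .mitigated = true };

    exit_to_user(&s);               /* unmitigated task: mitigation off */
    if (use_pending)
        s.tif_ssbd_pending = true;  /* deferred request */
    else
        s.tif_ssbd = true;          /* direct flip behind the task's back */
    enter_kernel(&s);
    return s;
}

int main(void)
{
    struct sim d = remote_set_then_enter(false), p = remote_set_then_enter(true);
    printf("direct flip:  kernel mitigated=%d\n", d.mitigated);
    printf("pending flag: kernel mitigated=%d\n", p.mitigated);
    return 0;
}
```

In the pending case the task only gains TIF_SSBD on its next exit to userspace, which matches the remark that the thread still runs unmitigated until it traps into the kernel.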