From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Google-Smtp-Source: AH8x227qPXetMn3KVRtTBlDO+KgPa1g81u+jsIXWuYlNTnUVShOAPzWxmyU1tjYPmV41o3zzmy4X ARC-Seal: i=1; a=rsa-sha256; t=1517347399; cv=none; d=google.com; s=arc-20160816; b=MP1+0zpaNNUjKJwhRIrCWyCUZu8pVZcCfww/lnUsLKRRLKzcg+fy8srh9BBq2zkgtJ aod8pDckbTeIOItXyc5kENvQnLvC6LJ/fTFikkZhkJ1z3qOPdc3skfg2QGsg6732vA2d mSNVT7YwoOq70YCq4HfPgN1hspotqCvbIhF81OQpUu0F4Gaqs+RPFk1ly1uxIS0GrHkQ 38XnnXT7HHn3QxIgeFE9zbwHWyvsUwXZVesN73abf8ZdJ6hIudQ6l0GLJ94EpiDjYD4q cn3P2qrtzGN/3722Kd5K+3YN7YDd9A9jOn3vdtx4ZjxFphoz4HemusyZvH+kjacF16ht zsvQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=content-transfer-encoding:content-language:in-reply-to:mime-version :user-agent:date:message-id:from:references:cc:to:subject :arc-authentication-results; bh=9zkZxDRrWTdScFwGGlH8kG3Lh2e2svEnLiyRONqtWaA=; b=yZwQ0w8F/Hai1amsmMarp2Rhq8FZL/eI36SJ2If/T62sm5TaNGZoaj6ktKhOFxfDD7 3wAwDHfGi1V7aY5nxTsRJ2BRw0yedcInO5isMdu/CNMNmwTcpHmMTcOHKwrOkYoFtsfL pXBHpv7bU1tFgklx3WipcVbhe0i9dE0eAIPxfnm7g2aSeQL5Uetaa9H8OZ5VzA0WQVwP iurN3CN2uZ5wUdrpzmbMLjhdFwA5QkJmUs3Q9Bvj+fQlRQPlQQzoDt/2wOEAN/KgRd0n dBmdZs3z8phmkK4qej8kcRXdM/HKSJ+ZfvPHyVC2MS27nIE+ihFyE8JydlMs5i0af5dS MH1A== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of tim.c.chen@linux.intel.com designates 192.55.52.120 as permitted sender) smtp.mailfrom=tim.c.chen@linux.intel.com Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of tim.c.chen@linux.intel.com designates 192.55.52.120 as permitted sender) smtp.mailfrom=tim.c.chen@linux.intel.com X-Amp-Result: SKIPPED(no attachment in message) X-Amp-File-Uploaded: False X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="5.46,436,1511856000"; d="scan'208";a="14668059" Subject: Re: [PATCH] x86/speculation: Use Indirect Branch Prediction Barrier in context switch To: Josh Poimboeuf , David Woodhouse Cc: arjan@linux.intel.com, tglx@linutronix.de, karahmed@amazon.de, x86@kernel.org, linux-kernel@vger.kernel.org, bp@alien8.de, peterz@infradead.org, pbonzini@redhat.com, ak@linux.intel.com, torvalds@linux-foundation.org, gregkh@linux-foundation.org, mingo@kernel.org, luto@kernel.org, linux@dominikbrodowski.net References: <1517263487-3708-1-git-send-email-dwmw@amazon.co.uk> <20180130174850.bwypk4r5yn2344jb@treble> From: Tim Chen Message-ID: Date: Tue, 30 Jan 2018 13:23:17 -0800 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.1.0 MIME-Version: 1.0 In-Reply-To: <20180130174850.bwypk4r5yn2344jb@treble> Content-Type: text/plain; charset=utf-8 Content-Language: en-US Content-Transfer-Encoding: 7bit X-getmail-retrieved-from-mailbox: INBOX X-GMAIL-THRID: =?utf-8?q?1590966106432961445?= X-GMAIL-MSGID: =?utf-8?q?1591054066389676277?= X-Mailing-List: linux-kernel@vger.kernel.org List-ID: On 01/30/2018 09:48 AM, Josh Poimboeuf wrote: > On Mon, Jan 29, 2018 at 10:04:47PM +0000, David Woodhouse wrote: >> From: Tim Chen >> >> Flush indirect branches when switching into a process that marked itself >> non dumpable. This protects high value processes like gpg better, >> without having too high performance overhead. > > I wonder what the point of this patch is. An audit of my laptop shows > only a single user of PR_SET_DUMPABLE: systemd-coredump. This is an opt in approach. For processes who need extra security, it set itself as non-dumpable. Then it can ensure that it doesn't see any poisoned BTB. > > [ And yes, I have gpg-agent running. Also, a grep of the gnupg source > doesn't show any evidence of it being used there. So the gpg thing > seems to be a myth. ] I'm less familiar with gpg-agent. Dave was the one who put in comments about gpg-agent in this patch so perhaps he can comment. > > But also, I much preferred the original version of the patch which only > skipped IBPB when 'prev' could ptrace 'next'. For the A->kernel thread->B scenario, you will need context of A to decide if you need IBPB when switching to B. You need to worry about whether the context of A has been released ... etc if you want to use ptrace. > > If performance is a concern, let's look at that in more detail. But I > don't see how the solution to a performance issue could possibly be > "leave (almost) all tasks vulnerable by default." > Thanks. Tim