All of lore.kernel.org
 help / color / mirror / Atom feed
From: Jiri Kosina <jikos@kernel.org>
To: Thomas Gleixner <tglx@linutronix.de>,
	Ingo Molnar <mingo@redhat.com>,
	Peter Zijlstra <peterz@infradead.org>,
	Josh Poimboeuf <jpoimboe@redhat.com>,
	Andrea Arcangeli <aarcange@redhat.com>,
	"Woodhouse, David" <dwmw@amazon.co.uk>,
	Andi Kleen <ak@linux.intel.com>,
	Tim Chen <tim.c.chen@linux.intel.com>,
	"Schaufler, Casey" <casey.schaufler@intel.com>
Cc: linux-kernel@vger.kernel.org, x86@kernel.org
Subject: [PATCH v7 0/3] Harden spectrev2 userspace-userspace protection
Date: Tue, 25 Sep 2018 14:37:25 +0200 (CEST)	[thread overview]
Message-ID: <nycvar.YFH.7.76.1809251431260.15880@cbobk.fhfr.pm> (raw)

Currently, linux kernel is basically not preventing userspace-userspace 
spectrev2 attack, because:

- IBPB is basically unused (issued only for tasks that marked themselves 
  explicitly non-dumpable, which is absolutely negligible minority of all 
  software out there), therefore cross-process branch buffer posioning 
  using spectrev2 is possible

- STIBP is completely unused, therefore cross-process branch buffer 
  poisoning using spectrev2 between processess running on two HT siblings 
  thread s is possible

This patchset changes IBPB semantics, so that it's now applied whenever 
context-switching between processess that can't use ptrace() to achieve 
the same. This admittedly comes with extra overhad on a context switch; 
systems that don't care about could disable the mitigation using 
nospectre_v2 boot option.
The IBPB implementaion is heavily based on original patches by Tim Chen.

In addition to that, we unconditionally turn STIBP on so that HT siblings 
always have separate branch buffers.

We've been carrying IBPB implementation with the same semantics in our 
(SUSE) trees since january disclosure; STIBP was more or less ignored up 
to today.

There is more work going on by Tim Chen, that will go on top, and enable 
prctl()-based more fine-grained per-process tuning of this mitigation.

v1->v2:
        include IBPB changes
v2->v3: 
        fix IBPB 'who can trace who' semantics
        wire up STIBP flipping to SMT hotplug
v3->v4:
	dropped ___ptrace_may_access(), as it's not needed
	fixed deadlock with LSM/audit/selinux (Andrea Arcangeli)
	statically patch out the ptrace check if !IBPB

v4->v5:
	fix MSR writing logic (Thomas Gleixner, Josh Poimboeuf)

v5->v6:
	propagate X86_FEATURE_RSB_CTXSW setting to sysfs
	propagate STIBP setting to sysfs (Thomas Gleixner)
	simplify arch_smt_update() (Thomas Gleixner)

v6->v7:
	PTRACE_MODE_NOACCESS_CHK -> PTRACE_MODE_SCHED and PTRACE_MODE_IBPB
		(Thomas Gleixner)
	drop unnecessary x86_spec_ctrl_base mutex in cpu_show_common()

Jiri Kosina (3):
      x86/speculation: apply IBPB more strictly to avoid cross-process data leak
      x86/speculation: Enable cross-hyperthread spectre v2 STIBP mitigation
      x86/speculation: Propagate information about RSB filling mitigation to sysfs

 arch/x86/kernel/cpu/bugs.c | 60 ++++++++++++++++++++++++++++++++++++++++++++++++++++++------
 arch/x86/mm/tlb.c          | 31 ++++++++++++++++++++-----------
 include/linux/ptrace.h     |  4 ++++
 kernel/cpu.c               | 11 ++++++++++-
 kernel/ptrace.c            | 12 ++++++++----
 5 files changed, 96 insertions(+), 22 deletions(-)

-- 
Jiri Kosina
SUSE Labs


             reply	other threads:[~2018-09-25 12:37 UTC|newest]

Thread overview: 9+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2018-09-25 12:37 Jiri Kosina [this message]
2018-09-25 12:38 ` [PATCH v7 1/3] x86/speculation: apply IBPB more strictly to avoid cross-process data leak Jiri Kosina
2018-09-26 12:30   ` [tip:x86/pti] x86/speculation: Apply " tip-bot for Jiri Kosina
2018-09-27 20:18   ` [PATCH v7 1/3] x86/speculation: apply " Stephen Smalley
2018-09-27 20:28     ` Thomas Gleixner
2018-09-25 12:38 ` [PATCH v7 2/3] x86/speculation: Enable cross-hyperthread spectre v2 STIBP mitigation Jiri Kosina
2018-09-26 12:31   ` [tip:x86/pti] " tip-bot for Jiri Kosina
2018-09-25 12:39 ` [PATCH v7 3/3] x86/speculation: Propagate information about RSB filling mitigation to sysfs Jiri Kosina
2018-09-26 12:31   ` [tip:x86/pti] " tip-bot for Jiri Kosina

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=nycvar.YFH.7.76.1809251431260.15880@cbobk.fhfr.pm \
    --to=jikos@kernel.org \
    --cc=aarcange@redhat.com \
    --cc=ak@linux.intel.com \
    --cc=casey.schaufler@intel.com \
    --cc=dwmw@amazon.co.uk \
    --cc=jpoimboe@redhat.com \
    --cc=linux-kernel@vger.kernel.org \
    --cc=mingo@redhat.com \
    --cc=peterz@infradead.org \
    --cc=tglx@linutronix.de \
    --cc=tim.c.chen@linux.intel.com \
    --cc=x86@kernel.org \
    --subject='Re: [PATCH v7 0/3] Harden spectrev2 userspace-userspace protection' \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.