From: Josh Poimboeuf
Date: Tue, 19 Nov 2019 15:03:18 -0600
Subject: [MODERATED] Re: LVI
To: speck@linutronix.de
Message-ID: <20191119210318.2itaoogwxu2oezok@treble>
In-Reply-To: <20191119210007.zrweuamvb44x7evv@treble>
References: <20191119174008.7dbymix2eo4mrv57@treble> <59d8550a-a217-7d30-9b44-e6a31cb4addf@citrix.com> <20191119182709.a3hu63nrnbffiped@treble> <20191119210007.zrweuamvb44x7evv@treble>

On Tue, Nov 19, 2019 at 03:00:07PM -0600, speck for Josh Poimboeuf wrote:
> On Tue, Nov 19, 2019 at 06:39:34PM +0000, speck for Andrew Cooper wrote:
> > On 19/11/2019 18:27, speck for Josh Poimboeuf wrote:
> > >>> To protect the kernel, we'd presumably need to look for places where
> > >>> users can trigger a faulting/assisting load. For example,
> > >>> copy_from_user().
> > >>>
> > >>> copy_from_user() has an LFENCE between the access_ok() check and the
> > >>> actual copy to protect against Spectre v1. What if we move that LFENCE
> > >>> to *after* the copy? I think that would protect against both Spectre v1
> > >>> and LVI.
> > >>>
> > >>> Thoughts?
> > >> The lfence before protects from speculating into copy_from_user() with a
> > >> bad pointer. This protection is still necessary.
> > > What's the harm of speculating the copy with a bad pointer if we can
> > > confirm there are no gadgets between the copy and the LFENCE?
> >
> > Because the other hyperthread can read the data directly out of the
> > cache using L1TF/MDS/other as applicable.
> >
> > True - this is applicable to any speculative OoB read on the first
> > thread so isn't unique to copy_from_user(), but copy_from_user() is very
> > easy for an attacker to control.
>
> Ok, I guess I had just assumed we didn't care about SMT at this point; we
> should at least try to do a best effort there.
>
> Does this match your thinking?
>
> if (SMT && (BUG_L1TF || BUG_MDS || BUG_TAA))
> 	lfence();
>
> ... do the copy ...
>
> if (BUG_LVI)
> 	lfence();

Or, taking SMAP and Spectre v1 into account...

if (!SMAP && SMT && (BUG_L1TF || BUG_MDS || BUG_TAA))
	lfence();

... do the copy ...

if (!SMAP && (BUG_SPECTRE_V1 || BUG_LVI))
	lfence();

-- 
Josh
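An added example, not code from the thread or from the kernel: it encodes the two fence-placement sketches in this message as C decision functions and wraps the refined one in a userspace stand-in for copy_from_user() that emits a real LFENCE on x86. The flag names (smt, smap, bug_*), the names plan_smt_aware(), plan_smap_aware(), access_ok_sim() and copy_from_user_sim(), and the lfence() wrapper are assumptions modelled on the pseudocode above; user_buf is a constructed stand-in for the user address range that access_ok() would check.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Flag names are assumptions modelled on the ones used in the message;
 * they are not the kernel's real feature/bug bits. */
struct cpu_state {
    bool smt;            /* a sibling hyperthread is enabled */
    bool smap;           /* SMAP is enabled */
    bool bug_l1tf;
    bool bug_mds;
    bool bug_taa;
    bool bug_spectre_v1;
    bool bug_lvi;
};

/* Where an LFENCE is emitted around one copy_from_user() call. */
struct fence_plan {
    bool before;         /* between access_ok() and the copy */
    bool after;          /* after the copy completes */
};

/* The quoted first sketch: the leading fence only matters when an SMT
 * sibling could sample the speculatively loaded data via L1TF/MDS/TAA. */
struct fence_plan plan_smt_aware(const struct cpu_state *c)
{
    struct fence_plan p;
    p.before = c->smt && (c->bug_l1tf || c->bug_mds || c->bug_taa);
    p.after  = c->bug_lvi;
    return p;
}

/* The refinement at the end of the message: additionally gate both fences
 * on SMAP being off, and let the trailing fence cover Spectre v1 too. */
struct fence_plan plan_smap_aware(const struct cpu_state *c)
{
    struct fence_plan p;
    p.before = !c->smap && c->smt && (c->bug_l1tf || c->bug_mds || c->bug_taa);
    p.after  = !c->smap && (c->bug_spectre_v1 || c->bug_lvi);
    return p;
}

/* Real LFENCE on x86; a plain compiler barrier elsewhere so the file
 * still builds on other architectures. */
static inline void lfence(void)
{
#if defined(__x86_64__) || defined(__i386__)
    __asm__ __volatile__("lfence" ::: "memory");
#else
    __asm__ __volatile__("" ::: "memory");
#endif
}

/* Constructed stand-in for the user address range checked by access_ok(). */
static unsigned char user_buf[64];

static bool access_ok_sim(const void *p, size_t n)
{
    uintptr_t lo = (uintptr_t)user_buf;
    uintptr_t hi = lo + sizeof(user_buf);
    uintptr_t a  = (uintptr_t)p;
    return n <= sizeof(user_buf) && a >= lo && a <= hi - n;
}

/* Simulated copy_from_user() following the SMAP-aware plan.
 * Returns 0 on success, -1 (the -EFAULT analogue) if the range is bad. */
int copy_from_user_sim(void *dst, const void *src, size_t n,
                       const struct cpu_state *c)
{
    struct fence_plan p = plan_smap_aware(c);

    if (!access_ok_sim(src, n))
        return -1;
    if (p.before)
        lfence();   /* keep a bad pointer from being dereferenced speculatively */
    memcpy(dst, src, n);
    if (p.after)
        lfence();   /* keep the copied bytes from being consumed speculatively */
    return 0;
}

int main(void)
{
    /* Constructed configuration: SMT on, L1TF/MDS/Spectre v1/LVI all present. */
    struct cpu_state c = { .smt = true, .smap = false, .bug_l1tf = true,
                           .bug_mds = true, .bug_taa = false,
                           .bug_spectre_v1 = true, .bug_lvi = true };
    for (int smap = 0; smap < 2; smap++) {
        c.smap = smap;
        struct fence_plan a = plan_smt_aware(&c), b = plan_smap_aware(&c);
        printf("SMAP=%d  first sketch: before=%d after=%d  refined: before=%d after=%d\n",
               smap, a.before, a.after, b.before, b.after);
    }
    return 0;
}
```

Build with `gcc -O2 -o fence_plan fence_plan.c` and run it; the loop in main() prints the fence decisions of both sketches with SMAP off and on, which makes the difference between them visible on one line each: the first sketch keeps both fences regardless of SMAP, the refined one drops both once SMAP is enabled.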