x86: Meltdown/Spectre_v2 status

x86: Meltdown/Spectre_v2 status

[Thomas Gleixner]

Folks!

After 10 days of frenzy following the disclosure of the mess, I'm at a
point where I think that the current set which we have in Linus tree and
the pending patches in tip:x86/pti plus one not yet applied patch (RSB on
context switch) have reached a state where the main targets are covered
even on skylake:

  1) Meltdown is addressed
  2) Retpoline mostly covered if we have working compilers some day 
  3) RSB after vmexit and on context switch (pending)

plus the infrastructure and basic building blocks are in place.

That's what is going to be in 4.15 (unless Linus goes berserk on the pull
requests) and next week should be focussed on eventual fallout, fixes and
small corrections here and there. Also to spend some time on taming the
backlog of our inboxes a bit. There is also stuff happening outside of this
which needs our attention and care.

I want to say thanks to everyone involved and I want to apologize if I went
overboard or offended someone in the course of the discussions.

Surely we all know there is room for improvements, but we also have reached
a state where the remaining issues are not longer to be treated in full
emergency and panic mode. We're good now, but not perfect.

The further RSB vs. IBRS discussion has to be settled in the way we
normally work. We need full documentation, proper working micro code and
actual comparisons of the two approaches vs. performance, coverage of
attack vectors and code complexity/ugliness.

We all are exhausted and at our limits and I think we can agree that having
the most problematic stuff covered is the right point to calm down and put
the heads back on the chickens. Take a break and have a few drinks at least
over the weekend!

To be honest the last 10 days were more horrible than the whole PTI work
due to lack of documentation, 12 different opinions when asking 8 people
(why does this have a lawyer smell?) and an amazing amount of half baken
and hastily cobbled together crap.

Please lets stop this and return to normality now.

Thanks,

	Thomas

Re: x86: Meltdown/Spectre_v2 status

[Josh Poimboeuf]

On Fri, Jan 12, 2018 at 10:44:48PM +0100, Thomas Gleixner wrote:
> Folks!
> 
> After 10 days of frenzy following the disclosure of the mess, I'm at a
> point where I think that the current set which we have in Linus tree and
> the pending patches in tip:x86/pti plus one not yet applied patch (RSB on
> context switch) have reached a state where the main targets are covered
> even on skylake:
> 
>   1) Meltdown is addressed
>   2) Retpoline mostly covered if we have working compilers some day 
>   3) RSB after vmexit and on context switch (pending)
> 
> plus the infrastructure and basic building blocks are in place.
> 
> That's what is going to be in 4.15 (unless Linus goes berserk on the pull
> requests)

And for those who are curious (I was) it looks like the BPF variant 1
fix has already been merged into Linus' tree.

> and next week should be focussed on eventual fallout, fixes and
> small corrections here and there. Also to spend some time on taming the
> backlog of our inboxes a bit. There is also stuff happening outside of this
> which needs our attention and care.
> 
> I want to say thanks to everyone involved and I want to apologize if I went
> overboard or offended someone in the course of the discussions.
> 
> Surely we all know there is room for improvements, but we also have reached
> a state where the remaining issues are not longer to be treated in full
> emergency and panic mode. We're good now, but not perfect.
> 
> The further RSB vs. IBRS discussion has to be settled in the way we
> normally work. We need full documentation, proper working micro code and
> actual comparisons of the two approaches vs. performance, coverage of
> attack vectors and code complexity/ugliness.
> 
> We all are exhausted and at our limits and I think we can agree that having
> the most problematic stuff covered is the right point to calm down and put
> the heads back on the chickens. Take a break and have a few drinks at least
> over the weekend!
> 
> To be honest the last 10 days were more horrible than the whole PTI work
> due to lack of documentation, 12 different opinions when asking 8 people
> (why does this have a lawyer smell?) and an amazing amount of half baken
> and hastily cobbled together crap.
> 
> Please lets stop this and return to normality now.

Amen.

Thomas, amazing job distilling some sanity out of the pandemonium.

For future patch submissions, I would ask everyone to at least add
x86@kernel.org to To: or Cc: (along with lkml).  It's not only good
etiquette to help the x86 maintainers, but it also gives those us not
directly on Cc: a way to filter the patches into our inboxes.

-- 
Josh

Re: x86: Meltdown/Spectre_v2 status

[Woodhouse, David]

[-- Attachment #1.1: Type: text/plain, Size: 1533 bytes --]

On Fri, 2018-01-12 at 16:48 -0600, Josh Poimboeuf wrote:
> >   1) Meltdown is addressed
> >   2) Retpoline mostly covered if we have working compilers some day 
> >   3) RSB after vmexit and on context switch (pending)
> > 
> > plus the infrastructure and basic building blocks are in place.
> > 
> > That's what is going to be in 4.15 (unless Linus goes berserk on the pull
> > requests)

To be clear: This doesn't include IBPB and thus userspace processes
(and VM guests) are not protected from each other.

But the attacks there are extremely hard to pull off, and I think we
can live with that in the short term. IBPB does need to be next, but I
think we're entirely correct to proceed without it for now. I just want
to make sure we're clear about the status.

> And for those who are curious (I was) it looks like the BPF variant 1
> fix has already been merged into Linus' tree.

Great. I was going to check on that too.

> Thomas, amazing job distilling some sanity out of the pandemonium.

Indeed. Thank you, Thomas.

FWIW we've done a backport of the sysfs/vulnerability and retpoline
parts to 4.9, including cherry-picking a few earlier needed commits:
http://git.infradead.org/retpoline-stable.git/shortlog/refs/heads/linux-4.9.y

Josh, I'd very much appreciate your eyes on my objtool-related
backports — both your retpoline-specific patches, as well as the
.discard.* bits they depended on. Thanks.

Bringing ASM_CALL_CONSTRAINT in as-is seemed like the same thing to do
too.

[-- Attachment #1.2: smime.p7s --]
[-- Type: application/x-pkcs7-signature, Size: 5210 bytes --]

[-- Attachment #2.1: Type: text/plain, Size: 197 bytes --]




Amazon Web Services UK Limited. Registered in England and Wales with registration number 08650665 and which has its registered office at 60 Holborn Viaduct, London EC1A 2FD, United Kingdom.

[-- Attachment #2.2: Type: text/html, Size: 197 bytes --]

Re: x86: Meltdown/Spectre_v2 status

[Josh Poimboeuf]

On Sat, Jan 13, 2018 at 11:55:17AM +0000, Woodhouse, David wrote:
> FWIW we've done a backport of the sysfs/vulnerability and retpoline
> parts to 4.9, including cherry-picking a few earlier needed commits:
> http://git.infradead.org/retpoline-stable.git/shortlog/refs/heads/linux-4.9.y
> 
> Josh, I'd very much appreciate your eyes on my objtool-related
> backports — both your retpoline-specific patches, as well as the
> .discard.* bits they depended on. Thanks.
> 
> Bringing ASM_CALL_CONSTRAINT in as-is seemed like the same thing to do
> too.

The objtool-related backports look good.

-- 
Josh

Re: x86: Meltdown/Spectre_v2 status

[Christoph Hellwig]

On Fri, Jan 12, 2018 at 04:48:14PM -0600, Josh Poimboeuf wrote:
> Thomas, amazing job distilling some sanity out of the pandemonium.
> 
> For future patch submissions, I would ask everyone to at least add
> x86@kernel.org to To: or Cc: (along with lkml).  It's not only good
> etiquette to help the x86 maintainers, but it also gives those us not
> directly on Cc: a way to filter the patches into our inboxes.

It would be really good to get a real linux-x86 mailing list while
we're at it..