From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <mingo.kernel.org@gmail.com>
ARC-Seal: i=1; a=rsa-sha256; t=1516703016; cv=none;
        d=google.com; s=arc-20160816;
        b=Ft6wDfIESEAgAZKQ+QpqRyvqr9MyhA10Uz5/JQJH5EWcIj9cPNg6itjUVlmilhbQTT
         TZ14dSWBi0Lw0piSjO/TfK7B1n+WkRREkN6IqQEaGS2oWuul4oW3bSKIn98zg5Hnj7Pa
         eHCcpLNqREG+hegoWjPhTPBIezLFCGlEBoAeKOVHmajDS5yw3lH1Oh8VaIEtND7QjIlK
         KZxTiP9dJMYhDttqVB2BZRDsIs0CawjwZT0SjLa8v3+Gmkp79t+ZAlTmH/o8z1BRgPOe
         jDQpS++KROOanq8Wcz6OPS4A8JdfmcJRKEasxq1FwV1z86E4vS543uUd6Xfs7lzdZj0f
         8Kpg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=user-agent:in-reply-to:content-transfer-encoding
         :content-disposition:mime-version:references:message-id:subject:cc
         :to:from:date:sender:dkim-signature:arc-authentication-results;
        bh=7B71ckLQmAvLLGYXbn5WpHP8vd1FliZ1o8R89py343A=;
        b=0S3riGvTY28Rm3F00wOT1qjmj3/vnqVhZ/a4AUjVWtV2bHjXRSZ/4LyWleD/82J9yE
         wag003b2rvi7nL+/+3XiysC6AhwWUVU6gYIs7CsNAzq4ozuFoxyo4lLB4/l5IpnH7SJM
         fKeGn1Osx0JMGmeiuXtvxFQI3erEGncRde0gI5e/ADPq3obqHKWJGwxOKni16N6C64ez
         TSmJXbnRptyetoN06l/JRk7qBHF8P2P38Jk0GwrJaYupsxDysMOpJsgXEixVsRxFY7HI
         qWKnhcxTl3ARZB4uuWm8Z+raGQweyUI4e5fPRonb7hNdFuU2Loe5vYmOYie9XKjCxBJJ
         oaXQ==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@gmail.com header.s=20161025 header.b=rgCv1N6r;
       spf=pass (google.com: domain of mingo.kernel.org@gmail.com designates 209.85.220.41 as permitted sender) smtp.mailfrom=mingo.kernel.org@gmail.com
Authentication-Results: mx.google.com;
       dkim=pass header.i=@gmail.com header.s=20161025 header.b=rgCv1N6r;
       spf=pass (google.com: domain of mingo.kernel.org@gmail.com designates 209.85.220.41 as permitted sender) smtp.mailfrom=mingo.kernel.org@gmail.com
X-Google-Smtp-Source: AH8x225aPBqeUETFTUCyiLtewLABjIRr6CF6bF6kQPliBXnTdE6ewjeB1inzpUSEtHaQyGprHzML4A==
Sender: Ingo Molnar <mingo.kernel.org@gmail.com>
Date: Tue, 23 Jan 2018 11:23:18 +0100
From: Ingo Molnar <mingo@kernel.org>
To: David Woodhouse <dwmw2@infradead.org>
Cc: Linus Torvalds <torvalds@linux-foundation.org>,
	KarimAllah Ahmed <karahmed@amazon.de>,
	Linux Kernel Mailing List <linux-kernel@vger.kernel.org>,
	Andi Kleen <ak@linux.intel.com>,
	Andrea Arcangeli <aarcange@redhat.com>,
	Andy Lutomirski <luto@kernel.org>,
	Arjan van de Ven <arjan@linux.intel.com>,
	Ashok Raj <ashok.raj@intel.com>,
	Asit Mallick <asit.k.mallick@intel.com>,
	Borislav Petkov <bp@suse.de>,
	Dan Williams <dan.j.williams@intel.com>,
	Dave Hansen <dave.hansen@intel.com>,
	Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	"H . Peter Anvin" <hpa@zytor.com>, Ingo Molnar <mingo@redhat.com>,
	Janakarajan Natarajan <Janakarajan.Natarajan@amd.com>,
	Joerg Roedel <joro@8bytes.org>,
	Jun Nakajima <jun.nakajima@intel.com>,
	Laura Abbott <labbott@redhat.com>,
	Masami Hiramatsu <mhiramat@kernel.org>,
	Paolo Bonzini <pbonzini@redhat.com>,
	Peter Zijlstra <peterz@infradead.org>,
	Radim =?utf-8?B?S3LEjW3DocWZ?= <rkrcmar@redhat.com>,
	Thomas Gleixner <tglx@linutronix.de>,
	Tim Chen <tim.c.chen@linux.intel.com>,
	Tom Lendacky <thomas.lendacky@amd.com>,
	KVM list <kvm@vger.kernel.org>,
	the arch/x86 maintainers <x86@kernel.org>,
	Arjan Van De Ven <arjan.van.de.ven@intel.com>
Subject: Re: [RFC 09/10] x86/enter: Create macros to restrict/unrestrict
 Indirect Branch Speculation
Message-ID: <20180123102318.airsvcl5uckguo2z@gmail.com>
References: <1516476182-5153-10-git-send-email-karahmed@amazon.de>
 <CA+55aFxUEPHc7JRQG3zmxEsfmfJOiJa1QqFBKCBNb5Tt5vfiSg@mail.gmail.com>
 <1516566497.9814.78.camel@infradead.org>
 <CA+55aFwOkH8RH12Dzs=hT3e7eS3Ckz9Ed6x_-9a0zs1cw9zbKA@mail.gmail.com>
 <1516572013.9814.109.camel@infradead.org>
 <CA+55aFwoxXmY0u84iPT-RP8DoG+Qb8t-mh2r8RLhKVAH3jm6qg@mail.gmail.com>
 <1516638426.9521.20.camel@infradead.org>
 <20180123072930.soz25cyky3u4hpgv@gmail.com>
 <20180123075358.nztpyxympwfkyi2a@gmail.com>
 <1516699832.9521.123.camel@infradead.org>
MIME-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
In-Reply-To: <1516699832.9521.123.camel@infradead.org>
User-Agent: NeoMutt/20170609 (1.8.3)
X-getmail-retrieved-from-mailbox: INBOX
X-GMAIL-THRID: =?utf-8?q?1590140582166248265?=
X-GMAIL-MSGID: =?utf-8?q?1590378382086619836?=
X-Mailing-List: linux-kernel@vger.kernel.org
List-ID: <linux-kernel.vger.kernel.org>


* David Woodhouse <dwmw2@infradead.org> wrote:

> > On SkyLake this would add an overhead of maybe 2-3 cycles per function call and 
> > obviously all this code and data would be very cache hot. Given that the average 
> > number of function calls per system call is around a dozen, this would be _much_ 
> > faster than any microcode/MSR based approach.
> 
> That's kind of neat, except you don't want it at the top of the
> function; you want it at the bottom.
> 
> If you could hijack the *return* site, then you could check for
> underflow and stuff the RSB right there. But in __fentry__ there's not
> a lot you can do other than complain that something bad is going to
> happen in the future. You know that a string of 16+ rets is going to
> happen, but you've got no gadget in *there* to deal with it when it
> does.

No, it can be done with the existing CALL instrumentation callback that 
CONFIG_DYNAMIC_FTRACE=y provides, by pushing a RET trampoline on the stack from 
the CALL trampoline - see my previous email.

> HJ did have patches to turn 'ret' into a form of retpoline, which I
> don't think ever even got performance-tested.

Return instrumentation is possible as well, but there are two major drawbacks:

 - GCC support for it is not as widely available and return instrumentation is 
   less tested in Linux kernel contexts

 - a major point of my suggestion is that CONFIG_DYNAMIC_FTRACE=y is already 
   enabled in distros here and today, so the runtime overhead to non-SkyLake CPUs 
   would be literally zero, while still allowing to fix the RSB vulnerability on 
   SkyLake.

Thanks,

	Ingo