From: Thomas Gleixner <tglx@linutronix.de>
To: Balbir Singh <sblbir@amazon.com>, linux-kernel@vger.kernel.org
Cc: jpoimboe@redhat.com, tony.luck@intel.com, keescook@chromium.org,
benh@kernel.crashing.org, x86@kernel.org, dave.hansen@intel.com,
thomas.lendacky@amd.com, Balbir Singh <sblbir@amazon.com>
Subject: Re: [PATCH v6 6/6] Documentation: Add L1D flushing Documentation
Date: Wed, 13 May 2020 15:33:29 +0200 [thread overview]
Message-ID: <87r1vo2c46.fsf@nanos.tec.linutronix.de> (raw)
In-Reply-To: <20200510014803.12190-7-sblbir@amazon.com>
Balbir Singh <sblbir@amazon.com> writes:
> +With an increasing number of vulnerabilities being reported around data
> +leaks from L1D, a new user space mechanism to flush the L1D cache on
> +context switch is added to the kernel. This should help address
is added to the kernel? This is documentation of an existing feature...
> +Mitigation
> +----------
> +When PR_SET_L1D_FLUSH is enabled for a task, on switching tasks (when
> +the address space changes), a flush of the L1D cache is performed for
> +the task when it leaves the CPU. If the underlying CPU supports L1D
> +flushing in hardware, the hardware mechanism is used, otherwise a software
> +fallback, similar to the mechanism used by L1TF is used.
This lacks documentation of the limitations, especially that this does
not help against cross Hyperthread attacks.
I've massaged the whole thing a bit. See below.
Thanks,
tglx
8<-----------------
--- a/Documentation/admin-guide/hw-vuln/index.rst
+++ b/Documentation/admin-guide/hw-vuln/index.rst
@@ -14,3 +14,4 @@ are configurable at compile, boot or run
mds
tsx_async_abort
multihit.rst
+ l1d_flush
--- /dev/null
+++ b/Documentation/admin-guide/hw-vuln/l1d_flush.rst
@@ -0,0 +1,53 @@
+L1D Flushing for the paranoid
+=============================
+
+With an increasing number of vulnerabilities being reported around data
+leaks from the Level 1 Data cache (L1D) the kernel provides an opt-in
+mechanism to flush the L1D cache on context switch.
+
+This mechanism can be used to address e.g. CVE-2020-0550. For paranoid
+applications the mechanism keeps them safe from any yet to be discovered
+vulnerabilities, related to leaks from the L1D cache.
+
+
+Related CVEs
+------------
+At the present moment, the following CVEs can be addressed by this
+mechanism
+
+ ============= ======================== ==================
+ CVE-2020-0550 Improper Data Forwarding OS related aspects
+ ============= ======================== ==================
+
+Usage Guidelines
+----------------
+Applications can call ``prctl(2)`` with one of these two arguments
+
+1. PR_SET_L1D_FLUSH - flush the L1D cache on context switch (out)
+2. PR_GET_L1D_FLUSH - get the current state of the L1D cache flush, returns 1
+ if set and 0 if not set.
+
+**NOTE**: The feature is disabled by default, applications need to
+specifically opt into the feature to enable it.
+
+Mitigation
+----------
+
+When PR_SET_L1D_FLUSH is enabled for a task a flush of the L1D cache is
+performed when the task is scheduled out and the incoming task belongs to a
+different process and therefore to a different address space.
+
+If the underlying CPU supports L1D flushing in hardware, the hardware
+mechanism is used, otherwise a software fallback, similar to the L1TF
+mitigation, is invoked.
+
+Limitations
+-----------
+
+The mechanism does not mitigate L1D data leaks between tasks belonging to
+different processes which are concurrently executing on sibling threads of
+a physical CPU core when SMT is enabled on the system.
+
+This can be addressed by controlled placement of processes on physical CPU
+cores or by disabling SMT. See the relevant chapter in the L1TF mitigation
+document: :ref:`Documentation/admin-guide/hw-vuln/l1tf.rst <smt_control>`.
next prev parent reply other threads:[~2020-05-13 13:33 UTC|newest]
Thread overview: 26+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-05-10 1:47 [PATCH v6 0/6] Optionally flush L1D on context switch Balbir Singh
2020-05-10 1:47 ` [PATCH v6 1/6] arch/x86/kvm: Refactor l1d flush lifecycle management Balbir Singh
2020-05-13 13:35 ` Thomas Gleixner
2020-05-14 8:23 ` Singh, Balbir
2020-05-13 13:53 ` Thomas Gleixner
2020-05-14 8:25 ` Singh, Balbir
2020-05-22 9:32 ` [tip: x86/mm] x86/kvm: Refactor L1D flush page management tip-bot2 for Balbir Singh
2020-05-10 1:47 ` [PATCH v6 2/6] arch/x86/kvm: Refactor tlbflush and l1d flush Balbir Singh
2020-05-22 9:32 ` [tip: x86/mm] x86/kvm: Refactor L1D flush operations tip-bot2 for Balbir Singh
2020-05-10 1:48 ` [PATCH v6 3/6] arch/x86/mm: Refactor cond_ibpb() to support other use cases Balbir Singh
2020-05-13 14:16 ` Thomas Gleixner
2020-05-22 9:32 ` [tip: x86/mm] x86/mm: " tip-bot2 for Balbir Singh
2020-09-16 13:11 ` [tip: x86/pti] " tip-bot2 for Balbir Singh
2020-05-10 1:48 ` [PATCH v6 4/6] arch/x86/kvm: Refactor L1D flushing Balbir Singh
2020-05-22 9:32 ` [tip: x86/mm] x86/kvm: " tip-bot2 for Balbir Singh
2020-05-10 1:48 ` [PATCH v6 5/6] Optionally flush L1D on context switch Balbir Singh
2020-05-13 15:04 ` Thomas Gleixner
2020-05-14 8:23 ` Singh, Balbir
2020-05-13 15:27 ` Thomas Gleixner
2020-05-14 21:28 ` Singh, Balbir
2020-05-13 16:16 ` Thomas Gleixner
2020-05-14 7:43 ` Singh, Balbir
2020-05-14 11:33 ` Thomas Gleixner
2020-05-10 1:48 ` [PATCH v6 6/6] Documentation: Add L1D flushing Documentation Balbir Singh
2020-05-13 13:33 ` Thomas Gleixner [this message]
2020-05-14 1:12 ` Singh, Balbir
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=87r1vo2c46.fsf@nanos.tec.linutronix.de \
--to=tglx@linutronix.de \
--cc=benh@kernel.crashing.org \
--cc=dave.hansen@intel.com \
--cc=jpoimboe@redhat.com \
--cc=keescook@chromium.org \
--cc=linux-kernel@vger.kernel.org \
--cc=sblbir@amazon.com \
--cc=thomas.lendacky@amd.com \
--cc=tony.luck@intel.com \
--cc=x86@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).