From: Thomas Gleixner <tglx@linutronix.de>
To: Tim Chen <tim.c.chen@linux.intel.com>
Cc: Jiri Kosina <jikos@kernel.org>,
Tom Lendacky <thomas.lendacky@amd.com>,
Ingo Molnar <mingo@redhat.com>,
Peter Zijlstra <peterz@infradead.org>,
Josh Poimboeuf <jpoimboe@redhat.com>,
Andrea Arcangeli <aarcange@redhat.com>,
David Woodhouse <dwmw@amazon.co.uk>,
Andi Kleen <ak@linux.intel.com>,
Dave Hansen <dave.hansen@intel.com>,
Casey Schaufler <casey.schaufler@intel.com>,
Asit Mallick <asit.k.mallick@intel.com>,
Arjan van de Ven <arjan@linux.intel.com>,
Jon Masters <jcm@redhat.com>, Waiman Long <longman9394@gmail.com>,
LKML <linux-kernel@vger.kernel.org>,
x86@kernel.org, Kees Cook <keescook@chromium.org>
Subject: Re: [Patch v4 17/18] x86/speculation: Update SPEC_CTRL MSRs of remote CPUs
Date: Tue, 6 Nov 2018 08:46:35 +0100 (CET) [thread overview]
Message-ID: <alpine.DEB.2.21.1811060139090.1659@nanos.tec.linutronix.de> (raw)
In-Reply-To: <81398b26-e1c3-aac3-b44a-2a0982ae74e0@linux.intel.com>
Tim,
On Mon, 5 Nov 2018, Tim Chen wrote:
> > Aside of the condition being pointless in that case, that issues an IPI
> > whether the task is running or not. So this allows a task to issue tons of
> > async IPIs disturbing others by toggling the control.
>
> I'm not crazy about sending IPIs too. Hence the original implementation
> using TIF_UPDATE_SPEC_CTRL flag.
which has it's own problems of bloating the context switch code.
> I've thought a bit about the options you suggested and was unclear
> on a few things.
>
> > 1) Restrict the PRCTL control so it is only possible to modify it at the
> > point where the application is still single threaded.
>
> My understanding is PRCTL applied on the task only. Should it be extended
> to other task threads? In that case, it seems like we didn't do that for SSBD?
Right, we did not.
This was discussed back then already and we agreed on avoiding the
complexity for this and only allow task scope. Though the child tasks will
inherit the TIF flag.
> > 2) Add _TIF_UPDATE_SPEC_CTRL to the SYSCALL_EXIT_WORK_FLAGS and handle it
> > in the slow work path.
>
> There can be tasks that don't do any syscalls, and it seems like we can
> have MSRs getting out of sync?
Setting the TIF flag directly in a remote task is wrong. It needs to be
handled when the _TIF_UPDATE_SPEC_CTRL is evaluated, i.e. the information
needs to be stored process wide e.g. in task->mm.
But yes, if the remote task runs in user space forever, it won't
help. Though the point is that dumpable is usually set when the process
starts, so it's probably mostly a theoretical issue.
> > I'm less and less convinced that piggybacking this on dumpable is a good
> > idea.
>
> There are daemons like sshd that are non-dumpable. So I think protecting
> them is desired. Otherwise all those daemons will need to be updated to
> use PRCTL. In the original implementation, IBPB is issued for
> non-dumpable task. It will be nice to retain that.
A lot of things are nice to have, but you really have to carefully weigh
the tradeoff between the conveniance and the complexity plus the fast path
bloat it creates.
IBPB is a different thing as it writes into a different MSR and there is no
requirement to have the MSR access coordinated with the SSB handling in
switch_to().
As dumpable is evaluated in switch_mm() already it might be worthwhile to
evaluate whether the STIBP propagation can be tied to that. That does not
solve the problem of tasks running in user space forever, but we don't care
about that for IBPB either and as I said above it's mostly a theoretical
problem.
Thanks,
tglx
next prev parent reply other threads:[~2018-11-06 7:46 UTC|newest]
Thread overview: 43+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-10-30 18:49 [Patch v4 00/18] Provide process property based options to enable Spectre v2 userspace-userspace protection* Tim Chen
2018-10-30 18:49 ` [Patch v4 01/18] x86/speculation: Clean up spectre_v2_parse_cmdline() Tim Chen
2018-10-30 18:49 ` [Patch v4 02/18] x86/speculation: Remove unnecessary ret variable in cpu_show_common() Tim Chen
2018-10-30 18:49 ` [Patch v4 03/18] x86/speculation: Reorganize cpu_show_common() Tim Chen
2018-11-03 18:07 ` Thomas Gleixner
2018-11-05 19:12 ` Tim Chen
2018-11-05 19:17 ` Thomas Gleixner
2018-10-30 18:49 ` [Patch v4 04/18] x86/speculation: Add X86_FEATURE_USE_IBRS_ENHANCED Tim Chen
2018-10-30 18:49 ` [Patch v4 05/18] x86/speculation: Disable STIBP when enhanced IBRS is in use Tim Chen
2018-10-30 18:49 ` [Patch v4 06/18] smt: Create cpu_smt_enabled static key for SMT specific code Tim Chen
2018-10-30 18:49 ` [Patch v4 07/18] x86/smt: Convert cpu_smt_control check to cpu_smt_enabled static key Tim Chen
2018-11-03 18:29 ` Thomas Gleixner
2018-11-08 1:43 ` Tim Chen
2018-11-08 11:18 ` Thomas Gleixner
2018-10-30 18:49 ` [Patch v4 08/18] sched: Deprecate sched_smt_present and use " Tim Chen
2018-11-03 18:20 ` Thomas Gleixner
2018-11-09 22:08 ` Tim Chen
2018-10-30 18:49 ` [Patch v4 09/18] x86/speculation: Rename SSBD update functions Tim Chen
2018-10-30 18:49 ` [Patch v4 10/18] x86/speculation: Reorganize speculation control MSRs update Tim Chen
2018-10-30 18:49 ` [Patch v4 11/18] x86/speculation: Update comment on TIF_SSBD Tim Chen
2018-10-30 18:49 ` [Patch v4 12/18] x86: Group thread info flags by functionality Tim Chen
2018-10-30 18:49 ` [Patch v4 13/18] security: Update security level of a process when modifying its dumpability Tim Chen
2018-10-30 20:57 ` Schaufler, Casey
2018-10-30 21:30 ` Tim Chen
2018-10-30 21:53 ` Schaufler, Casey
2018-10-30 18:49 ` [Patch v4 14/18] x86/speculation: Turn on or off STIBP according to a task's TIF_STIBP Tim Chen
2018-10-30 18:49 ` [Patch v4 15/18] x86/speculation: Add Spectre v2 app to app protection modes Tim Chen
2018-10-30 18:49 ` [Patch v4 16/18] x86/speculation: Enable STIBP to protect security sensitive tasks Tim Chen
2018-10-30 21:07 ` Schaufler, Casey
2018-10-30 21:34 ` Tim Chen
2018-10-30 22:02 ` Schaufler, Casey
2018-10-30 18:49 ` [Patch v4 17/18] x86/speculation: Update SPEC_CTRL MSRs of remote CPUs Tim Chen
2018-11-04 19:49 ` Thomas Gleixner
2018-11-05 22:02 ` Tim Chen
2018-11-05 23:04 ` Thomas Gleixner
2018-11-05 23:59 ` Tim Chen
2018-11-06 7:46 ` Thomas Gleixner [this message]
2018-11-07 0:18 ` Tim Chen
2018-11-07 18:33 ` Waiman Long
2018-11-07 23:15 ` Tim Chen
2018-11-07 23:03 ` Thomas Gleixner
2018-11-08 0:22 ` Tim Chen
2018-10-30 18:49 ` [Patch v4 18/18] x86/speculation: Create PRCTL interface to restrict indirect branch speculation Tim Chen
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=alpine.DEB.2.21.1811060139090.1659@nanos.tec.linutronix.de \
--to=tglx@linutronix.de \
--cc=aarcange@redhat.com \
--cc=ak@linux.intel.com \
--cc=arjan@linux.intel.com \
--cc=asit.k.mallick@intel.com \
--cc=casey.schaufler@intel.com \
--cc=dave.hansen@intel.com \
--cc=dwmw@amazon.co.uk \
--cc=jcm@redhat.com \
--cc=jikos@kernel.org \
--cc=jpoimboe@redhat.com \
--cc=keescook@chromium.org \
--cc=linux-kernel@vger.kernel.org \
--cc=longman9394@gmail.com \
--cc=mingo@redhat.com \
--cc=peterz@infradead.org \
--cc=thomas.lendacky@amd.com \
--cc=tim.c.chen@linux.intel.com \
--cc=x86@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).