From: Thomas Gleixner <tglx@linutronix.de>
To: Pavel Machek <pavel@ucw.cz>
Cc: corbet@lwn.net, LKML <linux-kernel@vger.kernel.org>,
Linus Torvalds <torvalds@linux-foundation.org>,
x86@kernel.org, Peter Zijlstra <peterz@infradead.org>,
Jiri Kosina <jkosina@suse.cz>,
Josh Poimboeuf <jpoimboe@redhat.com>,
Dave Hansen <dave.hansen@linux.intel.com>,
Andy Lutomirski <luto@kernel.org>,
Greg KH <gregkh@linuxfoundation.org>,
Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>,
David Woodhouse <dwmw2@infradead.org>,
Tom Lendacky <thomas.lendacky@amd.com>,
Paolo Bonzini <pbonzini@redhat.com>,
Joerg Roedel <joro@8bytes.org>, Tony Luck <tony.luck@intel.com>,
Salvatore Bonaccorso <carnil@debian.org>,
linux-doc@vger.kernel.org
Subject: Re: [patch] Fix up l1ft documentation was Re: Taking a break - time to look back
Date: Mon, 11 Mar 2019 23:31:08 +0100 (CET) [thread overview]
Message-ID: <alpine.DEB.2.21.1903112211180.1651@nanos.tec.linutronix.de> (raw)
In-Reply-To: <20190311131341.GA28223@amd>
Pavel,
On Mon, 11 Mar 2019, Pavel Machek wrote:
> On Mon 2019-03-11 14:05:07, Thomas Gleixner wrote:
> > Huch? Care to tell what's a lie instead of making bold statements?
>
> Take a care to look at the patch I submitted?
>
> Lie:
>
> # A system with an up to date kernel is protected against attacks from
> # malicious user space applications.
>
> 3GB system running 32bit kernel is not protected. Same is true for for
> really big 64bit systems.
I agree that this statement is incorrect.
Calling this a lie is a completly unjustified personal attack on those who
spent quite a lot of time on writing up documentation in the first
place. It's suggesting that this document was written with malicious intent
and the purpose of deceiving someone. Care to explain why you are assuming
this to be the case?
> If I do what dmesg suggests, this becomes untrue:
>
> # The Linux kernel contains a mitigation for this attack vector, PTE
> # inversion, which is permanently enabled and has no performance
> # impact.
>
> Limiting memory to 2GB _is_ going to have severe perfomance impact.
Sure. That still does not justify the "changelog" you provided.
> commit 9664b4dabdb132433a6843aefe05814953f1342f
> Author: Pavel <pavel@ucw.cz>
> Date: Thu Jan 3 00:48:40 2019 +0100
>
> Ok, I guess L1TF was a lot of fun, and there was not time for a good
> documentation.
It's interesting that quite some people were actually happy about that
document. Sorry, that we weren't able to live up to your high standards.
> There's admin guide that is written as an advertisment, and
What is the advertisement part again?
> unfortunately is slightly "inaccurate" at places (to the point of
> lying).
>
> Plus, I believe it should go to x86/ directory, as this is really
> Intel issue, and not anything ARM (or RISC-V) people need to know.
It's a document targeted at system administrators and it definitely should
not be burried somewhere in Documentation/x86. As there are more documents
being worked on for the other issues, I have a patch ready which moves that
stuff into a separate hardware vulnerabilites folder in the admin-guide.
FWIW, to the best of my knowledge the documentation about writing
changelogs is neither incorrect nor is it optional to adhere to it.
> @@ -1,10 +1,11 @@
> L1TF - L1 Terminal Fault
> ========================
>
> -L1 Terminal Fault is a hardware vulnerability which allows unprivileged
> -speculative access to data which is available in the Level 1 Data Cache
> -when the page table entry controlling the virtual address, which is used
> -for the access, has the Present bit cleared or other reserved bits set.
> +L1 Terminal Fault is a hardware vulnerability on most recent Intel x86
The 'Affected processors' section right below this is very clear about this
being an Intel only issue (for now). So what exactly is the point of this
change?
> +CPUs which allows unprivileged speculative access to data which is
> +available in the Level 1 Data Cache when the page table entry
> +controlling the virtual address, which is used for the access, has the
> +Present bit cleared or other reserved bits set.
>
> Affected processors
> -------------------
> @@ -76,12 +77,14 @@ Attack scenarios
> deterministic and more practical.
>
> The Linux kernel contains a mitigation for this attack vector, PTE
> - inversion, which is permanently enabled and has no performance
> - impact. The kernel ensures that the address bits of PTEs, which are not
> - marked present, never point to cacheable physical memory space.
> -
> - A system with an up to date kernel is protected against attacks from
> - malicious user space applications.
> + inversion, which is permanently enabled and has no measurable
> + performance impact in most configurations. The kernel ensures that
> + the address bits of PTEs, which are not marked present, never point
> + to cacheable physical memory space. On x86-32, this physical memory
On x86-32? That's incorrect, because there are a lot of x86-32 systems
which are not affected. Also it has nothing to do with the bit-width of the
hardware. A 32bit kernel booted on a 64bit capable CPU has the same issue.
For further correctness, this needs to mention that !PAE enabled kernels
cannot do PTE inversion at all.
> + needs to be limited to 2GiB to make mitigation effective.
The 2G limitation is not a general limitation. The limitation depends on
the number of physical address bits supported by the cache (not the number
of physical addresss bits exposed as pins) and is definitely not hardcoded
to 2G. Just because your machine emits the 2G number does not make it
universally correct. On a system with 36bit physical address space the
limit is 32G and on some CPUs that's actually wrong as well, see:
override_cache_bits().
Quoting yourself:
> 3GB system running 32bit kernel is not protected. Same is true for for
> really big 64bit systems.
Where is the explanation for the 'really big 64bit systems' issue for
correctness sake?
Thanks,
tglx
next prev parent reply other threads:[~2019-03-11 22:31 UTC|newest]
Thread overview: 11+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-12-20 0:46 Taking a break - time to look back Thomas Gleixner
2018-12-20 5:26 ` Willy Tarreau
2019-01-02 23:51 ` [patch] Fix up l1ft documentation was " Pavel Machek
2019-03-11 10:21 ` Pavel Machek
2019-03-11 13:05 ` Thomas Gleixner
2019-03-11 13:13 ` Pavel Machek
2019-03-11 22:31 ` Thomas Gleixner [this message]
2019-03-12 11:57 ` Pavel Machek
2019-03-24 20:41 ` Thomas Gleixner
2019-08-28 22:18 ` Pavel Machek
2019-03-11 14:38 ` Jonathan Corbet
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=alpine.DEB.2.21.1903112211180.1651@nanos.tec.linutronix.de \
--to=tglx@linutronix.de \
--cc=carnil@debian.org \
--cc=corbet@lwn.net \
--cc=dave.hansen@linux.intel.com \
--cc=dwmw2@infradead.org \
--cc=gregkh@linuxfoundation.org \
--cc=jkosina@suse.cz \
--cc=joro@8bytes.org \
--cc=jpoimboe@redhat.com \
--cc=konrad.wilk@oracle.com \
--cc=linux-doc@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=luto@kernel.org \
--cc=pavel@ucw.cz \
--cc=pbonzini@redhat.com \
--cc=peterz@infradead.org \
--cc=thomas.lendacky@amd.com \
--cc=tony.luck@intel.com \
--cc=torvalds@linux-foundation.org \
--cc=x86@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).