From: Jiri Kosina <jikos@kernel.org>
To: Thomas Gleixner <tglx@linutronix.de>,
Ingo Molnar <mingo@redhat.com>,
Peter Zijlstra <peterz@infradead.org>,
Josh Poimboeuf <jpoimboe@redhat.com>,
Andrea Arcangeli <aarcange@redhat.com>,
"Woodhouse, David" <dwmw@amazon.co.uk>,
Andi Kleen <ak@linux.intel.com>,
Tim Chen <tim.c.chen@linux.intel.com>,
"Schaufler, Casey" <casey.schaufler@intel.com>
Cc: linux-kernel@vger.kernel.org, x86@kernel.org
Subject: [PATCH v6 0/3] Harden spectrev2 userspace-userspace protection
Date: Wed, 12 Sep 2018 11:05:20 +0200 (CEST) [thread overview]
Message-ID: <nycvar.YFH.7.76.1809121055070.15880@cbobk.fhfr.pm> (raw)
In-Reply-To: <nycvar.YFH.7.76.1809101119280.15880@cbobk.fhfr.pm>
Currently, linux kernel is basically not preventing userspace-userspace
spectrev2 attack, because:
- IBPB is basically unused (issued only for tasks that marked themselves
explicitly non-dumpable, which is absolutely negligible minority of all
software out there), therefore cross-process branch buffer posioning
using spectrev2 is possible
- STIBP is completely unused, therefore cross-process branch buffer
poisoning using spectrev2 between processess running on two HT siblings
thread s is possible
This patchset changes IBPB semantics, so that it's now applied whenever
context-switching between processess that can't use ptrace() to achieve
the same. This admittedly comes with extra overhad on a context switch;
systems that don't care about could disable the mitigation using
nospectre_v2 boot option.
The IBPB implementaion is heavily based on original patches by Tim Chen.
In addition to that, we unconditionally turn STIBP on so that HT siblings
always have separate branch buffers.
We've been carrying IBPB implementation with the same semantics in our
(SUSE) trees since january disclosure; STIBP was more or less ignored up
to today.
v1->v2:
include IBPB changes
v2->v3:
fix IBPB 'who can trace who' semantics
wire up STIBP flipping to SMT hotplug
v3->v4:
dropped ___ptrace_may_access(), as it's not needed
fixed deadlock with LSM/audit/selinux (Andrea Arcangeli)
statically patch out the ptrace check if !IBPB
v4->v5:
fix MSR writing logic (Thomas Gleixner, Josh Poimboeuf)
v5->v6:
propagate X86_FEATURE_RSB_CTXSW setting to sysfs
propagate STIBP setting to sysfs (Thomas Gleixner)
simplify arch_smt_update() (Thomas Gleixner)
Jiri Kosina (3):
x86/speculation: apply IBPB more strictly to avoid cross-process data leak
x86/speculation: Enable cross-hyperthread spectre v2 STIBP mitigation
x86/speculation: Propagate information about RSB filling mitigation to sysfs
arch/x86/kernel/cpu/bugs.c | 60 ++++++++++++++++++++++++++++++++++++++++++++++++++++++------
arch/x86/mm/tlb.c | 31 ++++++++++++++++++++-----------
include/linux/ptrace.h | 4 ++++
kernel/cpu.c | 11 ++++++++++-
kernel/ptrace.c | 12 ++++++++----
5 files changed, 96 insertions(+), 22 deletions(-)
--
Jiri Kosina
SUSE Labs
next prev parent reply other threads:[~2018-09-12 9:05 UTC|newest]
Thread overview: 46+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-09-10 9:22 [PATCH v5 0/2] Harden spectrev2 userspace-userspace protection Jiri Kosina
2018-09-10 9:23 ` [PATCH v5 1/2] x86/speculation: apply IBPB more strictly to avoid cross-process data leak Jiri Kosina
2018-09-10 18:26 ` Schaufler, Casey
2018-09-10 19:14 ` Jiri Kosina
2018-09-10 19:26 ` Schaufler, Casey
2018-09-10 19:36 ` Jiri Kosina
2018-09-10 20:27 ` Schaufler, Casey
2018-09-10 20:42 ` Jiri Kosina
2018-09-10 21:29 ` Schaufler, Casey
2018-09-10 21:36 ` Jiri Kosina
2018-09-11 21:15 ` Thomas Gleixner
2018-09-11 22:25 ` Schaufler, Casey
2018-09-12 12:01 ` Thomas Gleixner
2018-10-21 19:38 ` Pavel Machek
2018-10-21 23:32 ` Jiri Kosina
2018-09-10 9:24 ` [PATCH v5 2/2] x86/speculation: Enable cross-hyperthread spectre v2 STIBP mitigation Jiri Kosina
2018-09-10 10:04 ` Thomas Gleixner
2018-09-10 11:01 ` Jiri Kosina
2018-09-10 11:46 ` Jiri Kosina
2018-09-11 17:32 ` Tim Chen
2018-09-11 21:16 ` Thomas Gleixner
2018-09-11 21:46 ` Thomas Gleixner
2018-09-12 17:16 ` Tom Lendacky
2018-09-12 21:26 ` Tim Chen
2018-09-12 21:45 ` Jiri Kosina
2018-09-12 22:56 ` Tim Chen
2018-09-13 14:53 ` Tom Lendacky
2018-09-12 9:05 ` Jiri Kosina [this message]
2018-09-12 9:06 ` [PATCH v6 1/3] x86/speculation: apply IBPB more strictly to avoid cross-process data leak Jiri Kosina
2018-09-13 0:04 ` Schaufler, Casey
2018-09-14 11:00 ` Jiri Kosina
2018-09-14 11:05 ` Thomas Gleixner
2018-09-12 9:07 ` [PATCH v6 2/3] x86/speculation: Enable cross-hyperthread spectre v2 STIBP mitigation Jiri Kosina
2018-09-12 19:14 ` Thomas Gleixner
2018-09-12 19:16 ` Jiri Kosina
2018-09-12 9:08 ` [PATCH v6 3/3] x86/speculation: Propagate information about RSB filling mitigation to sysfs Jiri Kosina
2018-09-17 16:09 ` [PATCH v6 0/3] Harden spectrev2 userspace-userspace protection Schaufler, Casey
2018-09-19 15:48 ` Peter Zijlstra
2018-09-22 7:38 ` Jiri Kosina
2018-09-22 9:53 ` Thomas Gleixner
2018-09-22 10:18 ` Peter Zijlstra
2018-09-22 10:20 ` Thomas Gleixner
2018-09-22 13:30 ` Thomas Gleixner
2018-09-22 14:31 ` Peter Zijlstra
2018-09-24 8:43 ` Jiri Kosina
2018-09-24 12:38 ` Thomas Gleixner
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=nycvar.YFH.7.76.1809121055070.15880@cbobk.fhfr.pm \
--to=jikos@kernel.org \
--cc=aarcange@redhat.com \
--cc=ak@linux.intel.com \
--cc=casey.schaufler@intel.com \
--cc=dwmw@amazon.co.uk \
--cc=jpoimboe@redhat.com \
--cc=linux-kernel@vger.kernel.org \
--cc=mingo@redhat.com \
--cc=peterz@infradead.org \
--cc=tglx@linutronix.de \
--cc=tim.c.chen@linux.intel.com \
--cc=x86@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).