LKML Archive on lore.kernel.org
 help / color / Atom feed
From: tip-bot for Thomas Gleixner <tipbot@zytor.com>
To: linux-tip-commits@vger.kernel.org
Cc: peterz@infradead.org, tglx@linutronix.de,
	linux-kernel@vger.kernel.org, arjan@linux.intel.com,
	thomas.lendacky@amd.com, jkosina@suse.cz, aarcange@redhat.com,
	jpoimboe@redhat.com, keescook@chromium.org, mingo@kernel.org,
	ak@linux.intel.com, david.c.stewart@intel.com,
	longman9394@gmail.com, gregkh@linuxfoundation.org,
	jcm@redhat.com, dave.hansen@intel.com, dwmw@amazon.co.uk,
	tim.c.chen@linux.intel.com, hpa@zytor.com,
	asit.k.mallick@intel.com, casey.schaufler@intel.com,
	luto@kernel.org, torvalds@linux-foundation.org
Subject: [tip:x86/pti] x86/speculation: Add seccomp Spectre v2 user space protection mode
Date: Wed, 28 Nov 2018 06:35:58 -0800
Message-ID: <tip-6b3e64c237c072797a9ec918654a60e3a46488e2@git.kernel.org> (raw)
In-Reply-To: <20181125185006.051663132@linutronix.de>

Commit-ID:  6b3e64c237c072797a9ec918654a60e3a46488e2
Gitweb:     https://git.kernel.org/tip/6b3e64c237c072797a9ec918654a60e3a46488e2
Author:     Thomas Gleixner <tglx@linutronix.de>
AuthorDate: Sun, 25 Nov 2018 19:33:55 +0100
Committer:  Thomas Gleixner <tglx@linutronix.de>
CommitDate: Wed, 28 Nov 2018 11:57:14 +0100

x86/speculation: Add seccomp Spectre v2 user space protection mode

If 'prctl' mode of user space protection from spectre v2 is selected
on the kernel command-line, STIBP and IBPB are applied on tasks which
restrict their indirect branch speculation via prctl.

SECCOMP enables the SSBD mitigation for sandboxed tasks already, so it
makes sense to prevent spectre v2 user space to user space attacks as
well.

The Intel mitigation guide documents how STIPB works:
    
   Setting bit 1 (STIBP) of the IA32_SPEC_CTRL MSR on a logical processor
   prevents the predicted targets of indirect branches on any logical
   processor of that core from being controlled by software that executes
   (or executed previously) on another logical processor of the same core.

Ergo setting STIBP protects the task itself from being attacked from a task
running on a different hyper-thread and protects the tasks running on
different hyper-threads from being attacked.

While the document suggests that the branch predictors are shielded between
the logical processors, the observed performance regressions suggest that
STIBP simply disables the branch predictor more or less completely. Of
course the document wording is vague, but the fact that there is also no
requirement for issuing IBPB when STIBP is used points clearly in that
direction. The kernel still issues IBPB even when STIBP is used until Intel
clarifies the whole mechanism.

IBPB is issued when the task switches out, so malicious sandbox code cannot
mistrain the branch predictor for the next user space task on the same
logical processor.

Signed-off-by: Jiri Kosina <jkosina@suse.cz>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Reviewed-by: Ingo Molnar <mingo@kernel.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Andy Lutomirski <luto@kernel.org>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Tom Lendacky <thomas.lendacky@amd.com>
Cc: Josh Poimboeuf <jpoimboe@redhat.com>
Cc: Andrea Arcangeli <aarcange@redhat.com>
Cc: David Woodhouse <dwmw@amazon.co.uk>
Cc: Tim Chen <tim.c.chen@linux.intel.com>
Cc: Andi Kleen <ak@linux.intel.com>
Cc: Dave Hansen <dave.hansen@intel.com>
Cc: Casey Schaufler <casey.schaufler@intel.com>
Cc: Asit Mallick <asit.k.mallick@intel.com>
Cc: Arjan van de Ven <arjan@linux.intel.com>
Cc: Jon Masters <jcm@redhat.com>
Cc: Waiman Long <longman9394@gmail.com>
Cc: Greg KH <gregkh@linuxfoundation.org>
Cc: Dave Stewart <david.c.stewart@intel.com>
Cc: Kees Cook <keescook@chromium.org>
Cc: stable@vger.kernel.org
Link: https://lkml.kernel.org/r/20181125185006.051663132@linutronix.de


---
 Documentation/admin-guide/kernel-parameters.txt |  9 ++++++++-
 arch/x86/include/asm/nospec-branch.h            |  1 +
 arch/x86/kernel/cpu/bugs.c                      | 17 ++++++++++++++++-
 3 files changed, 25 insertions(+), 2 deletions(-)

diff --git a/Documentation/admin-guide/kernel-parameters.txt b/Documentation/admin-guide/kernel-parameters.txt
index a9b98a4e8789..f405281bb202 100644
--- a/Documentation/admin-guide/kernel-parameters.txt
+++ b/Documentation/admin-guide/kernel-parameters.txt
@@ -4241,9 +4241,16 @@
 				  per thread.  The mitigation control state
 				  is inherited on fork.
 
+			seccomp
+				- Same as "prctl" above, but all seccomp
+				  threads will enable the mitigation unless
+				  they explicitly opt out.
+
 			auto    - Kernel selects the mitigation depending on
 				  the available CPU features and vulnerability.
-				  Default is prctl.
+
+			Default mitigation:
+			If CONFIG_SECCOMP=y then "seccomp", otherwise "prctl"
 
 			Not specifying this option is equivalent to
 			spectre_v2_user=auto.
diff --git a/arch/x86/include/asm/nospec-branch.h b/arch/x86/include/asm/nospec-branch.h
index 2adbe7b047fa..032b6009baab 100644
--- a/arch/x86/include/asm/nospec-branch.h
+++ b/arch/x86/include/asm/nospec-branch.h
@@ -233,6 +233,7 @@ enum spectre_v2_user_mitigation {
 	SPECTRE_V2_USER_NONE,
 	SPECTRE_V2_USER_STRICT,
 	SPECTRE_V2_USER_PRCTL,
+	SPECTRE_V2_USER_SECCOMP,
 };
 
 /* The Speculative Store Bypass disable variants */
diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c
index d0137d10f9a6..c9e304960534 100644
--- a/arch/x86/kernel/cpu/bugs.c
+++ b/arch/x86/kernel/cpu/bugs.c
@@ -256,12 +256,14 @@ enum spectre_v2_user_cmd {
 	SPECTRE_V2_USER_CMD_AUTO,
 	SPECTRE_V2_USER_CMD_FORCE,
 	SPECTRE_V2_USER_CMD_PRCTL,
+	SPECTRE_V2_USER_CMD_SECCOMP,
 };
 
 static const char * const spectre_v2_user_strings[] = {
 	[SPECTRE_V2_USER_NONE]		= "User space: Vulnerable",
 	[SPECTRE_V2_USER_STRICT]	= "User space: Mitigation: STIBP protection",
 	[SPECTRE_V2_USER_PRCTL]		= "User space: Mitigation: STIBP via prctl",
+	[SPECTRE_V2_USER_SECCOMP]	= "User space: Mitigation: STIBP via seccomp and prctl",
 };
 
 static const struct {
@@ -273,6 +275,7 @@ static const struct {
 	{ "off",	SPECTRE_V2_USER_CMD_NONE,	false },
 	{ "on",		SPECTRE_V2_USER_CMD_FORCE,	true  },
 	{ "prctl",	SPECTRE_V2_USER_CMD_PRCTL,	false },
+	{ "seccomp",	SPECTRE_V2_USER_CMD_SECCOMP,	false },
 };
 
 static void __init spec_v2_user_print_cond(const char *reason, bool secure)
@@ -332,10 +335,16 @@ spectre_v2_user_select_mitigation(enum spectre_v2_mitigation_cmd v2_cmd)
 	case SPECTRE_V2_USER_CMD_FORCE:
 		mode = SPECTRE_V2_USER_STRICT;
 		break;
-	case SPECTRE_V2_USER_CMD_AUTO:
 	case SPECTRE_V2_USER_CMD_PRCTL:
 		mode = SPECTRE_V2_USER_PRCTL;
 		break;
+	case SPECTRE_V2_USER_CMD_AUTO:
+	case SPECTRE_V2_USER_CMD_SECCOMP:
+		if (IS_ENABLED(CONFIG_SECCOMP))
+			mode = SPECTRE_V2_USER_SECCOMP;
+		else
+			mode = SPECTRE_V2_USER_PRCTL;
+		break;
 	}
 
 	/* Initialize Indirect Branch Prediction Barrier */
@@ -347,6 +356,7 @@ spectre_v2_user_select_mitigation(enum spectre_v2_mitigation_cmd v2_cmd)
 			static_branch_enable(&switch_mm_always_ibpb);
 			break;
 		case SPECTRE_V2_USER_PRCTL:
+		case SPECTRE_V2_USER_SECCOMP:
 			static_branch_enable(&switch_mm_cond_ibpb);
 			break;
 		default:
@@ -591,6 +601,7 @@ void arch_smt_update(void)
 		update_stibp_strict();
 		break;
 	case SPECTRE_V2_USER_PRCTL:
+	case SPECTRE_V2_USER_SECCOMP:
 		update_indir_branch_cond();
 		break;
 	}
@@ -833,6 +844,8 @@ void arch_seccomp_spec_mitigate(struct task_struct *task)
 {
 	if (ssb_mode == SPEC_STORE_BYPASS_SECCOMP)
 		ssb_prctl_set(task, PR_SPEC_FORCE_DISABLE);
+	if (spectre_v2_user == SPECTRE_V2_USER_SECCOMP)
+		ib_prctl_set(task, PR_SPEC_FORCE_DISABLE);
 }
 #endif
 
@@ -864,6 +877,7 @@ static int ib_prctl_get(struct task_struct *task)
 	case SPECTRE_V2_USER_NONE:
 		return PR_SPEC_ENABLE;
 	case SPECTRE_V2_USER_PRCTL:
+	case SPECTRE_V2_USER_SECCOMP:
 		if (task_spec_ib_force_disable(task))
 			return PR_SPEC_PRCTL | PR_SPEC_FORCE_DISABLE;
 		if (task_spec_ib_disable(task))
@@ -1063,6 +1077,7 @@ static char *stibp_state(void)
 	case SPECTRE_V2_USER_STRICT:
 		return ", STIBP: forced";
 	case SPECTRE_V2_USER_PRCTL:
+	case SPECTRE_V2_USER_SECCOMP:
 		if (static_key_enabled(&switch_to_cond_stibp))
 			return ", STIBP: conditional";
 	}

  parent reply index

Thread overview: 112+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2018-11-25 18:33 [patch V2 00/28] x86/speculation: Remedy the STIBP/IBPB overhead Thomas Gleixner
2018-11-25 18:33 ` [patch V2 01/28] x86/speculation: Update the TIF_SSBD comment Thomas Gleixner
2018-11-28 14:20   ` [tip:x86/pti] " tip-bot for Tim Chen
2018-11-29 14:27   ` [patch V2 01/28] " Konrad Rzeszutek Wilk
2018-11-25 18:33 ` [patch V2 02/28] x86/speculation: Clean up spectre_v2_parse_cmdline() Thomas Gleixner
2018-11-28 14:20   ` [tip:x86/pti] " tip-bot for Tim Chen
2018-11-29 14:28   ` [patch V2 02/28] " Konrad Rzeszutek Wilk
2018-11-25 18:33 ` [patch V2 03/28] x86/speculation: Remove unnecessary ret variable in cpu_show_common() Thomas Gleixner
2018-11-28 14:21   ` [tip:x86/pti] " tip-bot for Tim Chen
2018-11-29 14:28   ` [patch V2 03/28] " Konrad Rzeszutek Wilk
2018-11-25 18:33 ` [patch V2 04/28] x86/speculation: Reorganize cpu_show_common() Thomas Gleixner
2018-11-26 15:08   ` Borislav Petkov
2018-11-28 14:22   ` [tip:x86/pti] x86/speculation: Move STIPB/IBPB string conditionals out of cpu_show_common() tip-bot for Tim Chen
2018-11-29 14:29   ` [patch V2 04/28] x86/speculation: Reorganize cpu_show_common() Konrad Rzeszutek Wilk
2018-11-25 18:33 ` [patch V2 05/28] x86/speculation: Disable STIBP when enhanced IBRS is in use Thomas Gleixner
2018-11-28 14:22   ` [tip:x86/pti] " tip-bot for Tim Chen
2018-11-29 14:35   ` [patch V2 05/28] " Konrad Rzeszutek Wilk
2018-11-25 18:33 ` [patch V2 06/28] x86/speculation: Rename SSBD update functions Thomas Gleixner
2018-11-26 15:24   ` Borislav Petkov
2018-11-28 14:23   ` [tip:x86/pti] " tip-bot for Thomas Gleixner
2018-11-29 14:37   ` [patch V2 06/28] " Konrad Rzeszutek Wilk
2018-11-25 18:33 ` [patch V2 07/28] x86/speculation: Reorganize speculation control MSRs update Thomas Gleixner
2018-11-26 15:47   ` Borislav Petkov
2018-11-28 14:23   ` [tip:x86/pti] " tip-bot for Tim Chen
2018-11-29 14:41   ` [patch V2 07/28] " Konrad Rzeszutek Wilk
2018-11-25 18:33 ` [patch V2 08/28] sched/smt: Make sched_smt_present track topology Thomas Gleixner
2018-11-28 14:24   ` [tip:x86/pti] " tip-bot for Peter Zijlstra (Intel)
2018-11-29 14:42   ` [patch V2 08/28] " Konrad Rzeszutek Wilk
2018-11-29 14:50     ` Konrad Rzeszutek Wilk
2018-11-29 15:48       ` Peter Zijlstra
2018-11-25 18:33 ` [patch V2 09/28] x86/Kconfig: Select SCHED_SMT if SMP enabled Thomas Gleixner
2018-11-28 14:24   ` [tip:x86/pti] " tip-bot for Thomas Gleixner
2018-11-29 14:44   ` [patch V2 09/28] " Konrad Rzeszutek Wilk
2018-11-25 18:33 ` [patch V2 10/28] sched/smt: Expose sched_smt_present static key Thomas Gleixner
2018-11-28 14:25   ` [tip:x86/pti] " tip-bot for Thomas Gleixner
2018-11-29 14:44   ` [patch V2 10/28] " Konrad Rzeszutek Wilk
2018-11-25 18:33 ` [patch V2 11/28] x86/speculation: Rework SMT state change Thomas Gleixner
2018-11-28 14:26   ` [tip:x86/pti] " tip-bot for Thomas Gleixner
2018-11-25 18:33 ` [patch V2 12/28] x86/l1tf: Show actual SMT state Thomas Gleixner
2018-11-28 14:26   ` [tip:x86/pti] " tip-bot for Thomas Gleixner
2018-11-25 18:33 ` [patch V2 13/28] x86/speculation: Reorder the spec_v2 code Thomas Gleixner
2018-11-26 22:21   ` Borislav Petkov
2018-11-28 14:27   ` [tip:x86/pti] " tip-bot for Thomas Gleixner
2018-11-25 18:33 ` [patch V2 14/28] x86/speculation: Mark string arrays const correctly Thomas Gleixner
2018-11-28 14:27   ` [tip:x86/pti] " tip-bot for Thomas Gleixner
2018-11-25 18:33 ` [patch V2 15/28] x86/speculataion: Mark command line parser data __initdata Thomas Gleixner
2018-11-28 14:28   ` [tip:x86/pti] " tip-bot for Thomas Gleixner
2018-11-25 18:33 ` [patch V2 16/28] x86/speculation: Unify conditional spectre v2 print functions Thomas Gleixner
2018-11-28 14:29   ` [tip:x86/pti] " tip-bot for Thomas Gleixner
2018-11-25 18:33 ` [patch V2 17/28] x86/speculation: Add command line control for indirect branch speculation Thomas Gleixner
2018-11-28 14:29   ` [tip:x86/pti] " tip-bot for Thomas Gleixner
2018-11-25 18:33 ` [patch V2 18/28] x86/speculation: Prepare for per task indirect branch speculation control Thomas Gleixner
2018-11-27 17:25   ` Lendacky, Thomas
2018-11-27 19:51     ` Tim Chen
2018-11-28  9:39       ` Thomas Gleixner
2018-11-27 20:39     ` Thomas Gleixner
2018-11-27 20:42       ` Thomas Gleixner
2018-11-27 21:52         ` Lendacky, Thomas
2018-11-28 14:30   ` [tip:x86/pti] " tip-bot for Tim Chen
2018-11-25 18:33 ` [patch V2 19/28] x86/process: Consolidate and simplify switch_to_xtra() code Thomas Gleixner
2018-11-26 18:30   ` Borislav Petkov
2018-11-28 14:30   ` [tip:x86/pti] " tip-bot for Thomas Gleixner
2018-11-25 18:33 ` [patch V2 20/28] x86/speculation: Avoid __switch_to_xtra() calls Thomas Gleixner
2018-11-28 14:31   ` [tip:x86/pti] " tip-bot for Thomas Gleixner
2018-11-25 18:33 ` [patch V2 21/28] x86/speculation: Prepare for conditional IBPB in switch_mm() Thomas Gleixner
2018-11-25 19:11   ` Thomas Gleixner
2018-11-25 20:53   ` Andi Kleen
2018-11-25 22:20     ` Thomas Gleixner
2018-11-25 23:04       ` Andy Lutomirski
2018-11-26  7:10         ` Thomas Gleixner
2018-11-26 13:36           ` Ingo Molnar
2018-11-26  3:07       ` Andi Kleen
2018-11-26  6:50         ` Thomas Gleixner
2018-11-28 14:31   ` [tip:x86/pti] " tip-bot for Thomas Gleixner
2018-11-25 18:33 ` [patch V2 22/28] ptrace: Remove unused ptrace_may_access_sched() and MODE_IBRS Thomas Gleixner
2018-11-28 14:32   ` [tip:x86/pti] " tip-bot for Thomas Gleixner
2018-11-25 18:33 ` [patch V2 23/28] x86/speculation: Split out TIF update Thomas Gleixner
2018-11-28 14:33   ` [tip:x86/pti] " tip-bot for Thomas Gleixner
2018-11-25 18:33 ` [patch V2 24/28] x86/speculation: Prepare arch_smt_update() for PRCTL mode Thomas Gleixner
2018-11-27 20:18   ` Lendacky, Thomas
2018-11-27 20:30     ` Thomas Gleixner
2018-11-27 21:20       ` Lendacky, Thomas
2018-11-28 14:34   ` [tip:x86/pti] " tip-bot for Thomas Gleixner
2018-11-25 18:33 ` [patch V2 25/28] x86/speculation: Add prctl() control for indirect branch speculation Thomas Gleixner
2018-11-28 14:34   ` [tip:x86/pti] " tip-bot for Thomas Gleixner
2018-11-25 18:33 ` [patch V2 26/28] x86/speculation: Enable prctl mode for spectre_v2_user Thomas Gleixner
2018-11-26  7:56   ` Dominik Brodowski
2018-11-28 14:35   ` [tip:x86/pti] " tip-bot for Thomas Gleixner
2018-11-25 18:33 ` [patch V2 27/28] x86/speculation: Add seccomp Spectre v2 user space protection mode Thomas Gleixner
2018-11-25 19:35   ` Randy Dunlap
2018-11-25 20:40   ` Linus Torvalds
2018-11-25 20:52     ` Jiri Kosina
2018-11-25 22:28     ` Thomas Gleixner
2018-11-26 13:30       ` Ingo Molnar
2018-11-26 20:48       ` Andrea Arcangeli
2018-11-26 20:58         ` Thomas Gleixner
2018-11-26 21:52           ` Lendacky, Thomas
2018-11-27  0:37             ` Tim Chen
2018-12-04  1:38     ` Tim Chen
2018-12-04  8:39       ` Jiri Kosina
2018-12-04  9:43         ` Arjan van de Ven
2018-12-04  9:46         ` Arjan van de Ven
2018-12-04 17:20       ` Linus Torvalds
2018-12-04 18:58         ` Tim Chen
2018-11-28 14:35   ` tip-bot for Thomas Gleixner [this message]
2018-12-04 18:45   ` Dave Hansen
2018-11-25 18:33 ` [patch V2 28/28] x86/speculation: Provide IBPB always command line options Thomas Gleixner
2018-11-28 14:36   ` [tip:x86/pti] " tip-bot for Thomas Gleixner
2018-11-26 13:37 ` [patch V2 00/28] x86/speculation: Remedy the STIBP/IBPB overhead Ingo Molnar
2018-11-28 14:24 ` Thomas Gleixner
2018-11-29 19:02   ` Tim Chen
2018-12-10 23:43 ` Pavel Machek

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=tip-6b3e64c237c072797a9ec918654a60e3a46488e2@git.kernel.org \
    --to=tipbot@zytor.com \
    --cc=aarcange@redhat.com \
    --cc=ak@linux.intel.com \
    --cc=arjan@linux.intel.com \
    --cc=asit.k.mallick@intel.com \
    --cc=casey.schaufler@intel.com \
    --cc=dave.hansen@intel.com \
    --cc=david.c.stewart@intel.com \
    --cc=dwmw@amazon.co.uk \
    --cc=gregkh@linuxfoundation.org \
    --cc=hpa@zytor.com \
    --cc=jcm@redhat.com \
    --cc=jkosina@suse.cz \
    --cc=jpoimboe@redhat.com \
    --cc=keescook@chromium.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-tip-commits@vger.kernel.org \
    --cc=longman9394@gmail.com \
    --cc=luto@kernel.org \
    --cc=mingo@kernel.org \
    --cc=peterz@infradead.org \
    --cc=tglx@linutronix.de \
    --cc=thomas.lendacky@amd.com \
    --cc=tim.c.chen@linux.intel.com \
    --cc=torvalds@linux-foundation.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

LKML Archive on lore.kernel.org

Archives are clonable:
	git clone --mirror https://lore.kernel.org/lkml/0 lkml/git/0.git
	git clone --mirror https://lore.kernel.org/lkml/1 lkml/git/1.git
	git clone --mirror https://lore.kernel.org/lkml/2 lkml/git/2.git
	git clone --mirror https://lore.kernel.org/lkml/3 lkml/git/3.git
	git clone --mirror https://lore.kernel.org/lkml/4 lkml/git/4.git
	git clone --mirror https://lore.kernel.org/lkml/5 lkml/git/5.git
	git clone --mirror https://lore.kernel.org/lkml/6 lkml/git/6.git
	git clone --mirror https://lore.kernel.org/lkml/7 lkml/git/7.git
	git clone --mirror https://lore.kernel.org/lkml/8 lkml/git/8.git
	git clone --mirror https://lore.kernel.org/lkml/9 lkml/git/9.git
	git clone --mirror https://lore.kernel.org/lkml/10 lkml/git/10.git

	# If you have public-inbox 1.1+ installed, you may
	# initialize and index your mirror using the following commands:
	public-inbox-init -V2 lkml lkml/ https://lore.kernel.org/lkml \
		linux-kernel@vger.kernel.org
	public-inbox-index lkml

Example config snippet for mirrors

Newsgroup available over NNTP:
	nntp://nntp.lore.kernel.org/org.kernel.vger.linux-kernel


AGPL code for this site: git clone https://public-inbox.org/public-inbox.git