Re: [patch RFC 5/5] x86/speculation: Add basic speculation control code

From: Andrea Arcangeli
Date: Wed Jan 10 2018 - 07:07:31 EST

Next message: David Woodhouse: "Re: [patch RFC 5/5] x86/speculation: Add basic speculation control code"
Previous message: Robin Murphy: "Re: [PATCH 27/33] dma-direct: use node local allocations for coherent memory"
In reply to: Andrea Arcangeli: "Re: [patch RFC 5/5] x86/speculation: Add basic speculation control code"
Next in thread: David Woodhouse: "Re: [patch RFC 5/5] x86/speculation: Add basic speculation control code"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Wed, Jan 10, 2018 at 01:01:58PM +0100, Andrea Arcangeli wrote:
> On Wed, Jan 10, 2018 at 11:58:54AM +0000, David Woodhouse wrote:
> > On Wed, 2018-01-10 at 12:54 +0100, Andrea Arcangeli wrote:
> > > On Wed, Jan 10, 2018 at 09:27:59AM +0000, David Woodhouse wrote:
> > > > I don't know why you're calling that 'IBRS=2'; are you getting
> > > confused
> > > > by Andrea's distro horridness?
> > >
> > > Eh, yes he's got confused. ibrs_enabled 2 simply means to leave IBRS
> > > set in SPEC_CTLR 100% of the time, except in guest mode.
> >
> > On all current hardware, if you only set IBRS when you exit a guest,
> > then you are not protecting yourself from userspace at all. IBRS acts
> > as a *barrier* in all current hardware.
>
> Kernel memory is 100% protected if you set only IBRS at vmexit.
>
> Once IBRS is set, there's no way any userland (nor host nor guest) can
> attack the kernel memory through spectre variant#2.
>
> What is not protected is host userland from guest userland which is
> point 3 in the email I posted earlier and I already provided all
> details there on how to fix that purely theoretical issue not part of
> the PoC with the provided debugfs tunables, so I won't repeat here.

Also I read in another email you thought IBRS is a barrier or
something, it's not, it's purely temporarily preventing the CPU to
speculate through IBP BTB whatever, it will do the least possible
amount of work without altering the internal state that can still be
poisoned by the attacker but it's no problem because kernel mode won't
make any use of that "poison". IBRS won't flush anything, the poison
stays there, it's not barrier, and IBPB is the only barrier that
flushes the content.

IBPB is expensive but after IBPB you return running at core full speed
but you can't be influenced by any poison somebody put in the CPU to
influence your runtime. IBRS as opposed is not expensive to execute
(relatively speaking) but then the CPU runs slower as it can't use
those parts of the CPU that may have been poisoned by the attacker.

So you can also flush the whole content of IBP/BTB at vmexit with IBPB
instead of setting SPECT_CTRL to IBRS. Same thing at kernel entry. If
you do that and you don't care about SMT/HT effect it's equivalent to
setting IBRS at vmexit/kernelentry and in fact it'll also protect host
userland from guest userland.

Hope this clarifies what those IBRS IBPB features achieve.

Thanks,
Andrea

Next message: David Woodhouse: "Re: [patch RFC 5/5] x86/speculation: Add basic speculation control code"
Previous message: Robin Murphy: "Re: [PATCH 27/33] dma-direct: use node local allocations for coherent memory"
In reply to: Andrea Arcangeli: "Re: [patch RFC 5/5] x86/speculation: Add basic speculation control code"
Next in thread: David Woodhouse: "Re: [patch RFC 5/5] x86/speculation: Add basic speculation control code"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]