Re: [PATCH 08/24] x86,sme: Annotate indirect call

From: David Woodhouse
Date: Fri Jan 26 2018 - 05:37:44 EST


On Tue, 2018-01-23 at 16:25 +0100, Peter Zijlstra wrote:
> This is boot code, we run this _way_ before userspace comes along to
> poison our branch predictor.

Hm, objtool knows about sections, doesn't it? Why is it whining about
indirect jumps in inittext anyway?

In fact, why are we even *doing* retpolines in inittext? Not that we
are; since we flipped the ALTERNATIVE logic around, at that point we
still have the 'oldinstr' which is a bare jmp anyway. We might as well
do this:

--- a/include/linux/init.h
+++ b/include/linux/init.h
@@ -37,10 +37,15 @@
 * as gcc otherwise puts the data into the bss section and not into the init
 * section.
 */
+#if defined(RETPOLINE) && !defined(MODULE)
+#define __noretpoline __attribute__((indirect_branch("keep")))
+#else
+#define __noretpoline
+#endif
Â
Â/* These are for everybody (although not all archs will actually
ÂÂÂÂdiscard it in modules) */
-#define __initÂÂÂÂÂÂÂÂÂ__section(.init.text) __cold __inittrace __latent_entropy
+#define __initÂÂÂÂÂÂÂÂÂ__section(.init.text) __cold __inittrace __latent_entropy __noretpoline
Â#define __initdataÂÂÂÂÂ__section(.init.data)
Â#define __initconstÂÂÂÂ__section(.init.rodata)
Â#define __exitdataÂÂÂÂÂ__section(.exit.data)
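Review bot: the new `__noretpoline` macro at the top of the hunk carries no comment recording the assumption it encodes, namely that everything tagged `__init` runs before any code that could train the branch predictor, so a later reader of init.h sees only `#define __noretpoline __attribute__((indirect_branch("keep")))` with nothing explaining why bypassing retpolines is safe there. Please add a short comment above `#if defined(RETPOLINE) && !defined(MODULE)` stating that assumption, and also noting that the `!defined(MODULE)` half deliberately keeps module init code (which runs after userspace is up) under retpolines; the attribute itself is a function attribute, which is fine here because `__init` is applied to functions while `__initdata`/`__initconst` stay unchanged.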


I had that once and dropped it because of concerns about VM guests
being "vulnerable" at boot time. But really, do they even have any
interesting data to purloin at that point? And shouldn't the hypervisor
be protecting them with STIBP if they have nasty HT siblings?

(And if hypervisors do start doing that, it might be nice for a guest
to have a way to say "you can stop now; I'm safe")
