Re: [PATCH v5 2/2] x86/speculation: Enable cross-hyperthread spectre v2 STIBP mitigation
From: Tim Chen
Date: Wed Sep 12 2018 - 18:56:56 EST
On 09/12/2018 02:45 PM, Jiri Kosina wrote:
> On Wed, 12 Sep 2018, Tim Chen wrote:
>
>> I'm working on a patch for choosing the Spectre v2 app to app
>> mitigation option.
>>
>> Something like the following:
>>
>> enum spectre_v2_app2app_mitigation {
>> SPECTRE_V2_APP2APP_NONE,
>> SPECTRE_V2_APP2APP_LITE,
>> SPECTRE_V2_APP2APP_IBPB,
>> SPECTRE_V2_APP2APP_STIBP,
>> SPECTRE_V2_APP2APP_STRICT,
>> };
>>
>> static const char *spectre_v2_app2app_strings[] = {
>> [SPECTRE_V2_APP2APP_NONE] = "App-App Vulnerable",
>> [SPECTRE_V2_APP2APP_LITE] = "App-App Mitigation: Protect only non-dumpable process",
>> [SPECTRE_V2_APP2APP_IBPB] = "App-App Mitigation: Protect app against attack from same cpu",
>> [SPECTRE_V2_APP2APP_STIBP] = "App-App Mitigation: Protect app against attack from sibling cpu",
>> [SPECTRE_V2_APP2APP_STRICT] = "App-App Mitigation: Full app to app attack protection",
>> };
>>
>> So the APP2APP_LITE protection's intention is to turn on STIBP and IBPB for non-dumpable
>> process. But in my first version I may limit it to IBPB as choosing
>> STIBP based on process characteristics will require some frobbing of
>> the flags as what we've done in SSBD. That will require more careful
>> work and tests.
>>
>> The STRICT option will turn STIBP on always and IBPB always on
>> non-ptraceable context switches.
>>
>> Is this something reasonable?
>
> It's probably 100% correct, but it's also 100% super-complex at the same
> time if you ask me.
>
> Try to imagine you're a very advanced senior sysadmin, who has heard that
> spectre and meltdown existed of course, but figured out that updating to
> latest kernel/distro vendor update fixes all the security issues (and it
> actually indeed did).
>
> Now, all of a sudden, this new option pops up, and the poor sysadmin has
> to make a decision again.
>
> "Do you care only about security across non-dumpable process
> boundaries?"
>
> "Scheduled to same CPU at the time of attack? Can you guarantee that this
> is (not) happening?"
>
> "If the processess can actually ptrace/debug each other, are you okay with
> them attacking each other?"
>
> "Shared HT siblings return target buffer, do you want it or
> not?"
>
> These are the questions that even an excellent sysadmin might not have
> qualified answers to so far. Now, all of a sudden, he/her has to make
> these decisions?
>
> I don't think that's how it should work. It all should be digestible by
> "linux end-users" (where users are also super-advanced sysadmins) easily.
>
> We currently have "I do care about spectrev2 / I don't care about
> spectrev2" boot-time switch, and I don't see us going any deeper / more
> fine-grained without sacrificing clarity and sanity.
>
> Or do you see a way how to do that nicely?
>
How about just these options:
static const char *spectre_v2_app2app_strings[] = {
[SPECTRE_V2_APP2APP_NONE] = "App-App Vulnerable",
[SPECTRE_V2_APP2APP_LITE] = "App-App Mitigation: Protect only non-dumpable process",
[SPECTRE_V2_APP2APP_STRICT] = "App-App Mitigation: Full app to app attack protection",
};
Tim