Re: Avoid speculative indirect calls in kernel

From: Andrew Cooper
Date: Thu Jan 04 2018 - 10:16:46 EST

Next message: Faiz Abbas: "Re: [PATCH v6 3/6] can: m_can: Add PM Runtime"
Previous message: Joe Perches: "Re: [PATCH 0/5] iio: use permission specific variants of DEVICE_ATTR"
In reply to: Woodhouse, David: "Re: Avoid speculative indirect calls in kernel"
Next in thread: Woodhouse, David: "Re: Avoid speculative indirect calls in kernel"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On 04/01/18 14:20, Paolo Bonzini wrote:
> On 04/01/2018 12:47, Woodhouse, David wrote:
>> On Thu, 2018-01-04 at 12:42 +0100, Pavel Machek wrote:
>>>> No, really. The full mitigation with the microcode update and IBRS
>>>> support is *slow*. Horribly slow.
>>> What is IBRS? Invalidate BRanch prediction bufferS?
>> That isn't the precise acronym, but yes.
> My stab at backronyming it was "indirect branch restricted speculation",
> and there's also IBPB which is "indirect branch prediction barrier".
>
>> The branch predictor flush that, without retpoline, we have to do on
>> every entry to the kernel. Requires new microcode, and the patches that
>> I believe Intel are *about* to post...
> Based on our experiments it was actually pretty good on Skylake, and bad
> to horrible on earlier machines. Still, microbenchmarks were in the
> same ballpark as PTI.
>
> BTW, the choices we have implemented in RHEL are basically:
>
> * do nothing
>
> * turn off indirect branch prediction in kernel mode (IBRS=1 in ring 0)
>
> * completely turn off indirect branch prediction (IBRS=1 always, which
> would also let future CPUs do their thing), which can be good for
> paranoia but also for performance in some worklods
>
> * never turn off indirect branch prediction, but use a branch prediction
> barrier on every mode switch (needed for current AMD microcode)

Where have you got this idea from?Â Using IBPB on every mode switch
would be an insane overhead to take, and isn't necessary.

Also, remember that PTI and these mitigations are for orthogonal issues.

Perhaps it is easiest to refer directly to the Xen SP2 mitigations and
my commentary of what is going on:
http://xenbits.xen.org/gitweb/?p=people/andrewcoop/xen.git;a=blob;f=xen/arch/x86/spec_ctrl.c;h=79aedf774a390293dfd564ce978500085344e305;hb=refs/heads/sp2-mitigations-v6.5#l192

With the GCC -mindirect-branch=thunk-external support, and microcode,
Xen will make a boot-time choice between using Retpoline, Lfence (which
is the better AMD option, and more performant than retpoline), or IBRS
on Skylake and newer processors where it is strictly necessary, as well
as using IBPB whenever available.

It also supports virtualising IBRS for guest usage when the kernel has
chosen not to use it; a configuration I haven't seen in any of the Linux
patch series thusfar.

~Andrew

Next message: Faiz Abbas: "Re: [PATCH v6 3/6] can: m_can: Add PM Runtime"
Previous message: Joe Perches: "Re: [PATCH 0/5] iio: use permission specific variants of DEVICE_ATTR"
In reply to: Woodhouse, David: "Re: Avoid speculative indirect calls in kernel"
Next in thread: Woodhouse, David: "Re: Avoid speculative indirect calls in kernel"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]