Re: Avoid speculative indirect calls in kernel

From: Linus Torvalds
Date: Thu Jan 04 2018 - 13:33:12 EST

Next message: Borislav Petkov: "Re: [PATCH 6/7] x86/spec_ctrl: Add sysctl knobs to enable/disable SPEC_CTRL feature"
Previous message: Kees Cook: "Re: [kernel-hardening] [PATCH] arm: Always use REFCOUNT_FULL"
In reply to: Alan Cox: "Re: Avoid speculative indirect calls in kernel"
Next in thread: Jon Masters: "Re: Avoid speculative indirect calls in kernel"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Thu, Jan 4, 2018 at 3:26 AM, Pavel Machek <pavel@xxxxxx> wrote:
> On Wed 2018-01-03 15:51:35, Linus Torvalds wrote:
>>
>> A *competent* CPU engineer would fix this by making sure speculation
>> doesn't happen across protection domains. Maybe even a L1 I$ that is
>> keyed by CPL.
>
> Would that be enough?

No, you'd need to add the CPL to the branch target buffer itself, not the I$ L1.

And as somebody pointed out, that only helps the user space messing
with the kernel. It doesn't help the "one user context fools another
user context to mispredict". (Where the user contexts might be a
JIT'ed JS vs the rest of the web browser).

So you really would want to just make sure the full address is used to
index (or at least verify) the BTB lookup, and even then you'd then
need to invalidate the BTB on context switches so that one context
can't fill in data for another context.

Linus

Next message: Borislav Petkov: "Re: [PATCH 6/7] x86/spec_ctrl: Add sysctl knobs to enable/disable SPEC_CTRL feature"
Previous message: Kees Cook: "Re: [kernel-hardening] [PATCH] arm: Always use REFCOUNT_FULL"
In reply to: Alan Cox: "Re: Avoid speculative indirect calls in kernel"
Next in thread: Jon Masters: "Re: Avoid speculative indirect calls in kernel"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]