Re: Improve retpoline for Skylake
From: Thomas Gleixner
Date: Mon Jan 15 2018 - 05:03:29 EST
On Mon, 15 Jan 2018, Jon Masters wrote:
> On 01/12/2018 05:03 PM, Henrique de Moraes Holschuh wrote:
> > On Fri, 12 Jan 2018, Andi Kleen wrote:
> >>> Skylake still loses if it takes an SMI, right?
> >>
> >> SMMs are usually rare, especially on servers, and are usually
> >> not very predictible, and even if you have
> >
> > FWIW, a data point: SMIs can be generated on demand by userspace on
> > thinkpad laptops, but they will be triggered from within a kernel
> > context. I very much doubt this is a rare pattern...
>
> Sure. Just touch some "legacy" hardware that the vendor emulates in a
> nasty SMI handler. It's definitely not acceptable to assume that SMIs
> can't be generated under the control of some malicious user code.
We all know that there are holes, but can we finally sit down and do a
proper analysis whether they are practically exploitable or not.
A laptop is single user, i.e. the most likely attack vector is java
script. So please elaborate how you abuse that from JS.
If the laptop is compromised in a way that malicious code is executed on it
outside JS, then the SMI hole is the least of your worries, really.
> Our numbers on Skylake weren't bad, and there seem to be all kinds of
> corner cases, so again, it seems as if IBRS is the safest choice.
Talk is cheap. Show numbers comparing the full retpoline/RBS mitigation
compared to IBRS.
Thanks,
tglx