Re: [RFC 09/10] x86/enter: Create macros to restrict/unrestrict Indirect Branch Speculation

From: Dave Hansen
Date: Thu Jan 25 2018 - 17:20:56 EST

Next message: Taras Kondratiuk: "Re: [PATCH v2 01/15] Documentation: add newcx initramfs format description"
Previous message: Eric Wheeler: "Re: [PATCH 1/2] mm,vmscan: Kill global shrinker lock."
In reply to: Mason: "Re: [RFC 09/10] x86/enter: Create macros to restrict/unrestrict Indirect Branch Speculation"
Next in thread: Liran Alon: "Re: [RFC 09/10] x86/enter: Create macros to restrict/unrestrict Indirect Branch Speculation"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On 01/23/2018 03:13 AM, Liran Alon wrote:
> Therefore, breaking KASLR. In order to handle this, every exit from
> kernel-mode to user-mode should stuff RSB. In addition, this stuffing
> of RSB may need to be done from a fixed address to avoid leaking the
> address of the RSB stuffing itself.

With PTI alone in place, I don't see how userspace could do anything
with this information. Even if userspace started to speculate to a
kernel address, there is nothing at the kernel address to execute: no
TLB entry, no PTE to load, nothing.

You probably have a valid point about host->guest, though.

Next message: Taras Kondratiuk: "Re: [PATCH v2 01/15] Documentation: add newcx initramfs format description"
Previous message: Eric Wheeler: "Re: [PATCH 1/2] mm,vmscan: Kill global shrinker lock."
In reply to: Mason: "Re: [RFC 09/10] x86/enter: Create macros to restrict/unrestrict Indirect Branch Speculation"
Next in thread: Liran Alon: "Re: [RFC 09/10] x86/enter: Create macros to restrict/unrestrict Indirect Branch Speculation"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]