Re: x86/retpoline: Fill RSB on context switch for affected CPUs
From: Maciej S. Szmigiero
Date: Fri Mar 09 2018 - 10:34:22 EST
On 09.03.2018 16:14, Andi Kleen wrote:
>> Shouldn't the RSB filling on context switch also be done on non-IBPB
>> CPUs to protect (retpolined) user space tasks from other user space
>> tasks?
>
> The comment is actually incorrect. There's no risk to hit user space
> addresses if we have KPTI and NX (which is fairly universal).
>
> It's mainly needed on Skylake era CPUs.
>
> Should fix the comment. I'll send a patch.
But what about userspace-to-userspace attacks? - the ones that IBPB on
context switches currently protects against (at least for high-value, or
as implemented currently, non-dumpable, processes)?
If understand the issue correctly, high-value user space processes can
be protected from other user space processes even on CPUs that lack
IBPB as long as they are recompiled with retpolines and there is no
danger of RSB entries from one process being used by another one after
a context switch.
For Skyklake this would not be enough, but there we'll (hopefully) have
the IBPB instead.
> -Andi
>
Maciej