Re: [PATCH] x86/bugs: protect against userspace-userspace spectreRSB

From: Josh Poimboeuf
Date: Wed Jul 25 2018 - 09:45:18 EST


On Tue, Jul 24, 2018 at 09:53:30PM +0200, Jiri Kosina wrote:
> From: Jiri Kosina <jkosina@xxxxxxx>
>
> The article "Spectre Returns! Speculation Attacks using the Return Stack
> Buffer" [1] describes two new (sub-)variants of spectrev2-like attack,
> making use solely of the RSB contents even on CPUs that don't fallback to
> BTB on RSB underflow (Skylake+).
>
> Mitigate userspace-userspace attacks by always unconditionally filling RSB on
> context switch when generic spectrev2 mitigation has been enabled.
>
> [1] https://arxiv.org/pdf/1807.07940.pdf
>
> Signed-off-by: Jiri Kosina <jkosina@xxxxxxx>

While I generally agree with this patch, isn't it odd that we would do
RSB filling on every context switch, but almost never do IBPB?

> + * - RSB underflow (and switch to BTB) on Skylake+
> + * - sepctreRSB variant of spectre v2 on X86_BUG_SPECTRE_V2 CPUs

"SpectreRSB"

> */
> - if ((!boot_cpu_has(X86_FEATURE_PTI) &&
> - !boot_cpu_has(X86_FEATURE_SMEP)) || is_skylake_era()) {
> - setup_force_cpu_cap(X86_FEATURE_RSB_CTXSW);
> - pr_info("Spectre v2 mitigation: Filling RSB on context switch\n");
> - }
> + setup_force_cpu_cap(X86_FEATURE_RSB_CTXSW);
> + pr_info("Spectre v2 / spectreRSB mitigation: Filling RSB on context switch\n");

"SpectreRSB" (capitalized)

--
Josh