RE: [PATCH V2] x86/speculation: Support Enhanced IBRS on future CPUs
From: Prakhya, Sai Praneeth
Date: Tue Jul 31 2018 - 00:03:06 EST
> There is no reason not to use indentation and quotation marks in a changelog.
> Squeezing it into square brackets does not really improve readability.
>
> From the specification [1]:
>
> "With enhanced IBRS, the predicted targets of indirect branches executed
> cannot be controlled by software that was executed in a less privileged
> ....
> to entering a sleep state such as MWAIT or HLT."
>
> Hmm?
Yes, this looks good. I have changed commit message in V3 accordingly.
> > x86_spec_ctrl_set_guest() before entering guest and
> > x86_spec_ctrl_restore_host() after leaving guest. So, the guest view
> > of SPEC_CTRL MSR is restored before entering guest and the host view
> > of SPEC_CTRL MSR is restored before entering host and hence IBRS will
> > be set after VMEXIT.
>
> What you are trying to say here is:
>
> If Enhanced IBRS is selected as mitigation mechanism the IBRS bit is set once at
> boot time and never cleared. This also has to be ensured after a VMEXIT
> because the guest might have cleared the bit. This is already covered by the
> existing x86_spec_ctrl_set_guest() and
> x86_spec_ctrl_restore_host() speculation control functions.
>
> Hmm?
Yes, that's correct. It's simple and concise. I have updated commit message as suggested.
>
> > Intel's white paper on Retpoline [2] says that "Retpoline is known to
> > be an effective branch target injection (Spectre variant 2) mitigation
> > on Intel processors belonging to family 6 (enumerated by the CPUID
> > instruction) that do not have support for enhanced IBRS. On processors
> > that support enhanced IBRS, it should be used for mitigation instead
> > of retpoline."
> >
> > This means, Intel recommends using Enhanced IBRS over Retpoline where
> > available and it also means that retpoline provides less mitigation on
> > processors with enhanced IBRS compared to those without.
>
> The cited part of the white paper does not say that its a broader mitigation than
> what Retpoline covers. It merely recommends to use enhanced IBRS without
> providing a reason.
>
> But chapter 4.3 contains the real reason for using Emhanced IBRS: The
> processors which support it also support CET and CET does not work well with
> Retpoline.
>
> Please provide facts and not interpretations.
Sorry! got it.
> If you have additional knowledge
> about a broader mitigation scope, then clearly say so:
>
Hmm.. no.. not really. I just learned it from Dave.
> > Hence, on processors that support Enhanced IBRS, this patch makes
> > Enhanced IBRS as
>
> Please search Documentation/process/submitting-patches.rst for 'This patch' ....
>
Yes, got it. Will refrain myself from using 'This patch' further.
> The reason why 'Enhanced IBRS is the recommended mitigation on processors
> which support it is that these processors also support CET which provides a
> defense against ROP attacks. Retpoline is very similar to ROP techniques and
> might trigger false positives in the CET defense.
>
> Enhanced IBRS still requires IBPB for full mitigation.
>
> See? You might have noticed that aside of restructuring and enhancing the
> information I also got rid of all 'we' instances. Using 'we' is a form of
> impersonation which IMO blurs the technicality of a changelog.
Makes sense. Will stop using 'we' further.
>
>
> > [1]
> > https://software.intel.com/sites/default/files/managed/c5/63/336996-Sp
> > eculative-Execution-Side-Channel-Mitigations.pdf
> > [2]
> > https://software.intel.com/sites/default/files/managed/1d/46/Retpoline
> > -A-Branch-Target-Injection-Mitigation.pdf
>
> These links are not really useful as sooner than later they are going to be invalid.
> We recently started to put copies of such documents into the kernel.org bugzilla
> and I'm pretty sure we have at least one of them already in one of the
> speculation mess related BZs. Could you please track that down and make sure
> that both files are available there in the latest version. Then provide links to the
> BZ entry which are more likely to survive than content on a corporate website.
>
Sure! Makes sense.
I have updated Bugzilla link that has these documents and also updated commit message in V3.
> > @@ -219,6 +219,7 @@
> > #define X86_FEATURE_IBPB ( 7*32+26) /* Indirect Branch
> Prediction Barrier */
> > #define X86_FEATURE_STIBP ( 7*32+27) /* Single Thread Indirect
> Branch Predictors */
> > #define X86_FEATURE_ZEN ( 7*32+28) /* "" CPU is AMD
> family 0x17 (Zen) */
> > +#define X86_FEATURE_IBRS_ENHANCED ( 7*32+29) /*
> "ibrs_enhanced" Use Enhanced IBRS in kernel */
>
> That "ibrs_enhanced" part is not needed.
Just wanted to confirm with you before removing it,
Presently, on platforms that support features like arch_capabilities, stibp, ibrs and ibpb
/proc/cpuinfo does show them. Do you think we should really skip showing
Enhanced IBRS capability?
> And 'Use' is also wrong. The feature
> merily reflects the availability of Enhanced IBRS and not its usage.
>
Makes sense. Updated comment in V3.
> > + /*
> > + * As we don't use IBRS in kernel, nobody should have set
> > + * SPEC_CTRL_IBRS until now. Shout loud if somebody did enable
> > + * SPEC_CTRL_IBRS before us.
> > + */
>
> This comment does not make sense. What prevents the BIOS/bootloader or the
> hypervisor from setting it?
>
Makes sense. Removed it from V3.
> > + WARN_ON_ONCE(x86_spec_ctrl_base & SPEC_CTRL_IBRS);
> > +
> > + /* Ensure SPEC_CTRL_IBRS is set after VMEXIT from a guest */
> > + x86_spec_ctrl_base |= SPEC_CTRL_IBRS;
>
> And what exactly writes the MSR?
>
While booting, x86_spec_ctrl_setup_ap() does that and after VMEXIT
x86_spec_ctrl_restore_host().
As x86_spec_ctrl_setup_ap() does wrmsrl(MSR_IA32_SPEC_CTRL, x86_spec_ctrl_base),
I thought writing here would be redundant.
Did I answer your question or did I get it wrong?
Regards,
Sai