Re: [PATCH v3 6/6] x86/bugs: Add RSB mitigation document

From: Ingo Molnar
Date: Wed Apr 02 2025 - 15:59:15 EST

Next message: Sean Christopherson: "Re: [GIT PULL] more printk for 6.15"
Previous message: Johannes Weiner: "Re: [PATCH] zswap/zsmalloc: prefer the the original page's node for compressed data"
In reply to: Josh Poimboeuf: "[PATCH v3 6/6] x86/bugs: Add RSB mitigation document"
Next in thread: Josh Poimboeuf: "Re: [PATCH v3 6/6] x86/bugs: Add RSB mitigation document"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

* Josh Poimboeuf <jpoimboe@xxxxxxxxxx> wrote:

> Create a document to summarize hard-earned knowledge about RSB-related
> mitigations, with references, and replace the overly verbose yet
> incomplete comments with a reference to the document.

Just a few nits:

> +RSB poisoning (Intel and AMD)
> +=============================
> +
> +SpectreRSB
> +~~~~~~~~~~
>
>+
>+RSB poisoning is a technique used by Spectre-RSB [#spectre-rsb]_ where
>+an attacker poisons an RSB entry to cause a victim's return instruction
>+to speculate to an attacker-controlled address. This can happen when
>+there are unbalanced CALLs/RETs after a context switch or VMEXIT.

s/Spectre-RSB
/SpectreRSB

Which is the name the title just a few lines above uses, and which
appears to be broadly the in-tree consensus spelling as well.

> +
> +AMD Retbleed / SRSO / Branch Type Confusion
> +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Nit: the underline is one character too long. :-)

> +On AMD, poisoned RSB entries can also be created by the AMD Retbleed
> +variant [#retbleed-paper]_ and/or Speculative Return Stack Overflow
> +[#amd-srso]_ (Inception [#inception-paper]_). These attacks are made
> +possible by Branch Type Confusion [#amd-btc]_. The kernel protects
> +itself by replacing every RET in the kernel with a branch to a single
> +safe RET.

s/Retbleed
/RETBleed

Seems to be the consensus spelling in-tree. (There's a few more cases
in this document as well.)

> + * WARNING! There are many subtleties to consider when changing *any*
> + * code related to RSB-related mitigations. Before doing so, carefully
> + * read the following document, and update if necessary:
> *
> + * Documentation/admin-guide/hw-vuln/rsb.rst
> *
> + * In an overly simplified nutshell:
> *
> + * - User->user RSB attacks are conditionally mitigated during
> + * context switch by cond_mitigation -> __write_ibpb().

s/during context switch
/during context switches

> *
> + * - User->kernel and guest->host attacks are mitigated by eIBRS or
> + * RSB filling.
> *
> + * Though, depending on config, note that other alternative
> + * mitigations may end up getting used instead, e.g., IBPB on
> + * entry/vmexit, call depth tracking, or return thunks.
> */

s/__write_ibpb()
/write_ibpb()

as per the discussion under patch #1.

Thanks,

Ingo

Next message: Sean Christopherson: "Re: [GIT PULL] more printk for 6.15"
Previous message: Johannes Weiner: "Re: [PATCH] zswap/zsmalloc: prefer the the original page's node for compressed data"
In reply to: Josh Poimboeuf: "[PATCH v3 6/6] x86/bugs: Add RSB mitigation document"
Next in thread: Josh Poimboeuf: "Re: [PATCH v3 6/6] x86/bugs: Add RSB mitigation document"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]