Re: [PATCH v4 1/2] x86/speculation: apply IBPB more strictly to avoid cross-process data leak

From: Josh Poimboeuf
Date: Fri Sep 07 2018 - 09:39:15 EST


On Thu, Sep 06, 2018 at 10:32:38AM +0200, Jiri Kosina wrote:
> From: Jiri Kosina <jkosina@xxxxxxx>
>
> Currently, we are issuing IBPB only in cases when switching into a non-dumpable
> process, the rationale being to protect such 'important and security sensitive'
> processes (such as GPG) from data leak into a different userspace process via
> spectre v2.
>
> This is however completely insufficient to provide proper userspace-to-userspace
> spectrev2 protection, as any process can poison branch buffers before being
> scheduled out, and the newly scheduled process immediately becomes spectrev2

"becomes a"

> victim.
>
> In order to minimize the performance impact (for usecases that do require
> spectrev2 protection), issue the barrier only in cases when switching between
> processess where the victim can't be ptraced by the potential attacker (as in

"processes"

> such cases, the attacker doesn't have to bother with branch buffers at all).
>
> Fixes: 18bf3c3ea8 ("x86/speculation: Use Indirect Branch Prediction Barrier in context switch")
> Originally-by: Tim Chen <tim.c.chen@xxxxxxxxxxxxxxx>
> Signed-off-by: Jiri Kosina <jkosina@xxxxxxx>

Reviewed-by: Josh Poimboeuf <jpoimboe@xxxxxxxxxx>

--
Josh