Re: [PATCH] x86/bugs: Allow STIBP with IBRS

From: KP Singh
Date: Mon Feb 20 2023 - 14:17:27 EST

Next message: Russell King (Oracle): "Re: [REGRESSION] Re: [patch V3 09/33] genirq/msi: Add range checking to msi_insert_desc()"
Previous message: Pavel Machek: "Re: [PATCH 5.10 00/57] 5.10.169-rc1 review"
In reply to: Josh Poimboeuf: "Re: [PATCH] x86/bugs: Allow STIBP with IBRS"
Next in thread: Josh Poimboeuf: "Re: [PATCH] x86/bugs: Allow STIBP with IBRS"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Mon, Feb 20, 2023 at 11:09 AM Josh Poimboeuf <jpoimboe@xxxxxxxxxx> wrote:
>
> On Mon, Feb 20, 2023 at 07:34:59PM +0100, Borislav Petkov wrote:
> > Drop stable@ again.
> >
> > On Mon, Feb 20, 2023 at 10:27:17AM -0800, Josh Poimboeuf wrote:
> > > IBRS is only enabled in kernel space. Since it's not enabled in user
> > > space, user space isn't protected from indirect branch prediction
> > > attacks from a sibling CPU thread.
> > >
> > > Allow STIBP to be enabled to protect against such attacks.
> > >
> > > Fixes: 7c693f54c873 ("x86/speculation: Add spectre_v2=ibrs option to support Kernel IBRS")
> >
> > Yah, look at that one:
> >
> > commit 7c693f54c873691a4b7da05c7e0f74e67745d144
> > Author: Pawan Gupta <pawan.kumar.gupta@xxxxxxxxxxxxxxx>
> > Date: Tue Jun 14 23:15:55 2022 +0200
> >
> > x86/speculation: Add spectre_v2=ibrs option to support Kernel IBRS
> >
> > Extend spectre_v2= boot option with Kernel IBRS.
> >
> > [jpoimboe: no STIBP with IBRS]
> > ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> >
> > I'm assuming this was supposed to mean no STIBP in *kernel mode* when
> > IBRS is selected?
>
> No it was supposed to be "no STIBP with *eIBRS*".
>
> > In user mode, STIBP should be selectable as we disable IBRS there.
> >
> > Close?
> >
> > If so, pls document it too while at it:
> >
> > Documentation/admin-guide/hw-vuln/spectre.rst
> >
> > because we will be wondering next time again.
> >
> > Like we wonder each time this madness is being touched. ;-(
>
> As far as I can tell, that document was never updated to describe
> spectre_v2=ibrs in the first place. That would be a whole 'nother patch
> which I'm not volunteering for. Nice try ;-)

This should at least be documented in the code.

Now it seems like it is not okay to work with people on the list and
just send revisions bypassing them. This is not something we do in the
kernel area I come from (an x86 favorite ;)). Please feel free to go
with Josh's version (or its future revisions). If you want me to
re-spin with some comments, happy to. If not, please do at least give
me Reported-by here.

>
> --
> Josh

Next message: Russell King (Oracle): "Re: [REGRESSION] Re: [patch V3 09/33] genirq/msi: Add range checking to msi_insert_desc()"
Previous message: Pavel Machek: "Re: [PATCH 5.10 00/57] 5.10.169-rc1 review"
In reply to: Josh Poimboeuf: "Re: [PATCH] x86/bugs: Allow STIBP with IBRS"
Next in thread: Josh Poimboeuf: "Re: [PATCH] x86/bugs: Allow STIBP with IBRS"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]