On Mon, Feb 20, 2023 at 10:22 AM Borislav Petkov bp@alien8.de wrote:
> On Mon, Feb 20, 2023 at 10:01:57AM -0800, KP Singh wrote:
> > Well, we disable IBRS in userspace (this is KERNEL_IBRS), because it is slow. Now if a user space process wants to protect itself from cross thread training, it should be able to do it, either by turning STIBP always on or using a prctl to enable. With the current logic, it's unable to do so.
>
> Of course it can:
>
>     [SPECTRE_V2_USER_PRCTL] = "User space: Mitigation: STIBP via prctl",
>
> we did this at the time so that a userspace process can control it via prctl().

No, it cannot with IBRS, which is really just KERNEL_IBRS enabled; we bail out if spectre_v2_in_ibrs_mode and ignore any selections:

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/arch...

The whole confusion spews from the fact that while the user thinks they are enabling spectre_v2=ibrs, they only really get KERNEL_IBRS and IBRS is dropped in userspace. This in itself seems like a decision the kernel implicitly took on behalf of the user. Now it also took their ability to enable spectre_v2_user in this case, which is what this patch is fixing.

> So, maybe you should explain what you're trying to accomplish in detail and where it fails...
>
> -- Regards/Gruss, Boris.
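
A way to check from inside a process whether the per-task control argued about in this thread is actually on offer, as an added example that is not part of the original mail or the kernel tree: it decodes the PR_GET_SPECULATION_CTRL result for PR_SPEC_INDIRECT_BRANCH and then requests PR_SPEC_DISABLE. The `ib_state` enum and the function names are assumptions of this example; the PR_* constants are the kernel's prctl interface.

```c
#include <errno.h>
#include <stdio.h>
#include <sys/prctl.h>   /* PR_GET/SET_SPECULATION_CTRL and PR_SPEC_* bits */

#ifndef PR_SPEC_INDIRECT_BRANCH
#define PR_SPEC_INDIRECT_BRANCH 1   /* fallback for older userspace headers */
#endif

/* Names in this enum are the example's own, not kernel identifiers. */
enum ib_state {
    IB_UNKNOWN,            /* prctl failed (old kernel, other arch) */
    IB_NOT_AFFECTED,
    IB_UNPROTECTED_FIXED,  /* no mitigation and the task cannot opt in */
    IB_OPT_IN_AVAILABLE,   /* per-task control offered, not yet used */
    IB_PROTECTED_TASK,     /* task opted in, may opt out again */
    IB_PROTECTED_FORCED,   /* task opted in irrevocably */
    IB_PROTECTED_FIXED     /* mitigation always on for every task */
};

/* Decode the value returned by PR_GET_SPECULATION_CTRL. */
enum ib_state classify_ib(int v)
{
    if (v < 0) return IB_UNKNOWN;
    if (v == PR_SPEC_NOT_AFFECTED) return IB_NOT_AFFECTED;
    if (v & PR_SPEC_FORCE_DISABLE) return IB_PROTECTED_FORCED;
    if (v & PR_SPEC_PRCTL)
        return (v & PR_SPEC_DISABLE) ? IB_PROTECTED_TASK : IB_OPT_IN_AVAILABLE;
    return (v & PR_SPEC_DISABLE) ? IB_PROTECTED_FIXED : IB_UNPROTECTED_FIXED;
}

/* Ask the kernel to restrict indirect branch speculation for this task.
 * Returns 0 on success or a negative errno. */
int request_ib_protection(void)
{
    if (prctl(PR_SET_SPECULATION_CTRL, PR_SPEC_INDIRECT_BRANCH, PR_SPEC_DISABLE, 0, 0) == 0)
        return 0;
    return -errno;
}

int main(void)
{
    int before = prctl(PR_GET_SPECULATION_CTRL, PR_SPEC_INDIRECT_BRANCH, 0, 0, 0);
    int rc = request_ib_protection();
    enum ib_state s = classify_ib(prctl(PR_GET_SPECULATION_CTRL, PR_SPEC_INDIRECT_BRANCH, 0, 0, 0));
    printf("before: raw=%d state=%d\n", before, classify_ib(before));
    printf("PR_SPEC_DISABLE request returned %d, state now %d\n", rc, s);
    /* Exit 0 only if the CPU is unaffected or the task ended up protected. */
    return (s == IB_NOT_AFFECTED || s >= IB_PROTECTED_TASK) ? 0 : 1;
}
```

A result of `IB_UNPROTECTED_FIXED` together with a failed request is the situation the reply describes: the process asked for protection and the kernel offered no per-task control.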