On 11/21/2018 05:52 AM, Thomas Gleixner wrote:
> On Tue, 20 Nov 2018, Tim Chen wrote:
>> According to software guidance:
>> "Setting ... STIBP ... on a logical processor prevents the predicted targets of indirect branches on any logical processor of that core from being controlled by software that executes (or executed previously) on another logical processor of the same core."
>> https://software.intel.com/security-software-guidance/insights/deep-dive-sin...
>> Hence setting STIBP on a sandboxed task will prevent the task from attacking other sibling threads or getting attacked.
> That's not sufficient, because you need an IBPB when the sandboxed task is switched out.
Right. Which means this change is also needed:
Tim
diff --git a/arch/x86/mm/tlb.c b/arch/x86/mm/tlb.c index 616694c..de31438 100644 --- a/arch/x86/mm/tlb.c +++ b/arch/x86/mm/tlb.c @@ -202,7 +202,8 @@ static bool ibpb_needed(struct task_struct *tsk, u64 last_ctx_id) */
if (static_branch_unlikely(&spectre_v2_app_lite)) - return test_tsk_thread_flag(tsk, TIF_SPEC_INDIR_BRANCH); + return test_tsk_thread_flag(tsk, TIF_SPEC_INDIR_BRANCH) || + test_tsk_thread_flag(current, TIF_SPEC_INDIR_BRANCH); else return ptrace_may_access_sched(tsk, PTRACE_MODE_SPEC_IBPB); }
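Review bot: the added `test_tsk_thread_flag(current, TIF_SPEC_INDIR_BRANCH)` in the `spectre_v2_app_lite` branch relies on `current` still being the outgoing task when `ibpb_needed()` runs, and nothing in the hunk says so; the comment block that closes just above the `if` is left untouched. Suggest adding a line there stating that `tsk` is the incoming task and `current` the one being switched out, and that the barrier is now issued when either of them carries the flag. It would also help to say in the changelog whether the `else` path, which still checks only `tsk` via `ptrace_may_access_sched(tsk, PTRACE_MODE_SPEC_IBPB)`, is meant to stay one-directional.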