On 11/20/2018 05:27 PM, Linus Torvalds wrote:
On Tue, Nov 20, 2018 at 4:33 PM Tim Chen tim.c.chen@linux.intel.com wrote:
Implements arch_update_spec_restriction() for x86. Use STIBP to restrict speculative execution when running a task set to non-dumpable, or clear the restriction if the task is set to dumpable.
I don't think this necessarily makes sense.
The new "auto" behavior is that we aim to restrict untrusted code (and the loader of such code uses prctrl to set that flag), then this whole "set STIBP for non-dumpable" makes little sense.
When STIBP is on, it will prevent not only untrusted code from attacking, but also trusted code from getting attacked. So non-dumpable task running with STIBP will protect itself from attacks from code running on sibling CPU.
From software guidance:
"Setting ... STIBP ... on a logical processor prevents the predicted targets of indirect branches on any logical processor of that core from being controlled by software that executes (or executed previously) on another logical processor of the same core."
The intention was to put TIF_SPEC_INDIR_BRANCH flag on non-dumpable task, so it runs with STIBP and prevent itself from getting attacked from code running in sibling CPU. And when we context switch to non-dumpable task, IBPB will be issued to prevent attack from anything running on the same cpu based on TIF_SPEC_INDIR_BRANCH.
A non-dumpable app by definition is *more* trusted, not less trusted.
So this model of "let's disable prediction for system processes" not only doesn't make sense, but it also unnecessarily penalizes those potentially very important system processes.
It is a trade off of extra protection for non-dumpable app with extra overhead. :(
Here it is the default behavior but that can be changed.
If we don't erect STIBP for non-dumpable tasks as default, we should still do IBPB before switching to them. So the STIBP behavior and IBPB behavior will then be untied for non-dumpable default.
Also, "dumpable" in general is pretty oddly defined to be used for this.
The same (privileged) process can be dumpable or not depending on how it was started (ie if it was started by a regular user and became trusted through suid, it's not dumpable, but if it was started from a root process it remains dumpable.
So I'm just not convinced "dumpability" is meaningful for STIBP.
Tim