[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [PATCH for-4.17?] x86: support data operand independent timing mode
- To: Jan Beulich <jbeulich@xxxxxxxx>, "xen-devel@xxxxxxxxxxxxxxxxxxxx" <xen-devel@xxxxxxxxxxxxxxxxxxxx>
- From: Andrew Cooper <Andrew.Cooper3@xxxxxxxxxx>
- Date: Fri, 30 Sep 2022 11:25:12 +0000
- Accept-language: en-GB, en-US
- Arc-authentication-results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=citrix.com; dmarc=pass action=none header.from=citrix.com; dkim=pass header.d=citrix.com; arc=none
- Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=u4hVsaWZGVndS8Y965KFmTSBHmyhvKBwGtz1v68xNPI=; b=HM1/n8b7ERoUsdoc5PJKJchUpzGPxk2cZzU2cKPBgwKRC/Q4JixvT4iRnnKrZlOOuevSkq9l2jDDgfV6IipHE9f3X1Jfi+vRY/mH8sgGrCovHCY5X6ZJmq9gv5puBE4U8bIoPr0y9adUx6rhnBWae5UaIxui3l2ruKkD8aOQQ7IBOp8XoUSUWIEQOr45r/31v7GlnzmH7F3Qhw1c9N8amkKxWNL9gMk7npiSW1R/zI+h2x6Ke/+SQnHYZotfUFhv4mp8PsQ0pLqFPhImLwH3KW+gvhqfhkdwv8wOgheDntvl/ZMsJp0m84lE2A0imvCzuBRhDpoRPY0bPuJE/Fg/mg==
- Arc-seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=OEFbQJUMhGBdYvcCteJ35gkzmXv8PrG6K/E5KXW02LHmGd0q0OCvphW63A1hSjFmnjEPFW7vBGgW+I0+WVvUbAcmbgeZXvWp4d5I1GVwR1ReAqrVMb0hE5SO5hoHQsTXC4e5NYdZXjswWn/I5eDt7EaU39xHV5R9zvM2ryFt3OOYRaEJ+f/VkmqIvrCzF9NU/EVUvkMok7Hq0fVpuc1G77XlK/+306hQfJfvmg+MNIT3DLlT5dOd3LTssJIP0r03j3j0oE5I4ugSmseoj2LIuCUC5zBIktEOEp1HWv4bvd3q23sk1d4GMndMPkXkmgT510VY+McRGSWhkkXyY26P+A==
- Authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=citrix.com;
- Cc: George Dunlap <George.Dunlap@xxxxxxxxxx>, Julien Grall <julien@xxxxxxx>, Stefano Stabellini <sstabellini@xxxxxxxxxx>, Wei Liu <wl@xxxxxxx>, Roger Pau Monne <roger.pau@xxxxxxxxxx>, Demi Marie Obenour <demi@xxxxxxxxxxxxxxxxxxxxxx>, Henry Wang <Henry.Wang@xxxxxxx>
- Delivery-date: Fri, 30 Sep 2022 11:25:24 +0000
- Ironport-data: A9a23:URCcv6JRctZ/BbC/FE+RKJQlxSXFcZb7ZxGr2PjKsXjdYENS0GBTy 2QZDDuFbq6MYzSkedEgbN7loU0BupLWx9QxTAtlqX01Q3x08seUXt7xwmUcnc+xBpaaEB84t ZV2hv3odp1coqr0/0/1WlTZhSAgk/vOHtIQMcacUghpXwhoVSw9vhxqnu89k+ZAjMOwRgiAo rsemeWGULOe82MyYzl8B56r8ks15qyj42tA5DTSWNgQ1LPgvyhNZH4gDfnZw0vQGuF8AuO8T uDf+7C1lkuxE8AFU47Nfh7TKyXmc5aKVeS8oiM+t5uK23CukhcawKcjXMfwXG8M49m/c3Kd/ /0W3XC4YV9B0qQhA43xWTEAe811FfUuFLMqvRFTGCFcpqHLWyKE/hlgMK05FbEY+71NEV1fz OJGBA8ITiK9renx5q3uH4GAhux7RCXqFKU2nyk6iAr/VLMhS52FRLjW79hF2jt2ntpJAfvVe 8seb3xocQjEZBpMfFwQDfrSns/x3iW5L2Ie9Q3T+fBfD2v7lWSd1JDENtbPd8PMbsJShkuC/ UrN/njjAwFcP9uaodaA2iL12L+QzXihMG4UPJO+z/wpvm+i/GIaMRZGaGCl4um7smfrDrqzL GRRoELCt5Ma9kamU938VB2Qu2Ofs1gXXN84O/037kSBx7TZ5y6dB3MYVXhRZdo+rsg0SDc2k FiTkLvBByFrsbCTYWKQ8PGTtzzaETMOMWYIaCsATA0Ey9ruuoc+ilTIVNkLOLGxps34H3f32 T/ihCQzgrQ7jMgV1r6691TKnzKtoJfSSgc/oA7QWwqNzg5/fp/jWIWu5nDS9/MGJ4GcJmRtp 1ABksmaqfsIVJiLnSnVGuEVRun1vbCCLSHWhkNpE9857TOx9nW/fIdWpjZjOENuNcVCcjjsC KPOhT5sCFZoFCPCRcdKj0iZV6zGEYCI+QzZa83p
- Ironport-hdrordr: A9a23:vKA4cKBWNE4nq8TlHegPsceALOsnbusQ8zAXPh9KJCC9I/bzqy nxpp8mPEfP+U0ssHFJo6HiBEEZKUmsuKKdkrNhR4tKOzOW9FdATbsSp7cKpgeNJ8SQzJ876U 4NSclD4ZjLfCBHZKXBkUaF+rQbsb+6GcmT7I+woUuFDzsaEp2IhD0JaDpzZ3cGIDWucqBJca Z0iPAmmxOQPVAsKuirDHgMWObO4/fRkoj9XBIADxk7rCGTkDKB8tfBYlml9yZbdwkK7aYp8G DDnQC8zL6kqeuHxhjV0HKWx4hKmeHm1sBICKW3+4gow3TX+0WVjbZaKvi/VQMO0aWSAZER4Z 7xSiIbToZOArXqDyeISFXWqlDdOX0VmgLfIBej8AfeSIrCNXwH4oN69PxkmlGy0TtegPhslK 1MxG6XrJxREFfJmzn8/cHBU1VwmlOzumdKq59bs5Vza/poVFZql/1owGpFVJMbWC7q4oEuF+ djSMna+fZNaFufK3TUpHNmztCgVmk6Wk7ueDlIhuWFlzxN2HxpxUoRw8IS2n8G6ZImUpFBo+ DJKL5hmr1CRtIfKah9GOACS82qDXGle2OFDEuCZVD8UK0XMXPErJD6pL0z+eGxYZQNiIA/nZ zQOWkowVLau3iefPFm8Kc7gSwlGl/NLAgF4vsul6RRq/n7WKfhNzGFRRQnj9agys9vcPHmZw ==
- List-id: Xen developer discussion <xen-devel.lists.xenproject.org>
- Thread-index: AQHYyOqg1ICCMP96kUmBwLmrDRKGKa337MYA
- Thread-topic: [PATCH for-4.17?] x86: support data operand independent timing mode
On 15/09/2022 11:04, Jan Beulich wrote:
> [1] specifies a long list of instructions which are intended to exhibit
> timing behavior independent of the data they operate on. On certain
> hardware this independence is optional, controlled by a bit in a new
> MSR. Provide a command line option to control the mode Xen and its
> guests are to operate in, with a build time control over the default.
> Longer term we may want to allow guests to control this.
>
> Since Arm64 supposedly also has such a control, put command line option
> and Kconfig control in common files.
>
> [1]
> https://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/best-practices/data-operand-independent-timing-isa-guidance.html
>
> Requested-by: Demi Marie Obenour <demi@xxxxxxxxxxxxxxxxxxxxxx>
> Signed-off-by: Jan Beulich <jbeulich@xxxxxxxx>
This patch should not be taken; at least not in this form. The whole
DOITM infrastructure is currently under argument, for being impossible
to use appropriately.
I understand why Qubes want this blanket set, but it is a steep penalty
to pay; It's only code which is already written trying to be constant
time/cache which gains any security from this. On current parts, using
SSBD has the same behaviour, but this isn't expected to remain true in
the future.
Forcing it on behind the back of a VM is mutually exclusive with
enumerating it for VMs to use at some point in the future when we have
the capability to. i.e. specifically, you are not able to maintain the
ABI/API in this patch in the future.
If we do move forward with something like this (under the strict
understanding that the behaviour is going to change in the future), then
"DIT" is too short of an acronym to use. Amongst other things, it's not
"data independent timing"; it's "controls for forcing ..." which is
important because these are going to be vendor specific, if even needed
in the first place.
~Andrew
|
