[Top] [All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Setting constant-time mode CPU flag

  • To: Demi Marie Obenour <demi@xxxxxxxxxxxxxxxxxxxxxx>
  • From: Jan Beulich <jbeulich@xxxxxxxx>
  • Date: Wed, 14 Sep 2022 09:32:20 +0200
  • Arc-authentication-results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=suse.com; dmarc=pass action=none header.from=suse.com; dkim=pass header.d=suse.com; arc=none
  • Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=6VhwirDIUo3r33hIMDz5bvGs4vRBoNpPcNecpcQv3z0=; b=B2vrQeJdHfCxiKIS8dVkbUcRww34Xfoff3jllqWiwiTDzIaGapeH9H2yXLFyY9Y5kdZYhvdcFEjrNtMKkfnjZzzbV1Y8IvYDOPQmhp1LTYEa8SouaBhYT55WBmfdtPZTyzH4vv3sjRob7S2uZW4PYolIFfK44khX/BcxaPBIvLA1l71oNIvMTHLCAAO3Zm/f0naj1afU9NJNnfS+NaaVSNPHEGn3mdDLEyiVc796VMczsgTSSZ7GoDH8bZ6wrTfUbzgJIovPXzKiqvr0mQpdqbfzVrMC2R1QZxU7Er11+ft6PhSV09pRZs7lCmgek0cEbcdtsKQwWOi7zMUfwppZUA==
  • Arc-seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=gWp7YDWzP/r7hapucOFYW0w5mbztWyxofd3w5UHg2srVAcCTc0A7gjyDOFB8ULEtOO5nsSiUHtVZKwd6cPqVKEpnlkwMBN0jQLg3l3LizirgL+FVvMAuDrRSpQiTgaRAjwqymxsYF04qX12TEvqLnQvH+SNS0zWpAqi1Idbd62oUDpz4NmsjgEtzALGKU283MKPUFxHtTg0vhh7ok83HuQ0UnmRn5m+aAnbbW+8Ldc3jQpn88Dg4keBuXDnZ5Oi7BAMpxx4s8edUd8jxVsw44yexZLaYpTX8kbhmxxR3DLoJY2S8NzkMY6hC5vWlOlf8q5Y7OzdlZYJjOJSf8MiUjA==
  • Authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=suse.com;
  • Cc: Marek Marczykowski-Górecki <marmarek@xxxxxxxxxxxxxxxxxxxxxx>, Simon Gaiser <simon@xxxxxxxxxxxxxxxxxxxxxx>, Xen developer discussion <xen-devel@xxxxxxxxxxxxxxxxxxxx>, Andrew Cooper <Andrew.Cooper3@xxxxxxxxxx>
  • Delivery-date: Wed, 14 Sep 2022 07:32:52 +0000
  • List-id: Xen developer discussion <xen-devel.lists.xenproject.org>
On 14.09.2022 09:11, Demi Marie Obenour wrote:
> On Wed, Sep 14, 2022 at 08:44:25AM +0200, Jan Beulich wrote:
>> On 14.09.2022 08:40, Demi Marie Obenour wrote:
>>> On Wed, Sep 14, 2022 at 08:36:02AM +0200, Jan Beulich wrote:
>>>> On 13.09.2022 19:22, Demi Marie Obenour wrote:
>>>>> On Tue, Sep 13, 2022 at 04:47:24PM +0200, Jan Beulich wrote:
>>>>>> On 13.09.2022 16:22, Demi Marie Obenour wrote:
>>>>>>> On Tue, Sep 06, 2022 at 10:01:00AM +0000, Andrew Cooper wrote:
>>>>>>>> On 06/09/2022 10:52, Jan Beulich wrote:
>>>>>>>>> On 02.09.2022 04:05, Demi Marie Obenour wrote:
>>>>>>>>>> On Intel chips (Ice Lake and later) and ARM64, a bit needs to be set 
>>>>>>>>>> in
>>>>>>>>>> a CPU register to enforce constant-time execution.  Linux plans to 
>>>>>>>>>> set
>>>>>>>>>> this bit by default; Xen should do the same.  See
>>>>>>>>>> https://lore.kernel.org/lkml/YwgCrqutxmX0W72r@xxxxxxxxx/T/ for 
>>>>>>>>>> details.
>>>>>>>>>> I recommend setting the bit unconditionally and ignoring guest 
>>>>>>>>>> attempts
>>>>>>>>>> to change it.
>>>>>>>>> I don't think we ought to set it by default; I can see reasons why 
>>>>>>>>> kernels
>>>>>>>>> may want to set it by default (providing a way to turn it off). In Xen
>>>>>>>>> what I think we need is exposure of the bit to be guest-controllable.
>>>>>>>>
>>>>>>>> We absolutely should not have it set by default.  It's a substantial
>>>>>>>> overhead for something that is only applicable to code which otherwise
>>>>>>>> crafted to be constant-time.
>>>>>>>
>>>>>>> Either Xen needs to set the bit by default, or guests need to both know
>>>>>>> the bit needs to be set and be able set it.  Otherwise code that *is*
>>>>>>> intended to be constant-time has no way to protect itself.
>>>>>>>
>>>>>>>> As for why Xen doesn't enumerate/virtualise it, that's because
>>>>>>>> virtualising MSR_ARCH_CAPS for guests is still not working yet, so the
>>>>>>>> feature can't be enumerated yet even if we did support context 
>>>>>>>> switching it.
>>>>>>>
>>>>>>> Intel and ARM64 guarantee that CPUs that do not enumerate this flag
>>>>>>> behave as if it is set unconditionally.
>>>>>>
>>>>>> I'm not qualified to talk about the Arm side, but may I ask what you've
>>>>>> derived this statement from for Intel? The doc page referenced by the
>>>>>> link you did provide (still in context above) specifically further links
>>>>>> to a page listing instruction with data operand independent timing. All
>>>>>> other instructions, as I conclude, have variable timing unless the bit
>>>>>> in ARCH_CAPS enumerates DOITM and then the new MSR bit (of the same name)
>>>>>> is set.
>>>>>
>>>>> My understanding is that only instructions in the constant-time subset
>>>>> are ever guaranteed to be constant time.
>>>>
>>>> Hmm, yes, I did overlook respective wording in the doc.
>>>>
>>>>>  On architectures where DOITM
>>>>> is not enumerated, this guarantee is unconditional.
>>>>
>>>> I have to admit I'm suspicious of this "guarantee".
>>>
>>> Do you mean that previous CPUs had a vulnerability that has no fix?
>>
>> I'm not sure I'd call it a vulnerability, but at least if going back far
>> enough in history I think you'll find insns on the list which don't have
>> invariant timing. Like with other documentation on e.g. speculation
>> issues I take it that Intel simply doesn't consider sufficiently old
>> CPUs relevant anymore for such new documents.
> 
> Any examples?

The one I easily recall in truly ancient, so maybe of only limited
significance: MUL on 486 and older.

Jan

 

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.

Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.