
Re: [PATCH v4 for-4.18?] x86: support data operand independent timing mode


  • To: Roger Pau Monné <roger.pau@xxxxxxxxxx>
  • From: Jan Beulich <jbeulich@xxxxxxxx>
  • Date: Fri, 20 Oct 2023 15:16:02 +0200
  • Cc: "xen-devel@xxxxxxxxxxxxxxxxxxxx" <xen-devel@xxxxxxxxxxxxxxxxxxxx>, Andrew Cooper <andrew.cooper3@xxxxxxxxxx>, George Dunlap <george.dunlap@xxxxxxxxxx>, Julien Grall <julien@xxxxxxx>, Stefano Stabellini <sstabellini@xxxxxxxxxx>, Wei Liu <wl@xxxxxxx>, Demi Marie Obenour <demi@xxxxxxxxxxxxxxxxxxxxxx>, Henry Wang <Henry.Wang@xxxxxxx>
  • Delivery-date: Fri, 20 Oct 2023 13:16:12 +0000
  • List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

On 20.10.2023 12:53, Roger Pau Monné wrote:
> On Fri, Oct 20, 2023 at 07:53:51AM +0200, Jan Beulich wrote:
>> [1] specifies a long list of instructions which are intended to exhibit
>> timing behavior independent of the data they operate on. On certain
>> hardware this independence is optional, controlled by a bit in a new
>> MSR. Provide a command line option to control the mode Xen and its
>> guests are to operate in, with a build time control over the default.
>> Longer term we may want to allow guests to control this.
> 
> Couldn't we just expose DOITM in MSR_ARCH_CAPS (by setting the A flag
> in the feature enumeration) and handle accesses to
> MSR_UARCH_MISC_CTRL?
> 
> The complications would be with the leveling of the feature across a
> pool, as AFAICT the bit needs to be OR'ed rather than AND'ed across
> hosts.
> 
> It would also then need some special handling in order to allow
> reporting DOITM on hardware that doesn't have the feature (and writes
> to MSR_UARCH_MISC_CTRL won't be forwarded to hardware in that case).
> 
> From an implementation PoV we might want to treat this as SSBD, and
> allow Xen to run with the guest selection.
> 
> Anyway, likely much more than what you want to do

Right, I understand that's also the reason why a yet more minimalistic
variant exists in XenServer's patch queue.

>> Since Arm64 supposedly also has such a control, put command line option
>> and Kconfig control in common files.

This, implicitly, ...

>> [1] 
>> https://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/best-practices/data-operand-independent-timing-isa-guidance.html
>>
>> Requested-by: Demi Marie Obenour <demi@xxxxxxxxxxxxxxxxxxxxxx>
>> Signed-off-by: Jan Beulich <jbeulich@xxxxxxxx>
>> Release-acked-by: Henry Wang <Henry.Wang@xxxxxxx>
> 
> Acked-by: Roger Pau Monné <roger.pau@xxxxxxxxxx>
> 
> The only concern I have is with the Kconfig and command line options
> being named DIT instead of DOIT, which would be what I would search
> for given the documentation from Intel.  Maybe that's for unification
> with Arm?

... relates to this: Supposedly DIT is the name used there.

Thanks for the ack.

>> @@ -187,6 +190,18 @@ config SPECULATIVE_HARDEN_GUEST_ACCESS
>>  
>>  endmenu
>>  
>> +config DIT_DEFAULT
>> +    bool "Data Independent Timing default"
>> +    depends on HAS_DIT
>> +    help
>> +      Hardware often surfaces instructions the timing of which is dependent
>> +      on the data they process.  Some of these instructions may be used in
>> +      timing sensitive environments, e.g. cryptography.  When such
>> +      instructions exist, hardware may further surface a control allowing
>> +      to make the behavior of such instructions independent of the data
>> +      they act upon.  Choose the default here for when no "dit" command line
>> +      option is present.
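Review bot: the new `config DIT_DEFAULT` has no `default` line, so unless something outside this hunk sets it, the option is "n" and the build-time default is "off" even on hardware that surfaces the control; if that is intended, an explicit `default n` (or a sentence in the help text saying the control is left off unless selected) would make the choice visible rather than implicit. Separately, "a control allowing to make the behavior of such instructions independent of the data they act upon" is not grammatical; "a control that makes the timing of such instructions independent of the data they act upon" reads better and also names what the control actually fixes (timing, not behavior in general).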
> 
> I would word the last sentence as `Note the build time value can be
> changed at runtime using the "dit" command line option.`

Oh, yes, that's quite a bit better.

Jan
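The alternative Roger sketches above (advertise DOITM in MSR_ARCH_CAPS, OR rather than AND the bit when levelling across a pool, keep guest writes to MSR_UARCH_MISC_CTRL in guest state and forward them only on hardware that has the MSR, as is done for SSBD) can be modelled in a few dozen lines. The following is an added example written for this page; it is not Xen code and not the patch under discussion. The MSR indexes and bit positions (ARCH_CAPS bit 12, UARCH_MISC_CTRL 0x1b01 bit 0) are those from Intel's DOIT guidance; the `struct host`/`struct guest` layout, the two-host pool and every function name are hypothetical, constructed to show the levelling rule and the write-forwarding decision.

```c
/*
 * Model of exposing DOITM to a migratable guest across a host pool.
 * Added example, not Xen code.  MSR numbers and bit positions follow
 * Intel's DOIT guidance; struct/function names and the sample pool are
 * hypothetical constructs for illustration.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define MSR_ARCH_CAPABILITIES  0x0000010aU
#define ARCH_CAPS_RDCL_NO      (1ULL << 0)
#define ARCH_CAPS_DOITM        (1ULL << 12)   /* MSR_UARCH_MISC_CTRL exists */
#define MSR_UARCH_MISC_CTRL    0x00001b01U
#define UARCH_CTRL_DOITM       (1ULL << 0)    /* data operand independent timing */

struct host {
    const char *name;
    uint64_t arch_caps;   /* hardware MSR_ARCH_CAPABILITIES */
    uint64_t uarch_ctrl;  /* hardware MSR_UARCH_MISC_CTRL; meaningful only with DOITM */
};

struct guest {
    uint64_t arch_caps;   /* levelled ARCH_CAPS the guest is shown */
    uint64_t uarch_ctrl;  /* emulated MSR_UARCH_MISC_CTRL, kept across migration */
};

/* Constructed sample pool: one host with the optional control, one without. */
static struct host pool[] = {
    { "host-a", ARCH_CAPS_RDCL_NO | ARCH_CAPS_DOITM, 0 },
    { "host-b", ARCH_CAPS_RDCL_NO, 0 },
};
#define POOL_SIZE (sizeof(pool) / sizeof(pool[0]))

/*
 * Levelling rule.  Ordinary ARCH_CAPS bits are ANDed: a guest may rely only
 * on what every host provides.  DOITM is ORed: if any host needs the guest to
 * opt in, the guest must be able to, and a host without the control already
 * behaves as if it were set, so advertising it there is harmless.
 */
uint64_t level_arch_caps(const struct host *hosts, size_t n)
{
    uint64_t and_bits = ~0ULL, or_bits = 0;

    for (size_t i = 0; i < n; i++) {
        and_bits &= hosts[i].arch_caps;
        or_bits |= hosts[i].arch_caps;
    }
    return (and_bits & ~ARCH_CAPS_DOITM) | (or_bits & ARCH_CAPS_DOITM);
}

/* Emulated WRMSR.  Returns 0 on success, -1 to inject #GP. */
int guest_wrmsr(struct guest *g, struct host *cur, uint32_t msr, uint64_t val)
{
    if (msr != MSR_UARCH_MISC_CTRL || !(g->arch_caps & ARCH_CAPS_DOITM))
        return -1;               /* MSR not enumerated to this guest */
    if (val & ~UARCH_CTRL_DOITM)
        return -1;               /* reserved bits must be zero */

    g->uarch_ctrl = val;         /* always retained in guest state */
    if (cur->arch_caps & ARCH_CAPS_DOITM)
        cur->uarch_ctrl = val;   /* forwarded only where the MSR exists */
    return 0;
}

/* Emulated RDMSR.  Returns 0 on success, -1 to inject #GP. */
int guest_rdmsr(const struct guest *g, uint32_t msr, uint64_t *val)
{
    if (msr != MSR_UARCH_MISC_CTRL || !(g->arch_caps & ARCH_CAPS_DOITM))
        return -1;
    *val = g->uarch_ctrl;
    return 0;
}

/* Context switch / arrival after migration: reapply the guest's choice on
 * hardware that has the control, the way SSBD state is reloaded. */
void guest_load_on(const struct guest *g, struct host *h)
{
    if (h->arch_caps & ARCH_CAPS_DOITM)
        h->uarch_ctrl = g->uarch_ctrl;
}

/* Guest boots on host-b (no DOITM), enables DOITM, migrates to host-a.
 * Returns host-a's hardware MSR value after the move (expected: DOITM set). */
uint64_t scenario_migrate_b_to_a(void)
{
    struct guest g = { level_arch_caps(pool, POOL_SIZE), 0 };

    pool[0].uarch_ctrl = pool[1].uarch_ctrl = 0;
    guest_wrmsr(&g, &pool[1], MSR_UARCH_MISC_CTRL, UARCH_CTRL_DOITM);
    guest_load_on(&g, &pool[0]);
    return pool[0].uarch_ctrl;
}

/* Writing a reserved bit must fault even though DOITM is enumerated. */
int scenario_reserved_bit_write(void)
{
    struct guest g = { level_arch_caps(pool, POOL_SIZE), 0 };
    return guest_wrmsr(&g, &pool[0], MSR_UARCH_MISC_CTRL, 1ULL << 1);
}

/* A guest without DOITM in its ARCH_CAPS must not see the MSR at all. */
int scenario_unenumerated_access(void)
{
    struct guest g = { 0, 0 };
    uint64_t v = 0;
    return guest_wrmsr(&g, &pool[0], MSR_UARCH_MISC_CTRL, UARCH_CTRL_DOITM) +
           guest_rdmsr(&g, MSR_UARCH_MISC_CTRL, &v);
}

int main(void)
{
    printf("levelled ARCH_CAPS: %#llx\n",
           (unsigned long long)level_arch_caps(pool, POOL_SIZE));
    printf("host-a UARCH_MISC_CTRL after migration: %#llx\n",
           (unsigned long long)scenario_migrate_b_to_a());
    printf("reserved-bit write: %d, unenumerated access: %d\n",
           scenario_reserved_bit_write(), scenario_unenumerated_access());
    return 0;
}
```

The point of the OR in `level_arch_caps` is the one Roger makes: the guest must be offered the opt-in if any host in the pool needs it, and on a host without the control the write is simply absorbed into guest state so that it takes effect after migration to a host that does have it.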