From patchwork Mon Oct 24 22:57:45 2022
From: Pawan Gupta
To: scott.d.constable@intel.com, daniel.sneddon@linux.intel.com, Jakub Kicinski, dave.hansen@intel.com, Johannes Berg, Paolo Abeni, antonio.gomez.iglesias@linux.intel.com, "David S. Miller", Eric Dumazet
Cc: linux-wireless@vger.kernel.org, linux-kernel@vger.kernel.org, x86@kernel.org, gregkh@linuxfoundation.org, netdev@vger.kernel.org
Subject: [RFC PATCH 0/2] Branch Target Injection (BTI) gadget in minstrel
Date: Mon, 24 Oct 2022 15:57:45 -0700

Hi,

There is a theoretical possibility of using minstrel_ht_get_expected_throughput() as a disclosure gadget for Branch History Injection (BHI)/Intra-mode Branch Target Injection (IMBTI) [1]. Requesting feedback on the couple of patches that mitigate this. The first patch adds a generic speculation barrier; the second patch uses the speculation barrier to mitigate BHI/IMBTI.
The other goal of this series is to start a discussion on whether such hard-to-exploit but theoretically possible attacks deserve to be mitigated.

In general, the Branch Target Injection class of attacks involves an adversary controlling an indirect branch target to misspeculate to a disclosure gadget. For a successful attack an adversary also needs to control the register contents used by the disclosure gadget. Assuming the preconditions are met, a disclosure gadget would transiently do the following:

1. Load attacker-chosen data from memory.
2. Based on the data, modify cache state that is observable by an attacker.

Although both these operations are architecturally invisible, the cache state changes could be used to infer the data. The disclosure gadget is mitigated by adding a speculation barrier.

Thanks,
Pawan

[1] https://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/technical-documentation/branch-history-injection.html

Pawan Gupta (2):
  nospec: Add a generic barrier_nospec()
  minstrel_ht: Mitigate BTI gadget minstrel_ht_get_expected_throughput()

 include/linux/nospec.h             | 4 ++++
 net/mac80211/rc80211_minstrel_ht.c | 9 +++++++++
 2 files changed, 13 insertions(+)
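The two-step gadget shape the cover letter describes, as a constructed C illustration added here (it is neither the minstrel code nor the series' patches): a caller-controlled index drives a first load whose value selects a second, cache-line-spaced access, and a speculation barrier placed before the loads keeps them from issuing transiently. The table names and sizes, and the lfence stand-in for the kernel's barrier_nospec(), are assumptions.

```c
/* Constructed illustration of a two-load disclosure gadget and of where a
 * speculation barrier cuts it. Not the minstrel code; tables are made up. */
#include <stdint.h>

#if defined(__x86_64__) || defined(__i386__)
/* Stand-in for the x86 barrier_nospec(): no later instruction starts
 * executing until everything before the fence has completed. */
#define barrier_nospec() __asm__ __volatile__("lfence" ::: "memory")
#else
/* Compiler-only barrier on other targets; no hardware effect (assumption). */
#define barrier_nospec() __asm__ __volatile__("" ::: "memory")
#endif

#define NUM_RATES  8
#define CACHE_LINE 64

struct rate_stats {
    uint32_t prob_avg;   /* step 1: data selected by the caller's index */
};

static struct rate_stats rates[NUM_RATES];
/* One entry per cache line, so the dependent access leaves an
 * index-specific cache footprint (step 2). */
static uint8_t tp_table[256 * CACHE_LINE];

/* Gadget shape: if this function is reached transiently with an
 * attacker-chosen idx, both loads may issue before the branch resolves. */
uint32_t expected_throughput_unprotected(unsigned idx)
{
    if (idx >= NUM_RATES)
        return 0;
    uint32_t prob = rates[idx].prob_avg;               /* load 1 */
    return tp_table[(prob & 0xff) * CACHE_LINE];       /* load 2 */
}

/* Mitigated form: the barrier stops the dependent loads from being
 * issued until the preceding branch(es) have resolved. */
uint32_t expected_throughput_protected(unsigned idx)
{
    if (idx >= NUM_RATES)
        return 0;
    barrier_nospec();
    uint32_t prob = rates[idx].prob_avg;
    return tp_table[(prob & 0xff) * CACHE_LINE];
}

/* Fill the constructed tables with deterministic sample values. */
void seed_tables(void)
{
    for (unsigned i = 0; i < NUM_RATES; i++)
        rates[i].prob_avg = (i * 37) & 0xff;
    for (unsigned i = 0; i < 256; i++)
        tp_table[i * CACHE_LINE] = (uint8_t)(i * 3);
}
```

Both variants return the same architectural result; the difference is only in what can execute transiently, which is exactly why a missing barrier is invisible to functional tests.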