* Andy Lutomirski <l...@amacapital.net> wrote: > > > > On Feb 5, 2018, at 3:42 AM, Ingo Molnar <mi...@kernel.org> wrote: > > > > > > * Dan Williams <dan.j.willi...@intel.com> wrote: > > > >> + /* > >> + * Sanitize extra registers of values that a speculation attack > >> + * might want to exploit. In the CONFIG_FRAME_POINTER=y case, > >> + * the expectation is that %ebp will be clobbered before it > >> + * could be used. > >> + */ > >> + .macro CLEAR_EXTRA_REGS_NOSPEC > >> + xorq %r15, %r15 > >> + xorq %r14, %r14 > >> + xorq %r13, %r13 > >> + xorq %r12, %r12 > >> + xorl %ebx, %ebx > >> +#ifndef CONFIG_FRAME_POINTER > >> + xorl %ebp, %ebp > >> +#endif > >> + .endm > > > > Yeah, so this series look pretty good to me, but there's one small detail: > > I think > > RBP should be cleared unconditionally here, even in the > > CONFIG_FRAME_POINTERS=y > > case, because: > > ENCODE_FRAME_POINTER should take care of rbp, though.
AFAICS there's various entry paths where it's not used I think: for example the compat system calls in entry_64_compat.S don't seem to encode RBP in such a fashion (unless I missed some macro side effect). Basically I'd iterate these things the following way: - where there's justified, demonstrable doubt we should be clearing input values in a simple, robust fashion (as it seems to be in this particular case) - then we can micro-optimize again when we are convinced that it's safe Otherwise I'm worried about the speed with which we converge to Spectre correctness. Thanks, Ingo