master now has full ibrs and ibpb support - notes

Matthew Dillon dillon at backplane.com
Wed Jan 10 22:16:26 PST 2018


Hey everyone.  Ok, DFly master now has full ibrs and ibpb support.  If your
system has a microcode that supports it, or you load a new microcode that
supports it, master will default to IBRS mode 1 operation.

IBRS mode 1 operation will protect the kernel (even without the kernel
having RetPoline), and will also protect between user contexts, but will
not protect attacks within the same user context (such as a browser
Javascript attack against the browser itself).  For that I point people to
our chrome wiki page with instructions on how to do multi-layered
protection of the chrome browser.

https://www.dragonflybsd.org/docs/docs/handbook/RunSecureBrowser/

If you want to run IBRS in mode 2 you can, but it won't add a whole lot to
the mode 1 protections and it comes at a high cost.   Essentially IBRS mode
2 is designed for future chipsets and microcodes which will have a new IBRS
but which can just be set and forgotten.  The current mode 2 operation
still requires that the kernel issue a wrmsr for IBRS on every user->kernel
transition.

IBPB is primarily designed to solve certain hardware virtualization issues
and is not needed for user->kernel transitions when IBRS is enabled, so we
recommennd leaving IBPB mode turned off.  This also requires a microcode
update that supports it.  Eventually IBPB on future processors may wind up
being faster than IBRS as IBPB imposes a strict barrier and the cpu runs at
full speed before and after.  But right now the microcode IBPB
implementations have a 2uS (2000nS) latency associated with them, so IBRS
mode 1 is typically faster.

Most BIOS vendors do NOT yet have microcode updates.  Intel has microcode
updates but they haven't been integrated into our devcpu-data package yet
and it takes a small bit of effort to translate the intel-supplied
microcode to the .fw format that cpucontrol needs.  But I expect this will
change soon.

--

We do not have AMD support yet, because there are no publically available
AMD microcodes for Ryzen that I can find to test with which have these
features.  AMD is generally less vulnerable and will likely use IBRS=0
IBPB=1.  I do not know what the AMD IBPB is going to cost us, yet, though.

--

I have included a general loss-of-performance matrix below so people can
get an idea of the cost.  I have included MMU isolation overheads assuming
4% overhead for Haswell and 2% overhead for Skylake and Kabylake for MMU
isolation.  This loss matrix is based on a time make -j 8 nativekernel
NO_MODULES=TRUE, which is a good concurrent compile test.  A very general
case.  Obviously different workloads are going to have wildly different
performance loss figures, but this matrix will give you a pretty good idea
at what the cost is.

These tests are just with CPUs I have handy and by no means complete.

                        Performance Loss Matrix
               Using Highly concurrent compile test case
                     INCLUDING MMU ISOLATION
           HASWELL                 SKYLAKE                KABYLAKE-U
        IBPB=0  IBPB=1          IBPB=0  IBPB=1        IBPB=0  IBPB=1
IBRS=0     4%    16%              2%      19%            2%      19%
IBRS=1    16%    25%            4.4%     17%          4.0%     20%
IBRS=2    62%    64%             25%     34%           21%     31%

Keeping in mind that the default setting will be IBRS=1 IBPB=0.  As you can
see, older CPUs such as Haswell are the most impacted, while more recent
CPUs are far less impacted.

--

In DragonFlyBSD master, the machdep.spectre_mitigation sysctl can be used
(if the microcode supports it) to set the mode of operation at any time.

mode
0    IBRS=0  IBPB=0
1    IBRS=1  IBPB=0
2    IBRS=2  IBPB=0

4    IBRS=0  IBPB=1
5    IBRS=1  IBPB=1
6    IBRS=2  IBPB=1

And the machdep.meltdown_mitigation sysctl can turn on/off MMU isolation
(0=OFF, 1=ON), default will be on for Intel CPUs and off for AMD CPUs for
now.

-Matt
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.dragonflybsd.org/pipermail/users/attachments/20180110/0d057ef9/attachment.html>


More information about the Users mailing list