master now has full ibrs and ibpb support - notes
my123 (@never_released)
securetalk at sbmobilepilot.onmicrosoft.com
Wed Jan 10 22:22:00 PST 2018
Hi,
https://packages.debian.org/sid/amd64-microcode has IBPB according to https://packages.qa.debian.org/a/amd64-microcode/news/20180110T100416Z.html .
From: Users [mailto:users-bounces at dragonflybsd.org] On Behalf Of Matthew Dillon
Sent: Thursday, January 11, 2018 6:16 AM
To: users at dragonflybsd.org
Subject: master now has full ibrs and ibpb support - notes
Hey everyone. Ok, DFly master now has full ibrs and ibpb support. If your system has a microcode that supports it, or you load a new microcode that supports it, master will default to IBRS mode 1 operation.
IBRS mode 1 operation will protect the kernel (even without the kernel having RetPoline), and will also protect between user contexts, but will not protect attacks within the same user context (such as a browser Javascript attack against the browser itself). For that I point people to our chrome wiki page with instructions on how to do multi-layered protection of the chrome browser.
https://www.dragonflybsd.org/docs/docs/handbook/RunSecureBrowser/
If you want to run IBRS in mode 2 you can, but it won't add a whole lot to the mode 1 protections and it comes at a high cost. Essentially IBRS mode 2 is designed for future chipsets and microcodes which will have a new IBRS but which can just be set and forgotten. The current mode 2 operation still requires that the kernel issue a wrmsr for IBRS on every user->kernel transition.
IBPB is primarily designed to solve certain hardware virtualization issues and is not needed for user->kernel transitions when IBRS is enabled, so we recommend leaving IBPB mode turned off. This also requires a microcode update that supports it. Eventually IBPB on future processors may wind up being faster than IBRS as IBPB imposes a strict barrier and the cpu runs at full speed before and after. But right now the microcode IBPB implementations have a 2uS (2000nS) latency associated with them, so IBRS mode 1 is typically faster.
Most BIOS vendors do NOT yet have microcode updates. Intel has microcode updates but they haven't been integrated into our devcpu-data package yet and it takes a small bit of effort to translate the intel-supplied microcode to the .fw format that cpucontrol needs. But I expect this will change soon.
--
We do not have AMD support yet, because there are no publicly available AMD microcodes for Ryzen that I can find to test with which have these features. AMD is generally less vulnerable and will likely use IBRS=0 IBPB=1. I do not know what the AMD IBPB is going to cost us, yet, though.
--
I have included a general loss-of-performance matrix below so people can get an idea of the cost. I have included MMU isolation overheads assuming 4% overhead for Haswell and 2% overhead for Skylake and Kabylake for MMU isolation. This loss matrix is based on a time make -j 8 nativekernel NO_MODULES=TRUE, which is a good concurrent compile test. A very general case. Obviously different workloads are going to have wildly different performance loss figures, but this matrix will give you a pretty good idea at what the cost is.
These tests are just with CPUs I have handy and by no means complete.
Performance Loss Matrix
Using highly concurrent compile test case
INCLUDING MMU ISOLATION

              HASWELL           SKYLAKE           KABYLAKE-U
          IBPB=0  IBPB=1    IBPB=0  IBPB=1    IBPB=0  IBPB=1
IBRS=0      4%     16%        2%     19%        2%     19%
IBRS=1     16%     25%      4.4%     17%      4.0%     20%
IBRS=2     62%     64%       25%     34%       21%     31%

Keep in mind that the default setting will be IBRS=1 IBPB=0. As you can see, older CPUs such as Haswell are the most impacted, while more recent CPUs are far less impacted.
--
In DragonFlyBSD master, the machdep.spectre_mitigation sysctl can be used (if the microcode supports it) to set the mode of operation at any time.
mode
  0   IBRS=0 IBPB=0
  1   IBRS=1 IBPB=0
  2   IBRS=2 IBPB=0
  4   IBRS=0 IBPB=1
  5   IBRS=1 IBPB=1
  6   IBRS=2 IBPB=1
And the machdep.meltdown_mitigation sysctl can turn on/off MMU isolation (0=OFF, 1=ON), default will be on for Intel CPUs and off for AMD CPUs for now.
-Matt
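As an added example (not part of the list post or of DragonFly's own code), the small POSIX sh helper below turns the machdep.spectre_mitigation mode numbers from the table above into their IBRS/IBPB meaning and back, and reports the live value on a host that has the sysctl. It assumes, inferred from the table rather than stated in the post, that bits 0-1 of the mode hold the IBRS mode (0-2) and bit 2 holds the IBPB flag; values 3 and 7 are rejected because IBRS has no mode 3.

```shell
#!/bin/sh
# Added example: decode/encode machdep.spectre_mitigation mode values.
# Assumption (inferred from the mode table in the post): bits 0-1 = IBRS
# mode (0, 1 or 2), bit 2 = IBPB flag. Modes 3 and 7 are not valid.

# Print "IBRS=<n> IBPB=<n>" for a mode number; return 1 for anything
# outside the documented table (3, 7, values above 7, non-numbers).
spectre_mode_decode() {
    mode=$1
    case "$mode" in
        ''|*[!0-9]*) return 1 ;;
    esac
    if [ "$mode" -gt 7 ]; then
        return 1
    fi
    ibrs=$(( mode & 3 ))
    ibpb=$(( (mode >> 2) & 1 ))
    # IBRS only has modes 0, 1 and 2
    if [ "$ibrs" -gt 2 ]; then
        return 1
    fi
    printf 'IBRS=%d IBPB=%d\n' "$ibrs" "$ibpb"
}

# Inverse: build the mode number from IBRS (0-2) and IBPB (0-1).
spectre_mode_encode() {
    ibrs=$1
    ibpb=$2
    case "$ibrs" in 0|1|2) ;; *) return 1 ;; esac
    case "$ibpb" in 0|1) ;; *) return 1 ;; esac
    echo $(( ibrs | (ibpb << 2) ))
}

# Report the live Spectre and Meltdown mitigation sysctls on a DragonFly
# host. On a system without the sysctls the function says so instead of
# failing, so the script is safe to run anywhere.
spectre_mode_report() {
    cur=$(sysctl -n machdep.spectre_mitigation 2>/dev/null) || {
        echo "machdep.spectre_mitigation not present on this host"
        return 0
    }
    echo "spectre mode $cur: $(spectre_mode_decode "$cur" || echo 'unknown')"
    mi=$(sysctl -n machdep.meltdown_mitigation 2>/dev/null) || mi="n/a"
    echo "meltdown_mitigation (MMU isolation): $mi"
}

# Usage when run directly: show the current settings.
spectre_mode_report
```

To change the mode on DragonFly, set the sysctl to the number the encoder returns, e.g. `sysctl machdep.spectre_mitigation=$(spectre_mode_encode 1 0)` for the IBRS=1 IBPB=0 default the post recommends; the decoder is the quicker way to read back what a given number means after a reboot.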