Hi Peter,
On 2021-01-30 01:00, Peter Zijlstra wrote:
On Sat, Jan 30, 2021 at 12:35:10AM +0530, Sai Prakash Ranjan wrote:
Here the idea is to protect such important information from all users
including root users since root privileges does not have to mean full
control over the kernel [1] and root compromise does not have to be
the end of the world.
And yet, your thing lacks:
I guess you mean this lacks an explanation as to why this only applies
to ITRACE and not others? See below.
+config EXCLUDE_KERNEL_HW_ITRACE
+ bool "Exclude kernel mode hardware assisted instruction tracing"
+ depends on PERF_EVENTS
depends on SECURITY_LOCKDOWN
or whatever the appropriate symbol is.
Ok I suppose you mean CONFIG_SECURITY_LOCKDOWN_LSM? But I don't see
how this new config has to depend on that? This can work independently
whether complete lockdown is enforced or not since it applies to only
hardware instruction tracing. Ideally this depends on several hardware
tracing configs such as ETMs and others but we don't need them because
we are already exposing PERF_PMU_CAP_ITRACE check in the events core.
+ help
+ Exclude kernel mode instruction tracing by hardware tracing
+ family such as ARM Coresight ETM, Intel PT and so on.
+
+ This option allows to disable kernel mode instruction tracing
+ offered by hardware assisted tracing for all users(including root)
+ especially for production systems where only userspace tracing
might
+ be preferred for security reasons.
Also, colour me unconvinced, pretty much all kernel level PMU usage
can be employed to side-channel / infer crypto keys, why focus on
ITRACE over others?
Here ITRACE is not just instruction trace, it is meant for hardware
assisted
instruction trace such as Intel PT, Intel BTS, ARM coresight etc. These
provide
much more capabilities than normal instruction tracing whether its
kernel level
or userspace. More specifically, these provide more accurate branch
trace like
Intel PT LBR (Last Branch Record), Intel BTS(Branch Trace Store) which
can be
used to decode the program flow more accurately with timestamps in real
time
than other PMUs. Also there is cycle accurate tracing which can
theoretically
be used for some speculative execution based attacks. Which other kernel
level
PMUs can be used to get a full branch trace that is not locked down? If
there
is one, then this should probably be applied to it as well.
Thanks,
Sai
--
QUALCOMM INDIA, on behalf of Qualcomm Innovation Center, Inc. is a
member
of Code Aurora Forum, hosted by The Linux Foundation