Hi Peter,

On 2021-02-02 11:41, Sai Prakash Ranjan wrote:
> Hi Peter,
>
> On 2021-02-01 19:11, Peter Zijlstra wrote:
>> On Mon, Feb 01, 2021 at 01:11:04PM +0530, Sai Prakash Ranjan wrote:
>>
>>> Ok I suppose you mean CONFIG_SECURITY_LOCKDOWN_LSM? But I don't see
>>> how this new config has to depend on that? This can work independently
>>> whether complete lockdown is enforced or not since it applies to only
>>> hardware instruction tracing. Ideally this depends on several hardware
>>> tracing configs such as ETMs and others but we don't need them because
>>> we are already exposing PERF_PMU_CAP_ITRACE check in the events core.
>>
>> If you don't have lockdown, root pretty much owns the kernel, or am I
>> missing something?
>
> You are right in saying that without lockdown root would own kernel but
> this config (EXCLUDE_KERNEL) will independently make sure that kernel
> level pmu tracing is not allowed (we return -EACCES) even if LOCKDOWN
> config is disabled. So I'm saying that we don't need to depend on
> LOCKDOWN config, it's good to have LOCKDOWN config enabled but perf
> subsystem doesn't have to care about that.
>
>>> be used for some speculative execution based attacks. Which other
>>> kernel level PMUs can be used to get a full branch trace that is not
>>> locked down? If there is one, then this should probably be applied to
>>> it as well.
>>
>> Just the regular counters. The information isn't as accurate, but given
>> enough goes you can infer plenty.
>>
>> Just like all the SMT side-channel attacks.
>>
>> Sure, PT and friends make it even easier, but I don't see a fundamental
>> distinction.
>
> Right, we should then exclude all kernel level pmu tracing, is it fine?
>
> if (IS_ENABLED(CONFIG_EXCLUDE_KERNEL_HW_ITRACE) && !attr.exclude_kernel)
>         return -EACCES;

Sorry for being pushy, but does the above make sense?
Thanks,
Sai
--
QUALCOMM INDIA, on behalf of Qualcomm Innovation Center, Inc. is a member
of Code Aurora Forum, hosted by The Linux Foundation