The patch titled
Add SECCOMP_DISABLE_TSC config option
has been added to the -mm tree. Its filename is
add-seccomp_disable_tsc-config-option.patch
See http://www.zip.com.au/~akpm/linux/patches/stuff/added-to-mm.txt to find
out what to do about this
------------------------------------------------------
Subject: Add SECCOMP_DISABLE_TSC config option
From: Andrea Arcangeli <andrea@xxxxxxxxxxxx>
Make the TSC disable purely paranoid feature optional, so by default seccomp
returns absolutely zerocost.
Signed-off-by: Andrea Arcangeli <andrea@xxxxxxxxxxxx>
Signed-off-by: Andrew Morton <akpm@xxxxxxxx>
---
arch/i386/Kconfig | 12 ++++++++++++
arch/i386/kernel/process.c | 2 ++
arch/x86_64/Kconfig | 12 ++++++++++++
arch/x86_64/kernel/process.c | 31 +++++++++++++++++++++++++++++++
4 files changed, 57 insertions(+)
diff -puN arch/i386/Kconfig~add-seccomp_disable_tsc-config-option arch/i386/Kconfig
--- a/arch/i386/Kconfig~add-seccomp_disable_tsc-config-option
+++ a/arch/i386/Kconfig
@@ -737,6 +737,18 @@ config SECCOMP
If unsure, say Y. Only embedded should say N here.
+config SECCOMP_DISABLE_TSC
+ bool "Disable the TSC for seccomp tasks"
+ depends on SECCOMP
+ default n
+ help
+ This feature mathematically prevents covert channels
+ for tasks running under SECCOMP. This can generate
+ a minuscule overhead in the scheduler.
+
+ If you care most about performance say N. Say Y only if you're
+ paranoid about covert channels.
+
config VGA_NOPROBE
bool "Don't probe VGA at boot" if EMBEDDED
default n
diff -puN arch/i386/kernel/process.c~add-seccomp_disable_tsc-config-option arch/i386/kernel/process.c
--- a/arch/i386/kernel/process.c~add-seccomp_disable_tsc-config-option
+++ a/arch/i386/kernel/process.c
@@ -572,6 +572,7 @@ handle_io_bitmap(struct thread_struct *n
static inline void disable_tsc(struct task_struct *prev_p,
struct task_struct *next_p)
{
+#ifdef CONFIG_SECCOMP_DISABLE_TSC
struct thread_info *prev, *next;
/*
@@ -590,6 +591,7 @@ static inline void disable_tsc(struct ta
has_secure_computing(next))
write_cr4(read_cr4() | X86_CR4_TSD);
}
+#endif
}
/*
diff -puN arch/x86_64/Kconfig~add-seccomp_disable_tsc-config-option arch/x86_64/Kconfig
--- a/arch/x86_64/Kconfig~add-seccomp_disable_tsc-config-option
+++ a/arch/x86_64/Kconfig
@@ -526,6 +526,18 @@ config SECCOMP
If unsure, say Y. Only embedded should say N here.
+config SECCOMP_DISABLE_TSC
+ bool "Disable the TSC for seccomp tasks"
+ depends on SECCOMP
+ default n
+ help
+ This feature mathematically prevents covert channels
+ for tasks running under SECCOMP. This can generate
+ a minuscule overhead in the scheduler.
+
+ If you care most about performance say N. Say Y only if you're
+ paranoid about covert channels.
+
source kernel/Kconfig.hz
config REORDER
diff -puN arch/x86_64/kernel/process.c~add-seccomp_disable_tsc-config-option arch/x86_64/kernel/process.c
--- a/arch/x86_64/kernel/process.c~add-seccomp_disable_tsc-config-option
+++ a/arch/x86_64/kernel/process.c
@@ -494,6 +494,35 @@ out:
}
/*
+ * This function selects if the context switch from prev to next
+ * has to tweak the TSC disable bit in the cr4.
+ */
+static inline void disable_tsc(struct task_struct *prev_p,
+ struct task_struct *next_p)
+{
+#ifdef CONFIG_SECCOMP_DISABLE_TSC
+ struct thread_info *prev, *next;
+
+ /*
+ * gcc should eliminate the ->thread_info dereference if
+ * has_secure_computing returns 0 at compile time (SECCOMP=n).
+ */
+ prev = prev_p->thread_info;
+ next = next_p->thread_info;
+
+ if (has_secure_computing(prev) || has_secure_computing(next)) {
+ /* slow path here */
+ if (has_secure_computing(prev) &&
+ !has_secure_computing(next)) {
+ write_cr4(read_cr4() & ~X86_CR4_TSD);
+ } else if (!has_secure_computing(prev) &&
+ has_secure_computing(next))
+ write_cr4((read_cr4() | X86_CR4_TSD) & ~X86_CR4_PCE);
+ }
+#endif
+}
+
+/*
* This special macro can be used to load a debugging register
*/
#define loaddebug(thread,r) set_debugreg(thread->debugreg ## r, r)
@@ -622,6 +651,8 @@ __switch_to(struct task_struct *prev_p,
}
}
+ disable_tsc(prev_p, next_p);
+
/* If the task has used fpu the last 5 timeslices, just do a full
* restore of the math state immediately to avoid the trap; the
* chances of needing FPU soon are obviously high now
_
Patches currently in -mm which might be from andrea@xxxxxxxxxxxx are
add-seccomp_disable_tsc-config-option.patch
-
To unsubscribe from this list: send the line "unsubscribe mm-commits" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
