From: Peter Zijlstra <peterz@infradead.org>
To: Andy Lutomirski <luto@amacapital.net>
Cc: Paul Mackerras <paulus@samba.org>, Ingo Molnar <mingo@redhat.com>,
Arnaldo Carvalho de Melo <acme@kernel.org>,
"linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>
Subject: Re: Tightening up rdpmc permissions?
Date: Mon, 29 Sep 2014 18:48:36 +0200 [thread overview]
Message-ID: <20140929164836.GP5430@worktop> (raw)
In-Reply-To: <CALCETrU3nNvG6+-7iScYT8LDRFnq8kYnpK0cdW1bgW5O4EGrUg@mail.gmail.com>
On Mon, Sep 29, 2014 at 09:39:16AM -0700, Andy Lutomirski wrote:
> I was surprised to notice that, by default, every task has permission
> to use rdpmc.
Right, we figured the paranoid would poke at
/sys/bus/event_source/devices/cpu/rdpmc.
> seccomp cannot work around this.
I know nothing much about seccomp.
> This leaks information, although the information leaked is of dubious
> and variable value to an attacker. It also renders the PR_TSC_SEGV
> mechanism mostly useless.
I'm not seeing how, there's no saying what will run on those counters,
let alone if its correlated to the TSC. But yes I appreciate the
argument.
> Would it make sense to restrict rdpmc to tasks that are in mms that
> have a perf_event mapping?
We could,
> After all, unless I misunderstand
> something, user code can't reliably use rdpmc unless they've mapped a
> perf_event object to check the rdpmc bit and figure out what ecx value
> to use.
correct,
> I think that this could be implemented with very little overhead,
> especially if combined with the existing CR4_TSD code and if that code
> were taught to avoid reading cr4.
but there's a definite cost to having to write cr4 on every context
switch. It would be better if we could put it under TIF_NOTSC or
something similar and only be effective when something like seccomp or
other thingy is present and enabled. We should definitely avoid a double
cr4 write in case of both rdpmc and tsc switch.
next prev parent reply other threads:[~2014-09-29 16:48 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-09-29 16:39 Tightening up rdpmc permissions? Andy Lutomirski
2014-09-29 16:48 ` Peter Zijlstra [this message]
2014-09-29 17:36 ` Valdis.Kletnieks
2014-09-29 18:42 ` Andy Lutomirski
2014-10-08 23:47 ` Andy Lutomirski
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20140929164836.GP5430@worktop \
--to=peterz@infradead.org \
--cc=acme@kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=luto@amacapital.net \
--cc=mingo@redhat.com \
--cc=paulus@samba.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.