From mboxrd@z Thu Jan  1 00:00:00 1970
Return-path: <ak@linux.intel.com>
Received: from mga03.intel.com ([134.134.136.65])
	by Galois.linutronix.de with esmtps (TLS1.2:DHE_RSA_AES_256_CBC_SHA256:256)
	(Exim 4.80)
	(envelope-from <ak@linux.intel.com>)
	id 1fAk05-0001Ix-Le
	for speck@linutronix.de; Tue, 24 Apr 2018 00:31:58 +0200
Date: Mon, 23 Apr 2018 15:31:54 -0700
From: Andi Kleen <ak@linux.intel.com>
Subject: [MODERATED] Re: [patch 07/11] [PATCH v2 07/10] Linux Patch #7
Message-ID: <20180423223154.GT6694@tassilo.jf.intel.com>
References: <20180422093545.GA32218@pd.tnic>
 <2c7fa188-cd84-1a10-56cb-358d3f859559@redhat.com>
 <20180422103456.GC32218@pd.tnic>
 <alpine.DEB.2.21.1804231626290.2077@nanos.tec.linutronix.de>
 <3d7880e7-6b67-b35a-a090-2854f7db54ff@redhat.com>
 <2184fc1b-dcbc-a40c-64da-4965c7c48faa@redhat.com>
 <20180423175151.GA21779@dhcp-10-159-147-220.vpn.oracle.com>
 <alpine.LFD.2.21.999.1804231057030.12763@i7.lan>
 <217e6c7c-29f9-d754-33ec-fcc541792aab@redhat.com>
 <alpine.DEB.2.21.1804240009560.5261@nanos.tec.linutronix.de>
MIME-Version: 1.0
In-Reply-To: <alpine.DEB.2.21.1804240009560.5261@nanos.tec.linutronix.de>
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
To: speck@linutronix.de
List-ID: <speck.linutronix.de>

> Is it
>     opt-in or opt-out? 

It's opt-in, but with a caveat.

> Which processes should set it? 

Any JIT relying on language based security with untrusted code.

> What's the chance
>     that the applications get actually patched? i

With tieing it to seccomp many (most?) don't need to be patched
because they already use it. For example all the major Web Browsers
are already covered.

Some additional processes will need to be patched (e.g. JVM),
but to start that process requires defining a kernel API
first. So it's important that we define a kernel API.

> Anyway, if Intel thinks that this is desired, 

It is desired.

> then they can send patches on
> top of the big hammer (MD on/off globally) and provide the answers to #2
> and proper numbers.
> 
> It's fully orthogonal and does not change the plan of having the global MD
> on/off switch there ASAP and first.

They key point is what is the default. Defaulting MD to off by default
can cause large performance problems. So it's important to not turn
it off by default.  We should never ship a patch kit that does that.
It always should be a user decision.

But we still need to have options for the processes that actually
need it, that is why seccomp/prctl is required.

-Andi