From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-3.9 required=3.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED,DKIM_VALID,HEADER_FROM_DIFFERENT_DOMAINS,MAILING_LIST_MULTI, SPF_HELO_NONE,SPF_PASS,URIBL_BLOCKED autolearn=no autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id D598BC433E0 for ; Wed, 20 Jan 2021 18:50:06 +0000 (UTC) Received: from merlin.infradead.org (merlin.infradead.org [205.233.59.134]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPS id 83FF8206FA for ; Wed, 20 Jan 2021 18:50:06 +0000 (UTC) DMARC-Filter: OpenDMARC Filter v1.3.2 mail.kernel.org 83FF8206FA Authentication-Results: mail.kernel.org; dmarc=fail (p=none dis=none) header.from=linaro.org Authentication-Results: mail.kernel.org; spf=none smtp.mailfrom=linux-arm-kernel-bounces+linux-arm-kernel=archiver.kernel.org@lists.infradead.org DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=lists.infradead.org; s=merlin.20170209; h=Sender:Content-Transfer-Encoding: Content-Type:Cc:List-Subscribe:List-Help:List-Post:List-Archive: List-Unsubscribe:List-Id:In-Reply-To:MIME-Version:References:Message-ID: Subject:To:From:Date:Reply-To:Content-ID:Content-Description:Resent-Date: Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:List-Owner; bh=02uTRK3JckvpAsAu8yIM/1F8RDDZTHLiEEZdZ/Xn6Xw=; b=KylZLm0s4rgZqzSagZ1E+o8W6 xv6I1sjqSdrPRFic1Pwru6PEQfUAI01fqFLaq1nTczbKglrKnawLbL27YgW7cMa4RG3KYqI07/Mry 9PW/cTUi8zWtzcIo/vu8TkBqAjXw1qVBws3v+nxolbou9hectY/V77eb/rZkyrW5lPryfgijqdBZj pi+Vz6oTwm/yglSWOb46D51R1UwQF0Z/Byv8c7UlnTk0+XooQ0R2EA9E69Z3C9ikndVLqhqON15QT jlm4iNUzkVMPbfytaGDiUQhY/BfzMx5gCMDXZ6sDlP11UJqOQe/ijmtRrNsgzceog1EL6RnMt7ZWe gi+h9mrbA==; Received: from localhost ([::1] helo=merlin.infradead.org) by merlin.infradead.org with esmtp (Exim 4.92.3 #3 (Red Hat Linux)) id 1l2IX9-0003kl-ON; Wed, 20 Jan 2021 18:48:47 +0000 Received: from mail-pf1-x42c.google.com ([2607:f8b0:4864:20::42c]) by merlin.infradead.org with esmtps (Exim 4.92.3 #3 (Red Hat Linux)) id 1l2IX6-0003jr-GQ for linux-arm-kernel@lists.infradead.org; Wed, 20 Jan 2021 18:48:45 +0000 Received: by mail-pf1-x42c.google.com with SMTP id t29so9947567pfg.11 for ; Wed, 20 Jan 2021 10:48:43 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linaro.org; s=google; h=date:from:to:cc:subject:message-id:references:mime-version :content-disposition:in-reply-to; bh=/5Cv4pHDEwpFya1ca/ZpRFyUHE65qa5G41oFQpNl5GM=; b=jdVSJVKMHHUgt8ZELkdJI4HkFNZQ6l+Q0tIo6UhH7DGbLLRcbPKjW/hUUhWO0vL2oe kUj4kbV0jJXfbI0ebRY83BT5r1o7FthIIkRHB0vj44nEKpGdQmZIU3Ee1bQRl+AAH7vI 5O1++uzkiWCST2JS0lLeFaRNNC21lxtdCKRP2mzI/m7Smugcka75qzj1s46llPrj3J87 SyoMVfxFz96KMbtiWCCJ1HHTJ5Dln8KOckWKDoyD1tUd1kJ6uy3iJit3n7+6WpbWSGpJ QHk2CIBqqW1zSGTBUvbb5UNpsd6CrMp83lr70O//4e2AOXUJNw8F1qmiEnnwZ7aYjmOg CQWg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:date:from:to:cc:subject:message-id:references :mime-version:content-disposition:in-reply-to; bh=/5Cv4pHDEwpFya1ca/ZpRFyUHE65qa5G41oFQpNl5GM=; b=dAnUMMKlnq3L7w7ykjZ6hXEElv0TgE6Dqu78v+B8OdI0PWLC+9uUshD2zO4RJk5ywG 47jqPIzBOfUHHM14yndNbuhj9CiuB94Im1Wl+1ChD8/hTTglBMS1CYC3Ejxnsx4X+8ZD 0B/VkEqlDqgag6z/AbvNuKV764HQibL0ZJZy+083qhgcMyY0i1g+HcEnqr9dvkBDmBPc KsfvLeXLZX2MPfc0CYjID9dGwJu3E9vpVsB7fRbggswrTIJ2N2g8oOf4sdIh6kpYRVOA XitX63lXgGQ+LhqpUlYQ6qCI8CWymfW+XdocoaIqGgWXLKh03AeWAx18x44sflMgbpM8 16fQ== X-Gm-Message-State: AOAM530axkUbbczKOVw3bcfNe5tfgZuUHKtf8rEjJICtMOIChNwYT5w3 wM6tXJ3dvBAxWeTOdt7kY/gstw== X-Google-Smtp-Source: ABdhPJyEQ2ymKJwR0ANDgbelj0tESM662YjzuAKu99FKpAtwQK1t8zooyZ5dMArZCGIWt8TxlBoR4g== X-Received: by 2002:a05:6a00:1393:b029:1b4:7938:ff1d with SMTP id t19-20020a056a001393b02901b47938ff1dmr10494530pfg.31.1611168522092; Wed, 20 Jan 2021 10:48:42 -0800 (PST) Received: from xps15 (S0106889e681aac74.cg.shawcable.net. [68.147.0.187]) by smtp.gmail.com with ESMTPSA id x23sm3195933pgk.14.2021.01.20.10.48.40 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 20 Jan 2021 10:48:41 -0800 (PST) Date: Wed, 20 Jan 2021 11:48:39 -0700 From: Mathieu Poirier To: Al Grant Subject: Re: [PATCH] coresight: etm4x: Add config to exclude kernel mode tracing Message-ID: <20210120184839.GB708905@xps15> References: <20201015124522.1876-1-saiprakash.ranjan@codeaurora.org> <20201015160257.GA1450102@xps15> <20210118202354.GC464579@xps15> <32216e9fa5c9ffb9df1123792d40eafb@codeaurora.org> MIME-Version: 1.0 Content-Disposition: inline In-Reply-To: X-CRM114-Version: 20100106-BlameMichelson ( TRE 0.8.0 (BSD) ) MR-646709E3 X-CRM114-CacheID: sfid-20210120_134844_628973_10B41811 X-CRM114-Status: GOOD ( 40.65 ) X-BeenThere: linux-arm-kernel@lists.infradead.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: Sai Prakash Ranjan , Denis Nikitin , Suzuki Poulose , "linux-arm-msm@vger.kernel.org" , "coresight@lists.linaro.org" , "linux-kernel@vger.kernel.org" , Stephen Boyd , "leo.yan@linaro.org" , "mnissler@google.com" , "linux-arm-kernel@lists.infradead.org" , Mike Leach Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Sender: "linux-arm-kernel" Errors-To: linux-arm-kernel-bounces+linux-arm-kernel=archiver.kernel.org@lists.infradead.org On Tue, Jan 19, 2021 at 08:36:22AM +0000, Al Grant wrote: > Hi Sai, > > > From: saiprakash.ranjan=codeaurora.org@mg.codeaurora.org > > Hi Mathieu, > > > > On 2021-01-19 01:53, Mathieu Poirier wrote: > > > On Fri, Jan 15, 2021 at 11:16:24AM +0530, Sai Prakash Ranjan wrote: > > >> Hello Mathieu, Suzuki > > >> > > >> On 2020-10-15 21:32, Mathieu Poirier wrote: > > >> > On Thu, Oct 15, 2020 at 06:15:22PM +0530, Sai Prakash Ranjan wrote: > > >> > > On production systems with ETMs enabled, it is preferred to > > >> > > exclude kernel mode(NS EL1) tracing for security concerns and > > >> > > support only userspace(NS EL0) tracing. So provide an option via > > >> > > kconfig to exclude kernel mode tracing if it is required. > > >> > > This config is disabled by default and would not affect the > > >> > > current configuration which has both kernel and userspace tracing > > >> > > enabled by default. > > >> > > > > >> > > > >> > One requires root access (or be part of a special trace group) to > > >> > be able to use the cs_etm PMU. With this kind of elevated access > > >> > restricting tracing at EL1 provides little in terms of security. > > >> > > > >> > > >> Apart from the VM usecase discussed, I am told there are other > > >> security concerns here regarding need to exclude kernel mode tracing > > >> even for the privileged users/root. One such case being the ability > > >> to analyze cryptographic code execution since ETMs can record all > > >> branch instructions including timestamps in the kernel and there may > > >> be other cases as well which I may not be aware of and hence have > > >> added Denis and Mattias. Please let us know if you have any questions > > >> further regarding this not being a security concern. > > > > > > Even if we were to apply this patch there are many ways to compromise > > > a system or get the kernel to reveal important information using the > > > perf subsystem. I would perfer to tackle the problem at that level > > > rather than concentrating on coresight. > > > > > > > Sorry but I did not understand your point. We are talking about the capabilities > > of coresight etm tracing which has the instruction level tracing and a lot more. > > Perf subsystem is just the framework used for it. > > In other words, its not the perf subsystem which does instruction level tracing, > > its the coresight etm. Why the perf subsystem should be modified to lockdown > > kernel mode? If we were to let perf handle all the trace filtering for different > > exception levels, then why do we need the register settings in coresight etm > > driver to filter out NS EL* tracing? And more importantly, how do you suppose > > we handle sysfs mode of coresight tracing with perf subsystem? > > You both have good points. Mathieu is right that this is not a CoreSight > issue specifically, it is a matter of kernel security policy, and other hardware > tracing mechanisms ought to be within its scope. There should be a general > "anti kernel exfiltration" config that applies to all mechanisms within > its scope, and we'd definitely expect that to include Intel PT as well as ETM. > > A kernel config that forced exclude_kernel on all perf events would deal with > ETM and PT in one place, but miss the sysfs interface to ETM. > > On the other hand, doing it in the ETM drivers would cover the perf and sysfs > interfaces to ETM, but would miss Intel PT. > > So I think what is needed is a general config option that is both implemented > in perf (excluding all kernel tracing events) and by any drivers that provide > an alternative interface to hardware tracing events. > I also think this is the right solution. Thanks, Mathieu > Al > > > > > > Thanks, > > Sai > > > > -- > > QUALCOMM INDIA, on behalf of Qualcomm Innovation Center, Inc. is a member > > of Code Aurora Forum, hosted by The Linux Foundation _______________________________________________ linux-arm-kernel mailing list linux-arm-kernel@lists.infradead.org http://lists.infradead.org/mailman/listinfo/linux-arm-kernel