From: Andrea Arcangeli <andrea@cpushare.com>
To: Andi Kleen <ak@suse.de>
Cc: linux-kernel@vger.kernel.org, Andrew Morton <akpm@osdl.org>
Subject: disable tsc with seccomp
Date: Sat, 5 Nov 2005 14:47:27 +0100 [thread overview]
Message-ID: <20051105134727.GF18861@opteron.random> (raw)
Hello,
This changeset is backing out an useful feature I implemented some month
ago:
http://kernel.org/hg/linux-2.6/?cs=2fd4e5f089df
Anything that can strengthen security is needed, the covert channels are
theoretically possible and this is a fact, you don't need hyperthreading
for that.
I tried to convince you a few times privately but I failed, and now that
you made mainline less secure, I have to raise the topic on l-k since
all other attemps to convince you privately already failed.
As I told you a few times, in real life any admin that doesn't notice a
task running at 100% cpu load for months means there are more serious
problems in that server, than the risk of covert channel. Because of
that, covert channels remains mostly a theoretical problem in servers.
But with the CPUShare usage of seccomp, running untrusted bycode for
months at 100% cpu load is the norm, so we must disable all high
precision timing information that we can disable.
Infact we should disable MISC_ENABLE too at runtime (if possible).
Furthermore i386 still has the tsc disable with seccomp, so the fact my
patch is still applied to i386 and has been backed out only of x86-64 is
a nosense. Either we back out both (and I strongly disagree with that),
or we keep both applied (this is what I'm suggesting). Current status
makes no sense to me.
If the end result of this discussion will be that both patches are
backed out, I'll rewrite them with a config option (turned off by
default). So the CPUShare users that wants to be safer, can enable it
when compiling the kernel (plus crossing fingers in the hope that
distros would also enable it before compiling their kernels). A config
option would make it acceptable even in the worst case I hope.
I think it would have been nicer from your part to at least make it a
config option instead of dropping it right away, especially after I
explicitly asked you not to drop it.
Thanks.
next reply other threads:[~2005-11-05 13:47 UTC|newest]
Thread overview: 13+ messages / expand[flat|nested] mbox.gz Atom feed top
2005-11-05 13:47 Andrea Arcangeli [this message]
2005-11-05 15:37 ` disable tsc with seccomp Andi Kleen
2005-11-05 16:07 ` Andrea Arcangeli
2005-11-05 16:12 ` Andi Kleen
2005-11-05 16:31 ` Andrea Arcangeli
2005-11-05 17:04 ` Andi Kleen
2005-11-06 1:55 ` Andrea Arcangeli
2005-11-21 16:43 ` Andrea Arcangeli
2005-11-21 17:05 ` Andi Kleen
2005-11-21 17:16 ` Andrea Arcangeli
2005-11-21 17:24 ` Andi Kleen
2005-11-21 17:38 ` Andrea Arcangeli
2005-11-21 18:40 ` Andrea Arcangeli
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20051105134727.GF18861@opteron.random \
--to=andrea@cpushare.com \
--cc=ak@suse.de \
--cc=akpm@osdl.org \
--cc=linux-kernel@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox