Re: Proposal: CAP_PAYLOAD to reduce Meltdown and Spectre mitigation costs

[Pavel Machek <pavel@ucw.cz>]

[-- Attachment #1: Type: text/plain, Size: 1473 bytes --]

On Sat 2018-01-06 21:33:28, Avi Kivity wrote:
> Meltdown and Spectre mitigations focus on protecting the kernel from a
> hostile userspace. However, it's not a given that the kernel is the most
> important target in the system. It is common in server workloads that a
> single userspace application contains the valuable data on a system, and if
> it were hostile, the game would already be over, without the need to
> compromise the kernel.
> 
> 
> In these workloads, a single application performs most system calls, and so
> it pays the cost of protection, without benefiting from it directly (since
> it is the target, rather than the kernel).
> 
> 
> I propose to create a new capability, CAP_PAYLOAD, that allows the system
> administrator to designate an application as the main workload in that
> system. Other processes (like sshd or monitoring daemons) exist to support
> it, and so it makes sense to protect the rest of the system from their being
> compromised.

prctl(I_AM_PAYLOAD) may do the trick. CAP_PAYLOAD is bad idea.

prctl() should require some pretty heavy capabilities, similar to
iopl() / ioperm() syscalls on x86, maybe CAP_SYS_RAWIO. Maybe it can
depend on some other capability.

But merely having the capability should definitely not change system
behaviour.

									Pavel
-- 
(english) http://www.livejournal.com/~pavelmachek
(cesky, pictures) http://atrey.karlin.mff.cuni.cz/~pavel/picture/horses/blog.html

[-- Attachment #2: Digital signature --]
[-- Type: application/pgp-signature, Size: 181 bytes --]