From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S932538AbeARWte (ORCPT ); Thu, 18 Jan 2018 17:49:34 -0500 Received: from atrey.karlin.mff.cuni.cz ([195.113.26.193]:38651 "EHLO atrey.karlin.mff.cuni.cz" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S932131AbeARWt0 (ORCPT ); Thu, 18 Jan 2018 17:49:26 -0500 Date: Thu, 18 Jan 2018 23:49:24 +0100 From: Pavel Machek To: Avi Kivity Cc: "linux-kernel@vger.kernel.org" Subject: Re: Proposal: CAP_PAYLOAD to reduce Meltdown and Spectre mitigation costs Message-ID: <20180118224924.GF17196@amd> References: MIME-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="m1UC1K4AOz1Ywdkx" Content-Disposition: inline In-Reply-To: User-Agent: Mutt/1.5.23 (2014-03-12) Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org --m1UC1K4AOz1Ywdkx Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Sat 2018-01-06 21:33:28, Avi Kivity wrote: > Meltdown and Spectre mitigations focus on protecting the kernel from a > hostile userspace. However, it's not a given that the kernel is the most > important target in the system. It is common in server workloads that a > single userspace application contains the valuable data on a system, and = if > it were hostile, the game would already be over, without the need to > compromise the kernel. >=20 >=20 > In these workloads, a single application performs most system calls, and = so > it pays the cost of protection, without benefiting from it directly (since > it is the target, rather than the kernel). >=20 >=20 > I propose to create a new capability, CAP_PAYLOAD, that allows the system > administrator to designate an application as the main workload in that > system. Other processes (like sshd or monitoring daemons) exist to support > it, and so it makes sense to protect the rest of the system from their be= ing > compromised. prctl(I_AM_PAYLOAD) may do the trick. CAP_PAYLOAD is bad idea. prctl() should require some pretty heavy capabilities, similar to iopl() / ioperm() syscalls on x86, maybe CAP_SYS_RAWIO. Maybe it can depend on some other capability. But merely having the capability should definitely not change system behaviour. Pavel --=20 (english) http://www.livejournal.com/~pavelmachek (cesky, pictures) http://atrey.karlin.mff.cuni.cz/~pavel/picture/horses/blo= g.html --m1UC1K4AOz1Ywdkx Content-Type: application/pgp-signature; name="signature.asc" Content-Description: Digital signature -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iEYEARECAAYFAlphJHQACgkQMOfwapXb+vKFjACghBiwRI5ZSJsaI7NSiRIE4g+A BoYAn1R1JpEWGwcjFJxbQVVWhTfJnyZN =HhHH -----END PGP SIGNATURE----- --m1UC1K4AOz1Ywdkx--