From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-3.8 required=3.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,HEADER_FROM_DIFFERENT_DOMAINS,MAILING_LIST_MULTI,SPF_HELO_NONE, SPF_PASS autolearn=no autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 22184C433DB for ; Tue, 19 Jan 2021 05:59:35 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id DF5E322ADF for ; Tue, 19 Jan 2021 05:59:34 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1731635AbhASF4S (ORCPT ); Tue, 19 Jan 2021 00:56:18 -0500 Received: from m42-8.mailgun.net ([69.72.42.8]:43442 "EHLO m42-8.mailgun.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S2388458AbhASFUI (ORCPT ); Tue, 19 Jan 2021 00:20:08 -0500 X-Greylist: delayed 351 seconds by postgrey-1.27 at vger.kernel.org; Tue, 19 Jan 2021 00:19:53 EST DKIM-Signature: a=rsa-sha256; v=1; c=relaxed/relaxed; d=mg.codeaurora.org; q=dns/txt; s=smtp; t=1611033562; h=Message-ID: References: In-Reply-To: Subject: Cc: To: From: Date: Content-Transfer-Encoding: Content-Type: MIME-Version: Sender; bh=TsmWni2lFqo/KCTp9v2otaejvUeB6CXmbavuS8alcYo=; b=aJd8YwPQ07dp5pXrPp+peV4sduXBFqrTskVPVyOVfRlcn2g6anOE9MWIHV5VGHb6UdZvTkRN 2MTHzB5t4caxSaNR+lVwpQmvkftJThCUoX9vtlyZcBb4bvjRrG4dS6GPn4U4OJStbfLEIUB1 BT65b82c5qwRLU/837n2eACmegw= X-Mailgun-Sending-Ip: 69.72.42.8 X-Mailgun-Sid: WyI0MWYwYSIsICJsaW51eC1rZXJuZWxAdmdlci5rZXJuZWwub3JnIiwgImJlOWU0YSJd Received: from smtp.codeaurora.org (ec2-35-166-182-171.us-west-2.compute.amazonaws.com [35.166.182.171]) by smtp-out-n01.prod.us-east-1.postgun.com with SMTP id 60066a51ba7f868506e7285d (version=TLS1.2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256); Tue, 19 Jan 2021 05:12:49 GMT Sender: saiprakash.ranjan=codeaurora.org@mg.codeaurora.org Received: by smtp.codeaurora.org (Postfix, from userid 1001) id 82D11C43463; Tue, 19 Jan 2021 05:12:48 +0000 (UTC) Received: from mail.codeaurora.org (localhost.localdomain [127.0.0.1]) (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) (Authenticated sender: saiprakash.ranjan) by smtp.codeaurora.org (Postfix) with ESMTPSA id 84544C433C6; Tue, 19 Jan 2021 05:12:47 +0000 (UTC) MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII; format=flowed Content-Transfer-Encoding: 7bit Date: Tue, 19 Jan 2021 10:42:47 +0530 From: Sai Prakash Ranjan To: Mattias Nissler Cc: Mathieu Poirier , Suzuki K Poulose , Mike Leach , coresight@lists.linaro.org, Stephen Boyd , Denis Nikitin , linux-arm-msm@vger.kernel.org, linux-kernel@vger.kernel.org, linux-arm-kernel@lists.infradead.org, Al Grant , leo.yan@linaro.org Subject: Re: [PATCH] coresight: etm4x: Add config to exclude kernel mode tracing In-Reply-To: References: <20201015124522.1876-1-saiprakash.ranjan@codeaurora.org> <20201015160257.GA1450102@xps15> Message-ID: <6a3a876e9877322cb46c246a86312fbe@codeaurora.org> X-Sender: saiprakash.ranjan@codeaurora.org User-Agent: Roundcube Webmail/1.3.9 Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On 2021-01-18 20:17, Mattias Nissler wrote: > On Fri, Jan 15, 2021 at 6:46 AM Sai Prakash Ranjan > wrote: >> >> Hello Mathieu, Suzuki >> >> On 2020-10-15 21:32, Mathieu Poirier wrote: >> > On Thu, Oct 15, 2020 at 06:15:22PM +0530, Sai Prakash Ranjan wrote: >> >> On production systems with ETMs enabled, it is preferred to >> >> exclude kernel mode(NS EL1) tracing for security concerns and >> >> support only userspace(NS EL0) tracing. So provide an option >> >> via kconfig to exclude kernel mode tracing if it is required. >> >> This config is disabled by default and would not affect the >> >> current configuration which has both kernel and userspace >> >> tracing enabled by default. >> >> >> > >> > One requires root access (or be part of a special trace group) to be >> > able to use >> > the cs_etm PMU. With this kind of elevated access restricting tracing >> > at EL1 >> > provides little in terms of security. >> > >> >> Apart from the VM usecase discussed, I am told there are other >> security concerns here regarding need to exclude kernel mode tracing >> even for the privileged users/root. One such case being the ability >> to analyze cryptographic code execution since ETMs can record all >> branch instructions including timestamps in the kernel and there may >> be other cases as well which I may not be aware of and hence have >> added Denis and Mattias. Please let us know if you have any questions >> further regarding this not being a security concern. > > Well, the idea that root privileges != full control over the kernel > isn't new and at the very least since lockdown became part of mainline > [1] no longer an esoteric edge case. Regarding the use case Sai hints > at (namely protection of secrets in the kernel), Matthew Garret > actually has some more thoughts about confidentiality mode for > lockdown for secret protection [2]. And thus, unless someone can make > a compelling case that instruction-level tracing will not leak secrets > held by the kernel, I think an option for the kernel to prevent itself > from being traced (even by root) is valuable. > > Finally, to sketch a practical use case scenario: Consider a system > where disk contents are encrypted and the encryption key is set up by > the user when mounting the file system. From that point on the > encryption key resides in the kernel. It seems reasonable to expect > that the disk encryption key be protected from exfiltration even if > the system later suffers a root compromise (or even against insiders > that have root access), at least as long as the attacker doesn't > manage to compromise the kernel. > > [1] https://lwn.net/Articles/796866/ > [2] https://mjg59.dreamwidth.org/55105.html > Thanks for the detailed description, it is way better put than my crude explanation. Thanks, Sai -- QUALCOMM INDIA, on behalf of Qualcomm Innovation Center, Inc. is a member of Code Aurora Forum, hosted by The Linux Foundation