From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from mail-pg1-f179.google.com (mail-pg1-f179.google.com [209.85.215.179]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id A2E5B78F3A for ; Mon, 13 Jul 2026 21:05:42 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.215.179 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1783976744; cv=none; b=WmpF1C1vQeBoeHg7Qf7VDaiF/5cFWBvnUSDhF2pucmhKrEUKRSnoO9B/p7ZYeVTcI600d8+9LeKjW2Aywmh9wV+XAWzID4WbZj+inQRaWquUpj6KBR8W/obMYR5OpGhykS0a6vcPHlILbbK9no1kBtd7fLqNGkCII+OXsg1idPA= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1783976744; c=relaxed/simple; bh=ZGHAdC7rXXH51fzI8eUTwvaYsP9Yp0yi651IUdl7fd0=; h=From:To:Cc:Subject:In-Reply-To:References:Date:Message-ID: MIME-Version:Content-Type; b=tNq6Tw762pUyn2A1sRmfb/BLOcRccRnLH0NQ3gwCSjvwhfVR2r1N/X9XqSFIS6I6hiEeGRn6jvaUyHkiSdplMztGBEkZU2Pput9dUCLh6AmPCzZ4incIUwY2m7Lqfq2iFKoyhVQ3Mzs2fpBLYRUxr91w4bC4ZzUXGUYxk/P01oc= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=dancol.org; spf=pass smtp.mailfrom=gmail.com; dkim=pass (2048-bit key) header.d=dancol.org header.i=@dancol.org header.b=XUk+YmJv; arc=none smtp.client-ip=209.85.215.179 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=dancol.org Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=gmail.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=dancol.org header.i=@dancol.org header.b="XUk+YmJv" Received: by mail-pg1-f179.google.com with SMTP id 41be03b00d2f7-ca97d139d8dso163852a12.2 for ; Mon, 13 Jul 2026 14:05:42 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1783976742; x=1784581542; h=content-type:mime-version:message-id:date:user-agent:references :in-reply-to:subject:cc:to:from:dkim-signature:x-gm-gg :x-gm-message-state:from:to:cc:subject:date:message-id:reply-to :content-type; bh=c7dO4+855NDGBLOtYg+g5EbkrB6jsqmlhFGAdJvf5Qo=; b=c7zi4eZBobBobn1VGqsEIGmdt2z9T4UBbslkkbhO3EG78HVwqr+SrSPipss9Uqqr8J GnQo096annCv28eKqe1D/CC9dlgRe+cKNyCVQ9asf9Tu8T9eg+CS2DsNOJIuO7J07BiD RYz649poOGXYAc3JaNvxbn60IumeI6LJDkbnzNaj3dRJAK6rLpL7Hw/3/jxy5of8Rnzk YOR6tm2v4iAfxrCvAGTBjJYGRv3OYn0HfJUHZSf8OvN6tlt112AZkhby7keGYf2eYFbm iFYZ47wYOhQj6grcgnUKzdI+MYd+8KRsMWQbMTVRCSGm1uQldJfRNliWXpQhRPAjleSV 1WKg== X-Forwarded-Encrypted: i=1; AHgh+RrtRFRVmMwyzd7iAv1odo46eUxBA/AA/463tU/bD2BkZCIKS0obgahan88rZK//yGG34o7dBzJO2sL21+k=@vger.kernel.org X-Gm-Message-State: AOJu0YwhOWhpzHFPEQVf59YDZ5t0ymNeoX96XBhc4qUsJkxK80Q/KFkd wdIjz+cGDzbUEMleLkdixyLwgOynmffLrJ/qyRoTJf6HvwaWz6roQHYB X-Gm-Gg: AfdE7cklP9iDEJEBa7k1UATeiKDWRxXy6cM2CDW7UTywvvZYoWNR20xg6gFcxj/C3MC BC3Rd7qJ8ymH0GyqeXJRbitCjcVjv6oIgqoO7XPai/ZxcUUhb+sYnm8vUoohM1aqD1DA9q5MLZY vu8DyOxbGDgNJ74iFqHW7NVO5296b8kfoMFNNLoHbKb9Cb/EqzJE8Tq/crtkqwdMh2Om6Id0L2w t+pDWV0NHF19xkmK7rl5GZ6G34H32aCPvNUefjS2lG+iNv/YT2z/tV3C5eU/Cm0n5GWoLpUxwLW cUHpoOxuKX2TOXQBahhgC0CCHMgUDR3wd09NCoDxZMHEr6XVDM2m5Gq3VzO990evcuvOeI7KOzm wHCyY5vs7BGW8KV6H88BjgBVtSIQ8t3pY6HFyFJiN+Gelg5JwNTW8C70ozSFSayCxWpQViqf4ik wvT728nbUfCAFboAuvu/xGDNaNzMC8h7mDOeqIvPvv//Xm0il+2AIqJ/u9NBBbYODlnaefDcoII YtQa/A3mmkIZQF7v6O9fmMt3m6U4g== X-Received: by 2002:a05:6a21:6b18:b0:3b2:a8cd:ef4a with SMTP id adf61e73a8af0-3c110768b5dmr10277166637.30.1783976741679; Mon, 13 Jul 2026 14:05:41 -0700 (PDT) Received: from dancol.org (dancol.org. [2600:3c01:e000:3d8::1]) by smtp.gmail.com with ESMTPSA id a92af1059eb24-13b8deb2a21sm24822220c88.3.2026.07.13.14.05.41 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 13 Jul 2026 14:05:41 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=dancol.org; s=x; h=Content-Type:MIME-Version:Message-ID:Date:Subject:To:From; bh=c7dO4+855NDGBLOtYg+g5EbkrB6jsqmlhFGAdJvf5Qo=; b=XUk+YmJv363B5aLMU+rUknUvyJ DaskylG5cYuDTzqw/u+bfm8iSOBAde4w81NZ9qfq8p5wdAgTnO+oYUHFn/1/vJgK71vZWPLaC2IsA hVv+SeKHyKA5P1Rmw5RD/qK64HkMaE0CAk3bUmlu61rmMvvtKT7ih2wDej+5+orgSHucuYV7oscAt 2HMoesra/LoJMZmz8I3wYxNTg78w6hPGzuGR2TcsHJs8cCrbUaQJA8eEazKoEUtifRDBiq7Pf3J0J rKjRpgR50YWGiHzdpMvq/bBY/AFusTUsMMELvmR/Z838+jpyqHFQ1NAV4A+xlHqSVe7Xr8foxzzgJ 35XXVO+g==; Received: from 2603-900b-c400-2854-78e1-05dc-8eec-2d4e.inf6.spectrum.com ([2603:900b:c400:2854:78e1:5dc:8eec:2d4e]:55276 helo=localhost) by dancol.org with esmtpsa (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.98.2) (envelope-from ) id 1wjNqN-00000000VeY-30g9; Mon, 13 Jul 2026 17:05:40 -0400 From: Daniel Colascione To: Keith Busch Cc: Jens Axboe , Christoph Hellwig , Sagi Grimberg , linux-nvme@lists.infradead.org, linux-kernel@vger.kernel.org Subject: Re: [PATCH] nvme: make sending wall-clock time to NVMe opt-in In-Reply-To: References: <20260713203443.322748-1-dancol@dancol.org> User-Agent: mu4e 1.14.1; emacs 31.0.50 Date: Mon, 13 Jul 2026 17:05:38 -0400 Message-ID: <87qzl6k3bx.fsf@dancol.org> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain Keith Busch writes: > On Mon, Jul 13, 2026 at 04:34:43PM -0400, Daniel Colascione wrote: >> Some NVMe devices maintain a persistent log, the PEL, of events like >> power-on and thermal excursions. The NVMe Set Features (Timestamp) >> command allows an operating system to inform the NVMe of the current >> wall-clock time. Wall-clock timestamp updates are logged to the PEL >> alongside other events. By correlating PEL records, an attacker can >> infer a user's usage patterns and even guess at time zone changes. > > How does an attacker come to acquire PEL records if the system isn't > already compromised? The PEL can be read without any authentication whatsoever, so even an otherwise completely measured secure-boot system with FDE could leak the log to an evil maid. A sophisticated evil maid could execute some kind of adaptive attack, but the PEL is right there and easy to read even for an unsophisticated one-shot adversary. Another thing to emphasize is that the log persists *through* cryptographic sanitize, so you can "wipe" a drive using the strongest available NVMe command, hand it to someone else, and still unwittingly leak real-world usage patterns. It's a side channel I'd rather not have, especially if I'm not getting any value from the timestamp. >> The nvme_core.timestamps_enabled_default module parameter supplies the >> default value of the per-controller flag. Default it to false as the >> privacy-preserving choice. Users who want to provide controllers with >> real-world time can set the module parameter to true or enable >> the per-controller sysfs flag, perhaps via udev. >> >> As an alternative, we could also get the timestamp updates out of the >> kernel entirely and have interested users run nvme(1) to >> update timestamps. > > The use cases for the timestamp feature are outside the specification. > But I know of at least one implementation that uses it to determine how > long it has been powered off so it can better apply correction to media > drift. Yeah yeah, depending on the host for something so critical is > pretty fragile, but it apparently worked out well enough. This proposal > would break them. We could make the timestamp-updating opt-out instead of opt-in or require users of this hardware to change the module parameter. Also, IIUC, nothing in the spec requires a host to use this command. I mostly care about having *some* knob to turn this off. Right now, it's unconditional. I'm happy with either opt-in or opt-out, although I have a weak preference for the former.