| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 18 Jun 2018 11:06:55 +0300
From: Alexey Budankov <alexey.budankov@...ux.intel.com>
To: Tvrtko Ursulin <tvrtko.ursulin@...ux.intel.com>,
Andi Kleen <ak@...ux.intel.com>
Cc: Peter Zijlstra <peterz@...radead.org>,
Tvrtko Ursulin <tursulin@...ulin.net>,
linux-kernel@...r.kernel.org,
Tvrtko Ursulin <tvrtko.ursulin@...el.com>,
Ingo Molnar <mingo@...hat.com>,
Arnaldo Carvalho de Melo <acme@...nel.org>,
Alexander Shishkin <alexander.shishkin@...ux.intel.com>,
Jiri Olsa <jolsa@...hat.com>,
Namhyung Kim <namhyung@...nel.org>,
Mark Rutland <mark.rutland@....com>,
"Rogozhkin, Dmitry V" <dmitry.v.rogozhkin@...el.com>
Subject: Re: [RFC] perf: Allow fine-grained PMU access control
Hi Tvrtko,
On 11.06.2018 11:08, Tvrtko Ursulin wrote:
>
> Hi,
>
> On 22/05/2018 18:19, Andi Kleen wrote:
>>> IMHO, it is unsafe for CBOX pmu but could IMC, UPI pmus be an exception here?
>>> Because currently perf stat -I from IMC, UPI counters is only allowed when
>>> system wide monitoring is permitted and this prevents joint perf record and
>>> perf stat -I in cluster environments where users usually lack ability to
>>> modify paranoid. Adding Andi who may have more ideas regarding all that.
>>
>> PMU isolation is about not making side channels worse. There are normally
>> already side channels from timing, but it has a degree of noise.
>>
>> PMU isolation is just to prevent opening side channels with less noise.
>> But reducing noise is always a trade off, it can never be perfect
>> and at some point there are dimishing returns.
>>
>> In general the farther you are from the origin of the noise there
>> is already more noise. The PMU can reduce the noise, but if it's far
>> enough away it may not make much difference.
>>
>> So there are always trade offs with shades of grey, not a black
>> and white situation. Depending on your security requirements
>> it may be totally reasonable e.g. to allow the PMU
>> on the memory controller (which is already very noisy in any case),
>> but not on the caches.
>>
>> Or allow it only on the graphics which is already fairly isolated.
>>
>> So per pmu paranoid settings are a useful concept.
>
> So it seems there is some positive feedback and fine-grained controls would be useful for other PMU's in cluster environments.
>
> If we have agreement on that, question is how to drive this forward? Would someone be able to review the patch I've sent, or suggest more people to look at it before it could be queued up for merge?
It makes sense to split this RFC into series of patches and resend.
The series could be shaped up something similar to this:
[PATCH v1 0/4]: perf: enable per-pmu paranoid setting for Intel GPU pmu
[PATCH v1 1/1]: perf/core: introduce pmu specific paranoid settings
- extend pmu kernel object in the headers with the new settings
- adjust code to adopt this new settings
[PATCH v1 1/2]: perf/core: enable pmu specific paranoid setting thru fs
- introduce code interfacing the setting thru fs from userspace
- may be introduce code applying some policies around
global/per-pmu relationship
[PATCH v1 1/3]: perf/core: enable i915 GPU pmu specifics features
- implement your specific task related to GPU pmu on top of
this new whole concept
[PATCH v1 1/4]: perf/docs: document Intel GPU pmu paranoid specific changes
- some may be regression testing and README or other docs
updates related to the changes
Also when sending the patches The Linux kernel security team (security@...nel.org)
needs to be in TO or CC to let the folks know of the changes and possibly
explicitly ask support from them.
Regards,
Alexey
>
> Regards,
>
> Tvrtko
>
Powered by blists - more mailing lists