Message-ID: <20180928204556.GB32651@tassilo.jf.intel.com>
Date: Fri, 28 Sep 2018 13:45:56 -0700
From: Andi Kleen <ak@...ux.intel.com>
To: Thomas Gleixner <tglx@...utronix.de>
Cc: Alexey Budankov <alexey.budankov@...ux.intel.com>,
Tvrtko Ursulin <tvrtko.ursulin@...ux.intel.com>,
Kees Cook <keescook@...omium.org>,
Jann Horn <jannh@...gle.com>,
Tvrtko Ursulin <tursulin@...ulin.net>,
LKML <linux-kernel@...r.kernel.org>,
Peter Zijlstra <peterz@...radead.org>, x86@...nel.org,
"H. Peter Anvin" <hpa@...or.com>,
Arnaldo Carvalho de Melo <acme@...nel.org>,
Alexander Shishkin <alexander.shishkin@...ux.intel.com>,
Jiri Olsa <jolsa@...hat.com>,
Namhyung Kim <namhyung@...nel.org>,
Madhavan Srinivasan <maddy@...ux.vnet.ibm.com>
Subject: Re: [RFC 0/5] perf: Per PMU access controls (paranoid setting)

> Right now we have a single knob, which is poorly documented and that should
> be fixed first. But some googling gives you the information that allowing
> unprivileged access is a security risk. So the security focussed sysadmin

Ah only if Google could simply answer all our questions!

> will deny access to the PMUs no matter what.

It's not like there is or isn't a security risk and that you
can say that it is or it isn't in a global way.

Essentially these are channels of information. The channels always exist
in the form of timing variances for any shared resource (like shared caches
or shared memory/IO/interconnect bandwidth) that can be measured.

Perfmon counters make the channels generally less noisy, but they do not cause
them.

To really close them completely you would need to avoid sharing
anything, or not allow measuring time, neither of which is practical
short of an air gap.

There are reasonable assessments you can make either way and the answers
will be different based on your requirements. There isn't a single
answer that works for everyone.

There are cases where it isn't a problem at all.

If you don't have multiple users on the system your tolerance
should be extremely high.

For users who have multiple users there can be different tradeoffs.

So there isn't a single answer, and that is why it is important
that this is configurable.

-Andi