lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Date:   Thu, 5 Jan 2023 11:59:24 -0800
From:   Atish Patra <atishp@...shpatra.org>
To:     linux-perf-users@...r.kernel.org
Cc:     "linux-kernel@...r.kernel.org List" <linux-kernel@...r.kernel.org>,
        Peter Zijlstra <peterz@...radead.org>,
        Mark Rutland <mark.rutland@....com>,
        Arnaldo Carvalho de Melo <acme@...nel.org>,
        Alexander Shishkin <alexander.shishkin@...ux.intel.com>,
        Will Deacon <will@...nel.org>,
        Stephane Eranian <eranian@...gle.com>,
        Andi Kleen <ak@...ux.intel.com>,
        Palmer Dabbelt <palmer@...belt.com>,
        Beeman Strong <beeman@...osinc.com>,
        Atish Patra <atishp@...osinc.com>,
        Kan Liang <kan.liang@...ux.intel.com>,
        Anup Patel <apatel@...tanamicro.com>
Subject: Expected rdpmc behavior during context swtich and a RISC-V conundrum

Hi All,
There was a recent uabi update[1] for RISC-V that allows the users to
read cycle and instruction count without any checks.
We tried to restrict that behavior to address security concerns
earlier but it resulted in breakage for some user space
applications[2].
Thus, previous behavior was restored where a user on RISC-V platforms
can directly read cycle or instruction count[3].

Comparison with other ISAs w.r.t user space access of counters:
ARM64
  -- Enabled/Disabled via (/proc/sys/kernel/perf_user_access)
  -- Only for task bound events configured via perf.

X86
 --- rdpmc instruction
 --- Enable/Disable via “/sys/devices/cpu/rdpmc”
-- Before v4.0
 -- any process (even without active perf event) rdpmc
After v4.0
-- Default behavior changed to support only active events in a
process’s context.
-- Configured through perf similar to ARM64
-- Continue to maintain backward compatibility for unrestricted access
by writing 2 to “/sys/devices/cpu/rdpmc”

IMO, RISC-V should only enable user space access through perf similar
to ARM64 and x86 (post v4.0).
However, we do have to support the legacy behavior to avoid
application breakage.
As per my understanding a direct user space access can lead to the
following problems:

1) There is no context switch support, so counts from other contexts are exposed
2) If a perf user is allocated one of these counters, the counter
value will be written

Looking at the x86 code as it continues to allow the above behavior,
rdpmc_always_available_key is enabled in the above case. However,
during the context switch (cr4_update_pce_mm)
only dirty counters are cleared. It only prevents leakage from perf
task to rdpmc task.

How does the context switch of counters work for users who enable
unrestricted access by writing 2 to “/sys/devices/cpu/rdpmc” ?
Otherwise, rdpmc users likely get noise from other applications. Is
that expected ?
This can be a security concern also where a rogue rdpmc user
application can monitor other critical applications to initiate side
channel attack.

Am I missing something? Please correct my understanding of the x86
implementation if it is wrong.

[1] https://lore.kernel.org/lkml/20221201135110.3855965-1-conor.dooley@microchip.com/
[2] https://groups.google.com/a/groups.riscv.org/g/sw-dev/c/REWcwYnzsKE?pli=1
[3] https://lore.kernel.org/all/YxIzgYP3MujXdqwj@aurel32.net/T/

-- 
Regards,
Atish

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ