Re: [patch] let CONFIG_SECCOMP default to n

From: Ingo Molnar
Date: Wed Jul 12 2006 - 18:52:59 EST



* Andi Kleen <ak@xxxxxxx> wrote:

>
> > > I can put in a patch into my tree for the next merge to disable the
> > > TSC disable code on i386 too like I did earlier for x86-64.
> >
> > please do.
>
> Hmm, with the new thread test as it was pointed out it can be indeed
> made zero cost for the common case. Perhaps that's not needed then.

putting aside the fundamental fallacy of disabling TSC based timing
attacks while not even considering network-based timing attacks (which
are still very much possible), Chuck's approach of pushing the seccomp
TSC cr4 twiddling into the context-switch slowpath is the right
solution, given the circumstances. Will Chuck's patch be in 2.6.18? If
not then my months-old patch below should be applied.

Ingo

----

remove TSC-disabling logic from the context-switch hotpath. It has
marginal security relevance. Truly paranoid users can boot with the
TSC disabled anyway.

Signed-off-by: Ingo Molnar <mingo@xxxxxxx>
----

arch/i386/kernel/process.c | 29 -----------------------------
1 files changed, 29 deletions(-)

Index: linux/arch/i386/kernel/process.c
===================================================================
--- linux.orig/arch/i386/kernel/process.c
+++ linux/arch/i386/kernel/process.c
@@ -589,33 +589,6 @@ handle_io_bitmap(struct thread_struct *n
}

/*
- * This function selects if the context switch from prev to next
- * has to tweak the TSC disable bit in the cr4.
- */
-static inline void disable_tsc(struct task_struct *prev_p,
- struct task_struct *next_p)
-{
- struct thread_info *prev, *next;
-
- /*
- * gcc should eliminate the ->thread_info dereference if
- * has_secure_computing returns 0 at compile time (SECCOMP=n).
- */
- prev = prev_p->thread_info;
- next = next_p->thread_info;
-
- if (has_secure_computing(prev) || has_secure_computing(next)) {
- /* slow path here */
- if (has_secure_computing(prev) &&
- !has_secure_computing(next)) {
- write_cr4(read_cr4() & ~X86_CR4_TSD);
- } else if (!has_secure_computing(prev) &&
- has_secure_computing(next))
- write_cr4(read_cr4() | X86_CR4_TSD);
- }
-}
-
-/*
* switch_to(x,yn) should switch tasks from x to y.
*
* We fsave/fwait so that an exception goes off at the right time
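
Review bot: removing disable_tsc() takes out the only code in this hunk that sets X86_CR4_TSD when switching to a task with has_secure_computing(), so after this change a seccomp task can read the TSC again, and the changelog should say so outright rather than only calling the logic of marginal relevance. Note also that the removed function already confined write_cr4() to a branch guarded by has_secure_computing(prev) || has_secure_computing(next), so what leaves the hotpath is the two ->thread_info dereferences and flag tests, not the cr4 write; the changelog would be more accurate if it described the cost in those terms.
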
@@ -709,8 +682,6 @@ struct task_struct fastcall * __switch_t
if (unlikely(prev->io_bitmap_ptr || next->io_bitmap_ptr))
handle_io_bitmap(next, tss);

- disable_tsc(prev_p, next_p);
-
return prev_p;
}
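
Review bot: the disable_tsc(prev_p, next_p) call at the end of __switch_to() is dropped unconditionally, although the handle_io_bitmap() call just above it shows how a rare case can be kept behind a single unlikely() test. A guard of that kind on a per-thread flag would keep the TSC restriction for seccomp tasks while costing non-seccomp switches one predictable branch, which is the slowpath approach the message above calls the right solution. If outright removal is still wanted, the changelog should say why it is preferred over that guard.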
