Re: [RFC] perf: Allow fine-grained PMU access control

From: Andi Kleen
Date: Tue May 22 2018 - 12:25:28 EST


> IMHO, it is unsafe for CBOX pmu but could IMC, UPI pmus be an exception here?
> Because currently perf stat -I from IMC, UPI counters is only allowed when
> system wide monitoring is permitted and this prevents joint perf record and
> perf stat -I in cluster environments where users usually lack ability to
> modify paranoid. Adding Andi who may have more ideas regarding all that.

PMU isolation is about not making side channels worse. There are normally
already side channels from timing, but it has a degree of noise.

PMU isolation is just to prevent opening side channels with less noise.
But reducing noise is always a trade off, it can never be perfect
and at some point there are dimishing returns.

In general the farther you are from the origin of the noise there
is already more noise. The PMU can reduce the noise, but if it's far
enough away it may not make much difference.

So there are always trade offs with shades of grey, not a black
and white situation. Depending on your security requirements
it may be totally reasonable e.g. to allow the PMU
on the memory controller (which is already very noisy in any case),
but not on the caches.

Or allow it only on the graphics which is already fairly isolated.

So per pmu paranoid settings are a useful concept.

-Andi