Re: [PATCH 1/4] perf/core: Add support to exclude kernel mode instruction tracing

[Sai Prakash Ranjan]

Hi Peter,

On 2021-02-01 19:11, Peter Zijlstra wrote:
> On Mon, Feb 01, 2021 at 01:11:04PM +0530, Sai Prakash Ranjan wrote:
>
> > Ok I suppose you mean CONFIG_SECURITY_LOCKDOWN_LSM? But I don't see
> > how this new config has to depend on that? This can work independently
> > whether complete lockdown is enforced or not since it applies to only
> > hardware instruction tracing. Ideally this depends on several hardware
> > tracing configs such as ETMs and others but we don't need them because
> > we are already exposing PERF_PMU_CAP_ITRACE check in the events core.
>
> If you don't have lockdown, root pretty much owns the kernel, or am I
> missing something?

You are right in saying that without lockdown root would own kernel but
this config(EXCLUDE_KERNEL) will independently make sure that kernel
level pmu tracing is not allowed(we return -EACCES) even if LOCKDOWN
config is disabled. So I'm saying that we don't need to depend on
LOCKDOWN config, its good to have LOCKDOWN config enabled but perf
subsystem doesn't have to care about that.

> > be used for some speculative execution based attacks. Which other
> > kernel level PMUs can be used to get a full branch trace that is not
> > locked down? If there is one, then this should probably be applied to
> > it as well.
>
> Just the regular counters. The information isn't as accurate, but given
> enough goes you can infer plenty.
>
> Just like all the SMT size-channel attacks.
>
> Sure, PT and friends make it even easier, but I don't see a fundamental
> distinction.

Right, we should then exclude all kernel level pmu tracing, is it fine?

if (IS_ENABLED(CONFIG_EXCLUDE_KERNEL_HW_ITRACE) && 
!attr.exclude_kernel))
    return -EACCES;

Thanks,
Sai

--
QUALCOMM INDIA, on behalf of Qualcomm Innovation Center, Inc. is a 
member
of Code Aurora Forum, hosted by The Linux Foundation