Hi Peter,
On 2021-02-01 19:11, Peter Zijlstra wrote:
> On Mon, Feb 01, 2021 at 01:11:04PM +0530, Sai Prakash Ranjan wrote:
>> Ok I suppose you mean CONFIG_SECURITY_LOCKDOWN_LSM? But I don't see how this new config has to depend on that? This can work independently whether complete lockdown is enforced or not since it applies to only hardware instruction tracing. Ideally this depends on several hardware tracing configs such as ETMs and others but we don't need them because we are already exposing PERF_PMU_CAP_ITRACE check in the events core.
>
> If you don't have lockdown, root pretty much owns the kernel, or am I missing something?

You are right in saying that without lockdown root would own the kernel, but this config (EXCLUDE_KERNEL) will independently make sure that kernel level pmu tracing is not allowed (we return -EACCES) even if the LOCKDOWN config is disabled. So I'm saying that we don't need to depend on the LOCKDOWN config; it's good to have the LOCKDOWN config enabled, but the perf subsystem doesn't have to care about that.

>> be used for some speculative execution based attacks. Which other kernel level PMUs can be used to get a full branch trace that is not locked down? If there is one, then this should probably be applied to it as well.
>
> Just the regular counters. The information isn't as accurate, but given enough goes you can infer plenty.
>
> Just like all the SMT side-channel attacks.
>
> Sure, PT and friends make it even easier, but I don't see a fundamental distinction.

Right, we should then exclude all kernel level pmu tracing, is it fine?

	if (IS_ENABLED(CONFIG_EXCLUDE_KERNEL_HW_ITRACE) && !attr.exclude_kernel)
		return -EACCES;

Thanks, Sai