Hi Peter,
On 2021-01-30 01:00, Peter Zijlstra wrote:
On Sat, Jan 30, 2021 at 12:35:10AM +0530, Sai Prakash Ranjan wrote:
Here the idea is to protect such important information from all users including root users since root privileges does not have to mean full control over the kernel [1] and root compromise does not have to be the end of the world.
And yet, your thing lacks:
I guess you mean this lacks an explanation as to why this only applies to ITRACE and not others? See below.
+config EXCLUDE_KERNEL_HW_ITRACE
- bool "Exclude kernel mode hardware assisted instruction tracing"
- depends on PERF_EVENTS
depends on SECURITY_LOCKDOWN
or whatever the appropriate symbol is.
Ok I suppose you mean CONFIG_SECURITY_LOCKDOWN_LSM? But I don't see how this new config has to depend on that? This can work independently whether complete lockdown is enforced or not since it applies to only hardware instruction tracing. Ideally this depends on several hardware tracing configs such as ETMs and others but we don't need them because we are already exposing PERF_PMU_CAP_ITRACE check in the events core.
- help
Exclude kernel mode instruction tracing by hardware tracingfamily such as ARM Coresight ETM, Intel PT and so on.This option allows to disable kernel mode instruction tracingoffered by hardware assisted tracing for all users(including root)especially for production systems where only userspace tracingmight
be preferred for security reasons.Also, colour me unconvinced, pretty much all kernel level PMU usage can be employed to side-channel / infer crypto keys, why focus on ITRACE over others?
Here ITRACE is not just instruction trace, it is meant for hardware assisted instruction trace such as Intel PT, Intel BTS, ARM coresight etc. These provide much more capabilities than normal instruction tracing whether its kernel level or userspace. More specifically, these provide more accurate branch trace like Intel PT LBR (Last Branch Record), Intel BTS(Branch Trace Store) which can be used to decode the program flow more accurately with timestamps in real time than other PMUs. Also there is cycle accurate tracing which can theoretically be used for some speculative execution based attacks. Which other kernel level PMUs can be used to get a full branch trace that is not locked down? If there is one, then this should probably be applied to it as well.
Thanks, Sai