Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1751607AbeAGGj6 (ORCPT <rfc822;ralf@linux-mips.org> + 1 other);
        Sun, 7 Jan 2018 01:39:58 -0500
Received: from wtarreau.pck.nerim.net ([62.212.114.60]:38652 "EHLO 1wt.eu"
        rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
        id S1751223AbeAGGj5 (ORCPT <rfc822;linux-kernel@vger.kernel.org>);
        Sun, 7 Jan 2018 01:39:57 -0500
Date: Sun, 7 Jan 2018 07:39:55 +0100
From: Willy Tarreau <w@1wt.eu>
To: Kiernan Hager <kah.listaddress@gmail.com>
Cc: linux-kernel@vger.kernel.org
Subject: Re: Fwd: Avoid speculative indirect calls in kernel
Message-ID: <20180107063955.GB9425@1wt.eu>
References: <CA+55aFzCocoK+4kxAUEhaxxba4RTv3ewBmhiZ8Osc9iDkBtCEQ@mail.gmail.com>
 <e64025e6-9c4f-703d-cb69-29eeb9cc16bd@redhat.com>
 <20180104015920.1ad7b9d3@alans-desktop>
 <e3a0fa73-1328-aa42-13ea-c670c8d4ac87@redhat.com>
 <1515054014.12987.75.camel@amazon.co.uk>
 <403e65be-cfd1-fd08-0401-2e26470b63d4@redhat.com>
 <4dde456c-fd15-e768-8876-5844c8b7c455@redhat.com>
 <alpine.DEB.2.20.1801050153290.2127@nanos>
 <CAL9bgJ8XNJgCtxR6+M+Vm9eDBVZ4Dyi_-Lt-Q1ei9N=TE2c6cg@mail.gmail.com>
 <CAL9bgJ942ekzyCrposr-xPeTNyh==d2JMO5LvvwuSOKQ38BgBw@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <CAL9bgJ942ekzyCrposr-xPeTNyh==d2JMO5LvvwuSOKQ38BgBw@mail.gmail.com>
User-Agent: Mutt/1.6.1 (2016-04-27)
Sender: linux-kernel-owner@vger.kernel.org
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>

On Sat, Jan 06, 2018 at 10:04:26PM -0700, Kiernan Hager wrote:
> On Thu, Jan 4, 2018 at 5:54 PM, Thomas Gleixner <tglx@linutronix.de> wrote:
> > On Thu, 4 Jan 2018, Jon Masters wrote:
> >> P.S. I've an internal document where I've been tracking "nice to haves"
> >> for later, and one of them is whether it makes sense to tag binaries as
> >> "trusted" (e.g. extended attribute, label, whatever). It was something I
> >> wanted to bring up at some point as potentially worth considering.
> >
> > Scratch that. There is no such thing as a trusted binary.
> >
> 
> I disagree. When there are patches that slow execution down up to 30%,
> I want to be able to mark a binary as "trusted" so that I can run it
> without those patches if it is important. This is a boon to
> configurability and helps lessen the significant performance impact of
> these patches. Besides, anything run as root can already not only
> read, but also write kernel memory and other processes' memory, so
> it's not like this particular ability for processes trusted by the
> user is anything new. This flag should probably only be settable by
> root though, for obvious reasons.

I think everyone agrees on this, but most developers are still very
busy trying to get all issues addressed first. We should simply start
to work in parallel on what could consistute the next steps without
polluting them.

BTW the performance loss can be even worse, I have a packet generator
here whose performance was divided by 4 in a VM :-) No tests yet on
bare metal (it's easier to reboot a VM).

Willy