From: Kees Cook
Date: Tue, 9 Jan 2018 13:34:07 -0800
To: Andy Lutomirski
Cc: Willy Tarreau, Borislav Petkov, LKML, X86 ML, Brian Gerst, Dave Hansen, Ingo Molnar, Linus Torvalds, Peter Zijlstra, Thomas Gleixner, Josh Poimboeuf, "H. Peter Anvin"
Subject: Re: [RFC PATCH v2 2/6] x86/arch_prctl: add ARCH_GET_NOPTI and ARCH_SET_NOPTI to enable/disable PTI
List: linux-kernel@vger.kernel.org

On Tue, Jan 9, 2018 at 1:26 PM, Andy Lutomirski wrote:
> 2. Turning off PTI is, in general, a terrible idea. It totally breaks
> any semblance of a security model on a Meltdown-affected CPU. So I
> think we should require CAP_SYS_RAWIO *and* that the system is booted
> with pti=allow_optout or something like that.

Agreed, this shouldn't be default-available. Besides, your most trusted
processes are the ones most likely to be targeted for attack. :(

-Kees

--
Kees Cook
Pixel Security