Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1754605AbeAIVuN (ORCPT <rfc822;ralf@linux-mips.org> + 1 other);
        Tue, 9 Jan 2018 16:50:13 -0500
Received: from mail-vk0-f68.google.com ([209.85.213.68]:44041 "EHLO
        mail-vk0-f68.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1754431AbeAIVuL (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Tue, 9 Jan 2018 16:50:11 -0500
X-Google-Smtp-Source: ACJfBouWMDOh98HNID2fdSfAyB4aGuMxOQfm52FihfcrXRc1FcmIdR1bdTTpsLYAFvakuJk+AI3GZtGMS+WpQLAdSzQ=
MIME-Version: 1.0
In-Reply-To: <20180109214151.GB13282@1wt.eu>
References: <1515502580-12261-1-git-send-email-w@1wt.eu> <1515502580-12261-3-git-send-email-w@1wt.eu>
 <20180109141713.ngqrf6weyiy2q3in@pd.tnic> <20180109143653.GA12976@1wt.eu>
 <20180109145157.5ltqbz4o5sqkcggb@pd.tnic> <20180109145422.GD12976@1wt.eu>
 <CALCETrU_Qt+0k4GO2qp=9D7h5czp0QkY=D9Y4AUfs9yzpNHswQ@mail.gmail.com> <20180109214151.GB13282@1wt.eu>
From: Kees Cook <keescook@chromium.org>
Date: Tue, 9 Jan 2018 13:50:10 -0800
X-Google-Sender-Auth: PMHWDt4lBz-eARm7MqL3S4GCJI0
Message-ID: <CAGXu5jKu4ohTmZ=W6gLF2U+hAguTbGYkY9jryyJiV2eNZqak0w@mail.gmail.com>
Subject: Re: [RFC PATCH v2 2/6] x86/arch_prctl: add ARCH_GET_NOPTI and
 ARCH_SET_NOPTI to enable/disable PTI
To: Willy Tarreau <w@1wt.eu>
Cc: Andy Lutomirski <luto@kernel.org>, Borislav Petkov <bp@alien8.de>,
        LKML <linux-kernel@vger.kernel.org>, X86 ML <x86@kernel.org>,
        Brian Gerst <brgerst@gmail.com>,
        Dave Hansen <dave.hansen@linux.intel.com>,
        Ingo Molnar <mingo@kernel.org>,
        Linus Torvalds <torvalds@linux-foundation.org>,
        Peter Zijlstra <peterz@infradead.org>,
        Thomas Gleixner <tglx@linutronix.de>,
        Josh Poimboeuf <jpoimboe@redhat.com>,
        "H. Peter Anvin" <hpa@zytor.com>
Content-Type: text/plain; charset="UTF-8"
Sender: linux-kernel-owner@vger.kernel.org
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>

On Tue, Jan 9, 2018 at 1:41 PM, Willy Tarreau <w@1wt.eu> wrote:
> On Tue, Jan 09, 2018 at 01:26:57PM -0800, Andy Lutomirski wrote:
>> So I
>> think we should require CAP_SYS_RAWIO *and* that the system is booted
>> with pti=allow_optout or something like that.
>
> I'm really not fan of this. 1) it would require to reboot during the
> peak hour to try to fix the problem. 2) the flag will end up being
> deployed everywhere by default in environments flirting with performance
> "just in case" so it will be rendered useless.
>
> I'm fine with Boris' requirement that the kernel should be build with
> the appropriate option to support this. If you're doing your own builds,
> you can well take care of having the appropriate options (PTI+the right
> to turn it off) and deploy such kernels where relevant.

IMO, run-time selection is always better than build-time selection.
e.g. a distro would build it in just in case anyone needs it, but the
vast majority of system this would be dangerous on. Therefore, make it
part of the kernel, but require it be enabled at boot.

-Kees

-- 
Kees Cook
Pixel Security