Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1755053AbeAIWDj (ORCPT + 1 other); Tue, 9 Jan 2018 17:03:39 -0500 Received: from wtarreau.pck.nerim.net ([62.212.114.60]:39241 "EHLO 1wt.eu" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1754052AbeAIWDi (ORCPT ); Tue, 9 Jan 2018 17:03:38 -0500 Date: Tue, 9 Jan 2018 23:03:00 +0100 From: Willy Tarreau To: Kees Cook Cc: Andy Lutomirski , Borislav Petkov , LKML , X86 ML , Brian Gerst , Dave Hansen , Ingo Molnar , Linus Torvalds , Peter Zijlstra , Thomas Gleixner , Josh Poimboeuf , "H. Peter Anvin" Subject: Re: [RFC PATCH v2 2/6] x86/arch_prctl: add ARCH_GET_NOPTI and ARCH_SET_NOPTI to enable/disable PTI Message-ID: <20180109220300.GD13282@1wt.eu> References: <1515502580-12261-1-git-send-email-w@1wt.eu> <1515502580-12261-3-git-send-email-w@1wt.eu> <20180109141713.ngqrf6weyiy2q3in@pd.tnic> <20180109143653.GA12976@1wt.eu> <20180109145157.5ltqbz4o5sqkcggb@pd.tnic> <20180109145422.GD12976@1wt.eu> <20180109214151.GB13282@1wt.eu> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: User-Agent: Mutt/1.6.1 (2016-04-27) Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Return-Path: On Tue, Jan 09, 2018 at 01:50:10PM -0800, Kees Cook wrote: > On Tue, Jan 9, 2018 at 1:41 PM, Willy Tarreau wrote: > > On Tue, Jan 09, 2018 at 01:26:57PM -0800, Andy Lutomirski wrote: > >> So I > >> think we should require CAP_SYS_RAWIO *and* that the system is booted > >> with pti=allow_optout or something like that. > > > > I'm really not fan of this. 1) it would require to reboot during the > > peak hour to try to fix the problem. 2) the flag will end up being > > deployed everywhere by default in environments flirting with performance > > "just in case" so it will be rendered useless. > > > > I'm fine with Boris' requirement that the kernel should be build with > > the appropriate option to support this. If you're doing your own builds, > > you can well take care of having the appropriate options (PTI+the right > > to turn it off) and deploy such kernels where relevant. > > IMO, run-time selection is always better than build-time selection. > e.g. a distro would build it in just in case anyone needs it, but the > vast majority of system this would be dangerous on. Therefore, make it > part of the kernel, but require it be enabled at boot. For all the rest we use sysctls then. suid_dumpable is a sysctl, mmap_min_addr is a sysctl. That would be quite better. Having to reboot all your LBs at the traffic peak just to pass an option you had never heard of and you don't even know if it will work nor what the impact is is really what will make our users loudly call us names about our design choices :-/ Another benefit of the sysctl is that if it doesn't work you can turn it off. The user who already had to reboot to set the option will definitely not boot again to disable it if it didn't solve his problem! Willy