Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S965995AbeAJQUO (ORCPT <rfc822;ralf@linux-mips.org> + 1 other);
        Wed, 10 Jan 2018 11:20:14 -0500
Received: from wtarreau.pck.nerim.net ([62.212.114.60]:39402 "EHLO 1wt.eu"
        rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
        id S965842AbeAJQUN (ORCPT <rfc822;linux-kernel@vger.kernel.org>);
        Wed, 10 Jan 2018 11:20:13 -0500
Date: Wed, 10 Jan 2018 17:19:29 +0100
From: Willy Tarreau <w@1wt.eu>
To: Borislav Petkov <bp@alien8.de>
Cc: Andy Lutomirski <luto@kernel.org>,
        LKML <linux-kernel@vger.kernel.org>, X86 ML <x86@kernel.org>,
        Brian Gerst <brgerst@gmail.com>,
        Dave Hansen <dave.hansen@linux.intel.com>,
        Ingo Molnar <mingo@kernel.org>,
        Linus Torvalds <torvalds@linux-foundation.org>,
        Peter Zijlstra <peterz@infradead.org>,
        Thomas Gleixner <tglx@linutronix.de>,
        Josh Poimboeuf <jpoimboe@redhat.com>,
        "H. Peter Anvin" <hpa@zytor.com>, Kees Cook <keescook@chromium.org>
Subject: Re: [RFC PATCH v2 2/6] x86/arch_prctl: add ARCH_GET_NOPTI and
 ARCH_SET_NOPTI to enable/disable PTI
Message-ID: <20180110161929.GA14347@1wt.eu>
References: <CALCETrU_Qt+0k4GO2qp=9D7h5czp0QkY=D9Y4AUfs9yzpNHswQ@mail.gmail.com>
 <20180109212940.ffvqb6wmehmxre4i@pd.tnic>
 <20180109213227.GA13282@1wt.eu>
 <20180109214602.k7cuxwikg6xshztu@pd.tnic>
 <20180109220605.GE13282@1wt.eu>
 <20180109222036.6h7jjyaayusn4yb5@pd.tnic>
 <20180109224009.GA13326@1wt.eu>
 <20180110144239.cm5t7j6s7akkpked@pd.tnic>
 <20180110153946.GB14178@1wt.eu>
 <20180110160922.c26iaeley5nh3xk6@pd.tnic>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20180110160922.c26iaeley5nh3xk6@pd.tnic>
User-Agent: Mutt/1.6.1 (2016-04-27)
Sender: linux-kernel-owner@vger.kernel.org
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>

On Wed, Jan 10, 2018 at 05:09:22PM +0100, Borislav Petkov wrote:
> On Wed, Jan 10, 2018 at 04:39:46PM +0100, Willy Tarreau wrote:
> > For production, disabling PTI system-wide when I'm supposed to know what
> > performance critical processes should be exempted doesn't appeal me very
> > much, especially if it can happen by accident. So in the end I think that
> > "pti=off" on the cmdline should be the only way to disable it system-wide
> > as it doesn't represent a reasonable production case. Disabling it per
> > process should be allowed via a sysctl, which would also be locked disabled
> > for safety purposes.
> 
> It still might make sense to be able to disable it system-wide without
> having to reboot. Imagine a bunch of processes showing performance
> regressions and you want to disable PTI completely to rule it out
> causing that regression. Then you toggle the master switch.

Well, indeed. It will never be 100% equivalent to pti=off however since
the alternative code will remain in place, but why not. Or maybe we have
a way to change the alternatives at run time by changing a sysctl, but
that doesn't please me a lot. I'll check this after the rest however,
as I'm not sure about the code implications in the entry code (i.e. we'd
rather not check a system wide variable, or we might need another per-CPU
one). We could also just mention that the setting only applies to future
processes, which will be much easier and probably sufficient.

Willy