Received: by 10.223.176.46 with SMTP id f43csp122801wra;
        Thu, 18 Jan 2018 14:51:27 -0800 (PST)
X-Google-Smtp-Source: ACJfBotc/bcmZOMmruUe1FdHpAgGc9QXpPvx8WTRY3dYfbQZNIBpvklc7IE7fsug2yUZt/UDQuQk
X-Received: by 2002:a17:902:ac1:: with SMTP id 59-v6mr517036plp.254.1516315887043;
        Thu, 18 Jan 2018 14:51:27 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1516315887; cv=none;
        d=google.com; s=arc-20160816;
        b=Ji6djk96UGOhVIJZANlMWbkKefmFgk6M0aGJRepC3j2nblZHQJ5ngEOATMrUh5pUYe
         lDvIIc7p6pvCngJIgbovLsu9W3m+UXgyYVhGGVT5LqyRMkdlc68PtP91DTCOyPPO3z1r
         B5D5QVRpRbewFiLqTGyTurtzHEp+iRclj91fLHXQPCBEfprR5we2PFxcrEZtQ9HLt7j8
         8qSo7+w0G8EUjGU7pYUOx4sZU6qoVhG2wsOt5K1XrsrmZuHbnq0YH4WORJQUA/uai19a
         npLS8sqs904wIv1fuXzTmN264Yky978hbs/ZZWV1MLshAvvuPn477SHOF2dDKy5wFX+9
         mmsA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:user-agent:in-reply-to
         :content-disposition:mime-version:references:message-id:subject:cc
         :to:from:date:arc-authentication-results;
        bh=WGrCsUdZUs7mOu6cunvuLZ4Glrb++i8nEXbAeYAr8kE=;
        b=M4DP10ZVEwkwgpQVIEfgYlPpt2+CvqqPdJ7//98mE6svT09pDD9RVIfi8ldxoMQQ+8
         eh009q1B9exCkigNQ1ncSGBT/deaH6LwoJwGeHcg4g79MzaJfAHY17NmXba1iomFnMsr
         xZ0f8KslK5NWFqiksmI/7o2rUUeKUPuYH71a8nftZ5TFlgYMi6Q6/iLOXFbnPN68d0RI
         zyVGj0saNZWtf5tcP4M7Lo0XsTEC81kqt9Fg8gaDBZpovFMAGXXyvBX5jy7jgAgeaehO
         F+U7zanpJNyw/XDB+lC/sNfjdFcFLcYg7TyJnwX3XPVypAH9aJc2iho3CNucjPusaFqx
         FDpQ==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id h128si6917506pgc.574.2018.01.18.14.51.12;
        Thu, 18 Jan 2018 14:51:26 -0800 (PST)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S932523AbeARWtd (ORCPT <rfc822;xc.haze2010@gmail.com>
        + 99 others); Thu, 18 Jan 2018 17:49:33 -0500
Received: from atrey.karlin.mff.cuni.cz ([195.113.26.193]:38651 "EHLO
        atrey.karlin.mff.cuni.cz" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S932131AbeARWt0 (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Thu, 18 Jan 2018 17:49:26 -0500
Received: by atrey.karlin.mff.cuni.cz (Postfix, from userid 512)
        id 06EB280186; Thu, 18 Jan 2018 23:49:24 +0100 (CET)
Date:   Thu, 18 Jan 2018 23:49:24 +0100
From:   Pavel Machek <pavel@ucw.cz>
To:     Avi Kivity <avi@scylladb.com>
Cc:     "linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>
Subject: Re: Proposal: CAP_PAYLOAD to reduce Meltdown and Spectre mitigation
 costs
Message-ID: <20180118224924.GF17196@amd>
References: <a5398c4e-be02-0de6-5c76-c37320011eef@scylladb.com>
MIME-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha1;
        protocol="application/pgp-signature"; boundary="m1UC1K4AOz1Ywdkx"
Content-Disposition: inline
In-Reply-To: <a5398c4e-be02-0de6-5c76-c37320011eef@scylladb.com>
User-Agent: Mutt/1.5.23 (2014-03-12)
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org


--m1UC1K4AOz1Ywdkx
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

On Sat 2018-01-06 21:33:28, Avi Kivity wrote:
> Meltdown and Spectre mitigations focus on protecting the kernel from a
> hostile userspace. However, it's not a given that the kernel is the most
> important target in the system. It is common in server workloads that a
> single userspace application contains the valuable data on a system, and =
if
> it were hostile, the game would already be over, without the need to
> compromise the kernel.
>=20
>=20
> In these workloads, a single application performs most system calls, and =
so
> it pays the cost of protection, without benefiting from it directly (since
> it is the target, rather than the kernel).
>=20
>=20
> I propose to create a new capability, CAP_PAYLOAD, that allows the system
> administrator to designate an application as the main workload in that
> system. Other processes (like sshd or monitoring daemons) exist to support
> it, and so it makes sense to protect the rest of the system from their be=
ing
> compromised.

prctl(I_AM_PAYLOAD) may do the trick. CAP_PAYLOAD is bad idea.

prctl() should require some pretty heavy capabilities, similar to
iopl() / ioperm() syscalls on x86, maybe CAP_SYS_RAWIO. Maybe it can
depend on some other capability.

But merely having the capability should definitely not change system
behaviour.

									Pavel
--=20
(english) http://www.livejournal.com/~pavelmachek
(cesky, pictures) http://atrey.karlin.mff.cuni.cz/~pavel/picture/horses/blo=
g.html

--m1UC1K4AOz1Ywdkx
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: Digital signature

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iEYEARECAAYFAlphJHQACgkQMOfwapXb+vKFjACghBiwRI5ZSJsaI7NSiRIE4g+A
BoYAn1R1JpEWGwcjFJxbQVVWhTfJnyZN
=HhHH
-----END PGP SIGNATURE-----

--m1UC1K4AOz1Ywdkx--