Date: Thu, 18 Jan 2018 23:49:24 +0100
From: Pavel Machek
To: Avi Kivity
Cc: linux-kernel@vger.kernel.org
Subject: Re: Proposal: CAP_PAYLOAD to reduce Meltdown and Spectre mitigation costs
Message-ID: <20180118224924.GF17196@amd>

On Sat 2018-01-06 21:33:28, Avi Kivity wrote:
> Meltdown and Spectre mitigations focus on protecting the kernel from a
> hostile userspace. However, it's not a given that the kernel is the most
> important target in the system. It is common in server workloads that a
> single userspace application contains the valuable data on a system, and if
> it were hostile, the game would already be over, without the need to
> compromise the kernel.
>
> In these workloads, a single application performs most system calls, and so
> it pays the cost of protection, without benefiting from it directly (since
> it is the target, rather than the kernel).
>
> I propose to create a new capability, CAP_PAYLOAD, that allows the system
> administrator to designate an application as the main workload in that
> system. Other processes (like sshd or monitoring daemons) exist to support
> it, and so it makes sense to protect the rest of the system from their being
> compromised.

prctl(I_AM_PAYLOAD) may do the trick. CAP_PAYLOAD is a bad idea.

prctl() should require some pretty heavy capabilities, similar to the iopl() / ioperm() syscalls on x86, maybe CAP_SYS_RAWIO. Maybe it can depend on some other capability. But merely having the capability should definitely not change system behaviour.

Pavel

--
(english) http://www.livejournal.com/~pavelmachek
(Czech, pictures) http://atrey.karlin.mff.cuni.cz/~pavel/picture/horses/blog.html