Received: by 2002:ac0:a594:0:0:0:0:0 with SMTP id m20-v6csp1343253imm; Tue, 22 May 2018 02:30:25 -0700 (PDT) X-Google-Smtp-Source: AB8JxZrJCjxjD+TZuo8iXjO2Ov5EoUnJhGOtEFWaaE2CzXJWCk1/AejBONnKfQB1IP4x6EKHZij+ X-Received: by 2002:a17:902:8f84:: with SMTP id z4-v6mr24247178plo.194.1526981425337; Tue, 22 May 2018 02:30:25 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1526981425; cv=none; d=google.com; s=arc-20160816; b=S3iIQk4ny1BlHj2NJVssglMNHSf44A+43v0i32HWVdukm9+vn/Ouqjt78B2IqPNMOA QiPRSbFhKRCoeTo9RY6QSW1AmL4E+qdkRRl/T8Rpndr8gR1jqIlgc2JuBawrPflmfNxN VpfCLtkm6IaoqXKHBFgqMcGXzZ9CQ/9At4lhoZ9RlELpef+/BUE6uRGDMHqBgKpUFiOd 3WwYobJOn4b32BF+b2x0WWNbCI78QcxebHO8xWd3lXW8HgQAX1oVDxnugPU/ZjMTXEba EBak8JTiQVz4OWcPmE90y3RSLecvPsf4PDRs/e+q1AvVcP90IgSISKPeZwUBT53+oTis 55TQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding :content-language:in-reply-to:mime-version:user-agent:date :message-id:from:references:cc:to:subject:dkim-signature :arc-authentication-results; bh=fH8ENijwTDJbdCjhx70OelVlMD65opBRHIFRWfN1hXg=; b=SEek/wGMmq1KuF43jedH866TmAqqW5Aml5Avdx68fzu4IIVNuHyNKayBCI9F6tge0w WJHLFTz2QInVWMbwRSiKpLfKrTw+vi/VaBce7C5T316hXb7moCg0JaAt1egXbPk7Ik1x NzrkQH9QuMxfXWkU45Q5yz1D0JbfSPOvGpKW5kTsSU547Vydyd28dur+5if+lySEnYEP TjnJb2TVAEIP0u4uPB6SmLWXqCc97ELjRAEu5wxK6u5u+ZdiJv5nODsixR052+BBqQNk JaUrrl0XdmffRxc9/x9QNJfRUy8/qlFECJOKMNoVviW5X71nBy8XICQpi5Cs/ggzJeVI eXBw== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@ursulin-net.20150623.gappssmtp.com header.s=20150623 header.b=AdPBXfXA; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id c11-v6si15416576pls.76.2018.05.22.02.30.10; Tue, 22 May 2018 02:30:25 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@ursulin-net.20150623.gappssmtp.com header.s=20150623 header.b=AdPBXfXA; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1751287AbeEVJ3f (ORCPT + 99 others); Tue, 22 May 2018 05:29:35 -0400 Received: from mail-wr0-f195.google.com ([209.85.128.195]:39363 "EHLO mail-wr0-f195.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1750707AbeEVJ3c (ORCPT ); Tue, 22 May 2018 05:29:32 -0400 Received: by mail-wr0-f195.google.com with SMTP id w18-v6so15102564wrn.6 for ; Tue, 22 May 2018 02:29:31 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ursulin-net.20150623.gappssmtp.com; s=20150623; h=subject:to:cc:references:from:message-id:date:user-agent :mime-version:in-reply-to:content-language:content-transfer-encoding; bh=fH8ENijwTDJbdCjhx70OelVlMD65opBRHIFRWfN1hXg=; b=AdPBXfXAx92A7qeCXS9qU8oN7pHrTbD2caKgvCUhiwZKlRlep6WLb3jkuzpa1PSmn2 JvH9215QUoWjpw76R/PTtHuka7vuyVepnoyEXosBps3x0q3BeOW3APFslGSDT6KUVK3g j+HO/aQnxJBj1sfIsF7aYZKjc+3B4I5OLgYni3AP0epwcjYNXQ9ivCK2DAoTcx24JKT4 Y0Eckqwdb0BfhmeaDrXZSvaT6rjI2mCSFink4WeyqtXAVg0JoMsHveb/aJDrzOqTsEt5 SJsDktYBTrogD8rb3U5Tf0OaPxaq3OSCwBGxEAVaj1UFbbKstAD7G/HvpwQVEdgL1+3R pBmA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:subject:to:cc:references:from:message-id:date :user-agent:mime-version:in-reply-to:content-language :content-transfer-encoding; bh=fH8ENijwTDJbdCjhx70OelVlMD65opBRHIFRWfN1hXg=; b=Kucs3DmvYtUGjuLk/slNQSU8xxgWzJ6M22gBsG5UfVSqzFzBBxwB+wKq3QUD3ZpUF9 Ll9kOfkEzUXIjN4YtZyqZ9Up1tHHqXzUXH3M3QMpN+YCExGd0DPlyR2SYIjEFOBO+E6C x5PrOzavR7WYw2ZYLkvfwM21mGkeOQYxoaW4cx7LJvxWqJIAhYX3K4z61FR791OlBXpu umfV8Q9uokhW72aEmOK8AU0tItrOKFajx1Ia+pxefUCWju+qxfJMQZ+hyV5C6zInVGbu ofjKi4yzRl4EEs1nMy80MnW4endcxUsAUUU45Er77VWmeFJTIHN5bm/h7x++QGkQuFv4 uT/Q== X-Gm-Message-State: ALKqPwdNk29FyiC2E1FkmiapIJ7TXbwltXv0rBGSxZv6YoMyryskS7Zx 1D90Ji1LGA7xtY4P0XVrvCmznQ== X-Received: by 2002:adf:eb52:: with SMTP id u18-v6mr872296wrn.252.1526981371136; Tue, 22 May 2018 02:29:31 -0700 (PDT) Received: from [192.168.0.197] ([95.146.151.144]) by smtp.googlemail.com with ESMTPSA id f6-v6sm9288571wrj.63.2018.05.22.02.29.29 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Tue, 22 May 2018 02:29:30 -0700 (PDT) Subject: Re: [RFC] perf: Allow fine-grained PMU access control To: Peter Zijlstra Cc: linux-kernel@vger.kernel.org, Tvrtko Ursulin , Ingo Molnar , Arnaldo Carvalho de Melo , Alexander Shishkin , Jiri Olsa , Namhyung Kim , Mark Rutland , Tvrtko Ursulin References: <20180521092549.5349-1-tvrtko.ursulin@linux.intel.com> <20180522090527.GP12198@hirez.programming.kicks-ass.net> From: Tvrtko Ursulin Message-ID: <017c4a20-b597-9c0e-4cf3-c0fd1d7bf3d7@ursulin.net> Date: Tue, 22 May 2018 10:29:29 +0100 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.7.0 MIME-Version: 1.0 In-Reply-To: <20180522090527.GP12198@hirez.programming.kicks-ass.net> Content-Type: text/plain; charset=utf-8; format=flowed Content-Language: en-US Content-Transfer-Encoding: 7bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On 22/05/18 10:05, Peter Zijlstra wrote: > On Mon, May 21, 2018 at 10:25:49AM +0100, Tvrtko Ursulin wrote: >> From: Tvrtko Ursulin >> >> For situations where sysadmins might want to allow different level of >> of access control for different PMUs, we start creating per-PMU >> perf_event_paranoid controls in sysfs. > > Could you explain how exactly this makes sense? > > For example, how does it make sense for one PMU to reveal kernel data > while another PMU is not allowed. > > Once you allow one PMU to do so, the secret is out. > > So please explain, in excruciating detail, how you want to use this and > how exactly that makes sense from a security pov. Not sure it will be excruciating but will try to explain once again. There are two things: 1. i915 PMU which exports data such as different engine busyness levels. (Perhaps you remember, you helped us implement this from the perf API angle.) 2. Customers who want to look at those stats in production. They want to use it to answer questions such as: a) How loaded is my server and can it take one more of X type of job? b) What is the least utilised video engine to submit the next packet of work to? c) What is the least utilised server to schedule the next transcoding job on? Current option for them is to turn off the global paranoid setting which then enables unprivileged access to _all_ PMU providers. To me it sounded quite logical that it would be better for the paranoid knob to be more fine-grained, so that they can configure their servers so only access to needed data is possible. I am not sure what do you mean by "Once you allow one PMU to do so, the secret is out."? What secret? Are you implying that enabling unprivileged access to i915 engine busyness data opens up access to CPU PMU's as well via some side channel? Regards, Tvrtko >> These work in equivalent fashion as the existing perf_event_paranoid >> sysctl, which now becomes the parent control for each PMU. >> >> On PMU registration the global/parent value will be inherited by each PMU, >> as it will be propagated to all registered PMUs when the sysctl is >> updated. >> >> At any later point individual PMU access controls, located in >> /device//perf_event_paranoid, can be adjusted to achieve >> fine grained access control. >> >