Received: by 2002:ac0:a5a6:0:0:0:0:0 with SMTP id m35-v6csp887093imm; Fri, 28 Sep 2018 08:24:18 -0700 (PDT) X-Google-Smtp-Source: ACcGV62TcaJiramaNPZhNjAHL+YIT/+ExJ8X+VOP4hl64ql2UC+b9Sbnepjah5yvJz6EpxVr8kkS X-Received: by 2002:a63:5d03:: with SMTP id r3-v6mr978431pgb.445.1538148258101; Fri, 28 Sep 2018 08:24:18 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1538148258; cv=none; d=google.com; s=arc-20160816; b=CIphvQTq1ePSc+t0yNt2ypou7J2la/KJcyny2w35YbUNOV8ny8jQ7Z4l5rzbqp2K2x GvpfVU6tDtA5ut5isYHeGPJm9TDaPEiO7GrzUTySAUgRe09qpb1hABHBEUTu8Us3f1Bw S0goOD41AYbA/Lza5DWdvMmzcpWXkm4gjPIEdrZoApiIqqMRgAsbRf9XDxQiOeohPPct V+n5/vyT/DjR6svYBzb9UAfMFS4FIsMtjdkDGFfo/BubR6F/JTWesRhavqgO2kcCrfAo KIpekC6YKeOnZUUWBq8th5gt6Elw2FBc8ZcIltvBxJ5OOqKMQkdGFaPBu8BJf1ku5SKp 85mQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:mime-version:user-agent:references :message-id:in-reply-to:subject:cc:to:from:date; bh=v3nD7aIdOJUj+Kv5ZVbbPfGng2GsbJb0BMwbbgjR5Bg=; b=F3MFcFjKrVm0WlU9InTq/d468bcTF+04U7l3Je0eIKQRIJ8Y5lgxDM/5ZM3Svhjq1S qeSMeQPl0nAeJS17/OFL5vjtrbenxbuczv0jImjuFW+yk8U98k2PNgShrhJm7+WrM1Q8 lzKGM7gUYwvjcPXcXQqEInAd/qHb3Y/U9LTKKPY9yt/P91sx8Ug+utZvhhkn60MdwZwk Cy7hy4gpxYNjsgV6I5D0fKnJJcfwZY47QHl6tEx5sNnr3f76UqYvA6MkJPD3l2Au4vk3 UOhJKwiTj3OBjPPufEr00t/C48rD8kGd1xMNzjJkY/1cANPbr/d7TbeHd4cFSotX4qzq YMIg== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id q90-v6si5196611pfa.272.2018.09.28.08.24.01; Fri, 28 Sep 2018 08:24:18 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1728765AbeI1VsM (ORCPT + 99 others); Fri, 28 Sep 2018 17:48:12 -0400 Received: from Galois.linutronix.de ([146.0.238.70]:54685 "EHLO Galois.linutronix.de" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726345AbeI1VsL (ORCPT ); Fri, 28 Sep 2018 17:48:11 -0400 Received: from hsi-kbw-5-158-153-52.hsi19.kabel-badenwuerttemberg.de ([5.158.153.52] helo=nanos.tec.linutronix.de) by Galois.linutronix.de with esmtpsa (TLS1.2:DHE_RSA_AES_256_CBC_SHA256:256) (Exim 4.80) (envelope-from ) id 1g5ucT-000182-3a; Fri, 28 Sep 2018 17:23:53 +0200 Date: Fri, 28 Sep 2018 17:23:52 +0200 (CEST) From: Thomas Gleixner To: Tvrtko Ursulin cc: Tvrtko Ursulin , LKML , Peter Zijlstra , x86@kernel.org, "H. Peter Anvin" , Arnaldo Carvalho de Melo , Alexander Shishkin , Jiri Olsa , Namhyung Kim , Madhavan Srinivasan , Andi Kleen , Alexey Budankov , Kees Cook , Jann Horn Subject: Re: [RFC 0/5] perf: Per PMU access controls (paranoid setting) In-Reply-To: <732fdf91-0b44-e71d-f943-66ba63b5776f@linux.intel.com> Message-ID: References: <20180919122751.12439-1-tvrtko.ursulin@linux.intel.com> <732fdf91-0b44-e71d-f943-66ba63b5776f@linux.intel.com> User-Agent: Alpine 2.21 (DEB 202 2017-01-01) MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Tvrtko, On Fri, 28 Sep 2018, Tvrtko Ursulin wrote: > On 28/09/2018 15:02, Thomas Gleixner wrote: > > > Presumably you see adding fine grained control as diminishing the overall > > > security rather than raising it? Could you explain why? Because > > > incompetent > > > sysadmin will turn it off for some PMU, while without having the > > > fine-grained > > > control they wouldn't turn it off globally? > > > > I did not say at all that this might be diminishing security. And the > > argumentation with 'incompetent sysadmins' is just the wrong attitude. > > Wrong attitude what? I was trying to guess your reasoning (cues in > "presumably" and a lot of question marks) since it wasn't clear to me why is > your position what it is. Guessing my reasonings has nothing to do with you mentioning incompentent sysadmins. > > What I was asking for is proper documentation and this proper documentation > > is meant for _competent_ sysadmins. > > > > That documentation has to clearly describe what kind of information is > > accessible and what potential side effects security wise this might > > have. You cannot expect that even competent sysadmins know offhand what > > which PMU might expose. And telling them 'Use Google' is just not the right > > thing to do. > > I did not mention Google. I did not say that you mentioned google. But what is a sysadmin supposed to do when there is no documentation aside of using google? And not having documentation is basically the same thing as telling them to use google. > > If you can't explain and document it, then providing the knob is just > > fulfilling somebodys 'I want a pony' request. > > Well it's not a pony, it is mechanism to avoid having to turn off all > security. We can hopefully discuss it without ponies. If you want to make a pettifogger contest out of this discussion, then we can stop right here. I explained it technically why just adding a knob without further explanation and analysis is not acceptable. > > And the same is required for all other PMUs which can be enabled in the > > same way for unprivileged access. And we might as well come to the > > conclusion via analysis that for some PMUs unpriviledged access is just not > > a good idea and exclude them. I surely know a few which qualify for > > exclusion, so the right approach is to provide this knob only when the risk > > is analyzed and documented and the PMU has been flagged as candidate for > > unpriviledged exposure. I.e. opt in and not opt out. > > I am happy to work on the mechanics of achieving this once the security guys > and all PMU owners get involved. Even though I am not convinced the bar to > allow fine-grained control should be evaluating all possible PMUs*, but if the > security folks agree that is the case it is fine by me. Making the knob opt in per PMU does not need all PMU owners to be involved. It allows to add the opt in flag on a case by case basis. > *) The part of my reply you did not quote explains how the fine-grained > control improves security in existing deployments. The documentation I added > refers to the existing perf_event_paranoid documentation for explanation of > security concerns involved. Which is not much in itself. But essentially we > both have a PMU and a knob already. I don't see why adding the same knob > per-PMU needs much more stringent criteria to be accepted. But as said, that's > for security people to decide. The fact, that the existing knob is poorly documented does make an excuse for adding more knobs without documentation. Quite the contrary, if we notice that the existing knob lacks proper documentation, then we should fix that first. Thanks, tglx