Received: by 2002:ac0:a5a6:0:0:0:0:0 with SMTP id m35-v6csp972987imm;
        Fri, 28 Sep 2018 09:43:30 -0700 (PDT)
X-Google-Smtp-Source: ACcGV60rrMXSI1Y6uABiCRUk97oZ8D4t4dNeUrQHrxUy/3DI5qY6kUMfDcivmhfjJqaAQ9u3Jr0k
X-Received: by 2002:a63:d502:: with SMTP id c2-v6mr15938435pgg.324.1538153010281;
        Fri, 28 Sep 2018 09:43:30 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1538153010; cv=none;
        d=google.com; s=arc-20160816;
        b=Iwv380fZdd7tGe+vt3HsXd5UpNDKq2nuMyOL6Jk/JN0O4tFud2d++gGmNIza64wffC
         ItnOMckkb6FRzIWEZgd3ZHvnLHEoppoWgwTbSi8QKgJwMtpBvyktQnH/FdOAYiuwtbQn
         /Dzi1bqTE2tspcFZ06EwLsjd4o+Vx4cxu3CpwDWzmoPTEiEdJfaKju8TljIFmtE/RZkb
         jC4npoqlPNXXPQ1eZcMsmxuotm8HYXxhUJt/SJJVUOhN5K7sWuUy9kOiUHVHwH6bmAiH
         aesRkHbuqTuNrLOy3N5FirF8PcSV44XtKc+aGVr26iQqYpkJHwOTRos0Wi74ABjohiqt
         iP9Q==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:user-agent:in-reply-to
         :content-disposition:mime-version:references:message-id:subject:cc
         :to:from:date;
        bh=xEon22LlWIApZSgcgccep2vPfLIGKRlF4gRY+rV7GWo=;
        b=z/VH0ulUxiLvuqUqcxCKP+554qWCCNewf8bqeg7s+2d4ycZ6VbqJr8zR/UHvjptiSf
         RPVa8Jtj3QALwF5QDer5eE6nQSCdny0iPhTmORt9BsCkh6VltwR5iCW1mwNVBED5Ku14
         YIg75OvBPiAMtNPzXLdeS9SPEfT8jny03dXtNzcef1Zd8n6c+cdMr1t81P60P9J+maPR
         Pax5A5XSUqB28mtke0PSqJTZcgg0XGe/3seRJEevvU6jGaJ0nJnJMtdENZfA/xAecbdA
         rgrAV20ZYkILaWjs1rpFo1DEIHWfbfcsO9mebeYm/WibN/KVkA9W9Oky10eaXfUaF0mp
         QawQ==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id l9-v6si5062791pgg.622.2018.09.28.09.43.14;
        Fri, 28 Sep 2018 09:43:30 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1729124AbeI1XFx (ORCPT <rfc822;1990.zhangzhen@gmail.com>
        + 99 others); Fri, 28 Sep 2018 19:05:53 -0400
Received: from usa-sjc-mx-foss1.foss.arm.com ([217.140.101.70]:53428 "EHLO
        foss.arm.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
        id S1728451AbeI1XFw (ORCPT <rfc822;linux-kernel@vger.kernel.org>);
        Fri, 28 Sep 2018 19:05:52 -0400
Received: from usa-sjc-imap-foss1.foss.arm.com (unknown [10.72.51.249])
        by usa-sjc-mx-foss1.foss.arm.com (Postfix) with ESMTP id 0EFFF7A9;
        Fri, 28 Sep 2018 09:41:17 -0700 (PDT)
Received: from lakrids.cambridge.arm.com (usa-sjc-imap-foss1.foss.arm.com [10.72.51.249])
        by usa-sjc-imap-foss1.foss.arm.com (Postfix) with ESMTPSA id 480BA3F5BD;
        Fri, 28 Sep 2018 09:41:14 -0700 (PDT)
Date:   Fri, 28 Sep 2018 17:41:11 +0100
From:   Mark Rutland <mark.rutland@arm.com>
To:     Thomas Gleixner <tglx@linutronix.de>
Cc:     Tvrtko Ursulin <tursulin@ursulin.net>,
        LKML <linux-kernel@vger.kernel.org>,
        tvrtko.ursulin@linux.intel.com,
        Peter Zijlstra <peterz@infradead.org>, x86@kernel.org,
        "H. Peter Anvin" <hpa@zytor.com>,
        Arnaldo Carvalho de Melo <acme@kernel.org>,
        Alexander Shishkin <alexander.shishkin@linux.intel.com>,
        Jiri Olsa <jolsa@redhat.com>,
        Namhyung Kim <namhyung@kernel.org>,
        Madhavan Srinivasan <maddy@linux.vnet.ibm.com>,
        Andi Kleen <ak@linux.intel.com>,
        Alexey Budankov <alexey.budankov@linux.intel.com>,
        Kees Cook <keescook@chromium.org>, Jann Horn <jannh@google.com>
Subject: Re: [RFC 0/5] perf: Per PMU access controls (paranoid setting)
Message-ID: <20180928164111.i6nba2j6mnegwslw@lakrids.cambridge.arm.com>
References: <20180919122751.12439-1-tvrtko.ursulin@linux.intel.com>
 <alpine.DEB.2.21.1809281151190.2004@nanos.tec.linutronix.de>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <alpine.DEB.2.21.1809281151190.2004@nanos.tec.linutronix.de>
User-Agent: NeoMutt/20170113 (1.7.2)
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Fri, Sep 28, 2018 at 12:26:52PM +0200, Thomas Gleixner wrote:
> On Wed, 19 Sep 2018, Tvrtko Ursulin wrote:
> 
> It would be very helpful if you cc all involved people on the cover letter
> instead of just cc'ing your own pile of email addresses. CC'ed now.
> 
> > For situations where sysadmins might want to allow different level of
> > access control for different PMUs, we start creating per-PMU
> > perf_event_paranoid controls in sysfs.
> > 
> > These work in equivalent fashion as the existing perf_event_paranoid
> > sysctl, which now becomes the parent control for each PMU.
> > 
> > On PMU registration the global/parent value will be inherited by each PMU,
> > as it will be propagated to all registered PMUs when the sysctl is
> > updated.
> > 
> > At any later point individual PMU access controls, located in
> > <sysfs>/device/<pmu-name>/perf_event_paranoid, can be adjusted to achieve
> > fine grained access control.
> > 
> > Discussion from previous posting:
> > https://lkml.org/lkml/2018/5/21/156
> 
> This is really not helpful. The cover letter and the change logs should
> contain a summary of that discussion and a proper justification of the
> proposed change. Just saying 'sysadmins might want to allow' is not useful
> at all, it's yet another 'I want a pony' thing.
> 
> I read through the previous thread and there was a clear request to involve
> security people into this. Especially those who are deeply involved with
> hardware side channels. I don't see anyone Cc'ed on the whole series.
> 
> For the record, I'm not buying the handwavy 'more noise' argument at
> all. It wants a proper analysis and we need to come up with criteria which
> PMUs can be exposed at all.
> 
> All of this want's a proper documentation clearly explaining the risks and
> scope of these knobs per PMU. Just throwing magic knobs at sysadmins and
> then saying 'its their problem to figure it out' is not acceptable.

There's also been prior discussion on these feature in other contexts
(e.g. android expoits resulting from out-of-tree drivers). It would be
nice to see those considered.

IIRC The conclusion from prior discussions (e.g. [1]) was that we wanted
finer granularity of control such that we could limit PMU access to
specific users -- e.g. disallow arbitrary android apps from poking *any*
PMU, while allowing some more trusted apps/users to uses *some* specific
PMUs.

e.g. we could add /sys/bus/event_source/devices/${PMU}/device, protect
this via the usual fs ACLs, and pass the fd to perf_event_open()
somehow. A valid fd would act as a capability, taking precedence over
perf_event_paranoid.

Thanks,
Mark.

[1] https://patchwork.kernel.org/patch/9249919/