Received: by 2002:ac0:a5a6:0:0:0:0:0 with SMTP id m35-v6csp1192592imm; Fri, 28 Sep 2018 13:47:15 -0700 (PDT) X-Google-Smtp-Source: ACcGV61RFezz3uw63k1lqDn8ttKab0GzIjtl5TnXCwPg4Hda0SVHbtKGbxMMeG0qVt06wA4Psixo X-Received: by 2002:a65:4242:: with SMTP id d2-v6mr246159pgq.265.1538167635230; Fri, 28 Sep 2018 13:47:15 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1538167635; cv=none; d=google.com; s=arc-20160816; b=CH+ZwDnG1gEpF9HRfeb3im88dZ6vIjztpXh46G5R5KKQuOi09ZgVoH6YWax/BAQ+kF ffUGWOCItFIOzsvY0p7RrUWPDFH0jj1GhAa6zB8S04gJMuDgE18X4wjNBOlXoJ93nztx BRgM5WB+O6DNZ71vMet5F96MGgTcUkW+cwXo9Q5zRhHnn+UNKy36BsABEyIbqPYmlpz/ TTZErrSUbZNmNDsX3KfaAguK20xyHE1yIaJVB4TAGy5XQIEStXUSafnqkFsfaZ0Cyvxc Ek8+RS3U7zYc4qSnzx1pA/70ZE+GGT6Jgm4BXAtSEwvB+ActzIdzLRjgqrCY61u96ViF XAKQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:user-agent:in-reply-to :content-disposition:mime-version:references:message-id:subject:cc :to:from:date; bh=0pZQKVoEQQgG0iqo2HPywBZ02pcOdqQRhcn7M+VvoLA=; b=ad4kbsIoFURKyvEk8yCM1Tb2bnlpHUS60Y7ZqWakdL4nnblpSNOpBOPj2p+yfqf1td 7hESpNDL8MBg4cVRukAUW+TxKqnMrO2xB+n6kKDCWTA7pEEoLG4mw7CbOblCnnmx9XSX TkhEFz8tNoWDKacCtaWc0b+AOzb4GdbXN1fCLahXU/eutkjTFMEM1LplYrEmFmTjWCnN NKfQ5ix2bTGdZ286RUHzxGksQm0WKT4MX6I6PheMrr5lY0ijVXBBb6oSWSViOcC49/is ZG6fdeFIu4hcqnykc6Av3z8JAOIHXirD8DbKOdXTrMGUVQgrJT/K6fRpAcxVDC3ZQd1d URyA== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=intel.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id y15-v6si5885948pfg.124.2018.09.28.13.46.59; Fri, 28 Sep 2018 13:47:15 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=intel.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727096AbeI2DMU (ORCPT + 99 others); Fri, 28 Sep 2018 23:12:20 -0400 Received: from mga03.intel.com ([134.134.136.65]:1537 "EHLO mga03.intel.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726665AbeI2DMU (ORCPT ); Fri, 28 Sep 2018 23:12:20 -0400 X-Amp-Result: UNSCANNABLE X-Amp-File-Uploaded: False Received: from orsmga007.jf.intel.com ([10.7.209.58]) by orsmga103.jf.intel.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 28 Sep 2018 13:46:52 -0700 X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="5.54,316,1534834800"; d="scan'208";a="76963986" Received: from tassilo.jf.intel.com (HELO tassilo.localdomain) ([10.7.201.126]) by orsmga007.jf.intel.com with ESMTP; 28 Sep 2018 13:45:56 -0700 Received: by tassilo.localdomain (Postfix, from userid 1000) id A2AF0300B51; Fri, 28 Sep 2018 13:45:56 -0700 (PDT) Date: Fri, 28 Sep 2018 13:45:56 -0700 From: Andi Kleen To: Thomas Gleixner Cc: Alexey Budankov , Tvrtko Ursulin , Kees Cook , Jann Horn , Tvrtko Ursulin , LKML , Peter Zijlstra , x86@kernel.org, "H. Peter Anvin" , Arnaldo Carvalho de Melo , Alexander Shishkin , Jiri Olsa , Namhyung Kim , Madhavan Srinivasan Subject: Re: [RFC 0/5] perf: Per PMU access controls (paranoid setting) Message-ID: <20180928204556.GB32651@tassilo.jf.intel.com> References: <20180919122751.12439-1-tvrtko.ursulin@linux.intel.com> <0feb9867-0040-0306-a95b-4b6df1818312@linux.intel.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: User-Agent: Mutt/1.10.1 (2018-07-13) Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org > Right now we have a single knob, which is poorly documented and that should > be fixed first. But some googling gives you the information that allowing > unprivilegded access is a security risk. So the security focussed sysadmin Ah only if google could simply answer all our questions! > will deny access to the PMUs no matter what. It's not like there is or isn't a security risk and that you can say that it is or it isn't in a global way. Essentially these are channels of information. The channels always exist in form of timing variances for any shared resource (like shared caches or shared memory/IO/interconnect bandwidth) that can be measured. Perfmon counters make the channels generally less noisy, but they do not cause them. To really close them completely you would need to avoid sharing anything, or not allowing to measure time, neither of which is practical short of an air gap. There are reasonable assesments you can make either way and the answers will be different based on your requirements. There isn't a single answer that works for everyone. There are cases where it isn't a problem at all. If you don't have multiple users on the system your tolerance should be extremely high. For users who have multiple users there can be different tradeoffs. So there isn't a single answer, and that is why it is important that this if configurable. -Andi