Received: by 2002:a25:ab43:0:0:0:0:0 with SMTP id u61csp5040453ybi;
        Tue, 28 May 2019 06:38:38 -0700 (PDT)
X-Google-Smtp-Source: APXvYqwKpyyGxqvVNwPhoyZXdVafaPZ9S+A6cB5id+vTHFstKVALGeurmtuN2MUZvoBxBZz9pYaj
X-Received: by 2002:a17:90a:238d:: with SMTP id g13mr6388788pje.0.1559050717910;
        Tue, 28 May 2019 06:38:37 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1559050717; cv=none;
        d=google.com; s=arc-20160816;
        b=mtWQJ0HU4Nkr+EXYS6RI03sUkZUo0m5cIoWVoyRNeh+9PhmUwh1e+ochQgQ+zb5N0U
         BR4q/7Ih61NDs5fGa9uiUoh0gNBIlU3ymQ8nD5oi8e6HMLJ7nuA6g+Qwkc2jljAKnhTw
         UDYpV4sn3HWedGeCrxfMdiYqZ5njDhbeprVil687i1uSj1MUWcAgDBQGG25MMOx0z5NM
         35zi5vsQDZm/b4PImu1WmWTIJQvh0/f7VSbz5U8uP8N/Y1CDLYS9Iz6p7AdiFtArJXry
         7yV9gCIRD9iatIxcA5mClOR7+/V5CWvSf7OSDxMhx9KkjheEjjO5ujVwA3hTZ8bWbmv7
         QYQg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:user-agent:in-reply-to
         :content-disposition:mime-version:references:mail-followup-to
         :message-id:subject:cc:to:from:date;
        bh=A/lNwIoTFgv1YfTqhLDyq7Wydj2GOPy4bjS266ljLHs=;
        b=bLHFwd0bdbx9bvwUHzWkRbwX4MCTgE7giN52dKToOIF3XHUHCJZKIyhr6ll1tZpleX
         McxICTcVQwysAOUI6VpRL96W7nimK447cHrJb5TbGCGMA3DUtFNDF/vzBrWnknWL/yoW
         Tf1T37H37sBSIdAbl5TWi9B/m2E47g2mtUCanMU9YLswSjSaFND8YJhHZY30RE23sPSt
         55xQrtKtBJmCrTHeCdme2NQwdSvSkA/3FGViOrCpCBmvBRk23GVAo0Jqy4K2wSsiX1gD
         k0p3+68QuujHTv+oYAAHu898xP6Pmkc5x/HDcG6aOLxUL071jRuTjrzH8kYzxO/uqQNB
         diGw==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id z127si14958241pgb.71.2019.05.28.06.38.21;
        Tue, 28 May 2019 06:38:37 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1727228AbfE1Nfi (ORCPT <rfc822;yingkeliu@gmail.com> + 99 others);
        Tue, 28 May 2019 09:35:38 -0400
Received: from outgoing-auth-1.mit.edu ([18.9.28.11]:53752 "EHLO
        outgoing.mit.edu" rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org
        with ESMTP id S1726924AbfE1Nfh (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Tue, 28 May 2019 09:35:37 -0400
Received: from callcc.thunk.org ([66.31.38.53])
        (authenticated bits=0)
        (User authenticated as tytso@ATHENA.MIT.EDU)
        by outgoing.mit.edu (8.14.7/8.12.4) with ESMTP id x4SDXlm5010515
        (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT);
        Tue, 28 May 2019 09:33:48 -0400
Received: by callcc.thunk.org (Postfix, from userid 15806)
        id 794F7420481; Tue, 28 May 2019 09:33:47 -0400 (EDT)
Date:   Tue, 28 May 2019 09:33:47 -0400
From:   "Theodore Ts'o" <tytso@mit.edu>
To:     "Reshetova, Elena" <elena.reshetova@intel.com>
Cc:     Kees Cook <keescook@chromium.org>, Ingo Molnar <mingo@kernel.org>,
        Andy Lutomirski <luto@kernel.org>,
        David Laight <David.Laight@aculab.com>,
        Eric Biggers <ebiggers3@gmail.com>,
        "ebiggers@google.com" <ebiggers@google.com>,
        "herbert@gondor.apana.org.au" <herbert@gondor.apana.org.au>,
        Peter Zijlstra <peterz@infradead.org>,
        Daniel Borkmann <daniel@iogearbox.net>,
        "linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>,
        "jpoimboe@redhat.com" <jpoimboe@redhat.com>,
        "jannh@google.com" <jannh@google.com>,
        "Perla, Enrico" <enrico.perla@intel.com>,
        "mingo@redhat.com" <mingo@redhat.com>,
        "bp@alien8.de" <bp@alien8.de>,
        "tglx@linutronix.de" <tglx@linutronix.de>,
        "gregkh@linuxfoundation.org" <gregkh@linuxfoundation.org>,
        "Edgecombe, Rick P" <rick.p.edgecombe@intel.com>,
        Linus Torvalds <torvalds@linux-foundation.org>,
        Peter Zijlstra <a.p.zijlstra@chello.nl>
Subject: Re: [PATCH] x86/entry/64: randomize kernel stack offset upon syscall
Message-ID: <20190528133347.GD19149@mit.edu>
Mail-Followup-To: Theodore Ts'o <tytso@mit.edu>,
        "Reshetova, Elena" <elena.reshetova@intel.com>,
        Kees Cook <keescook@chromium.org>, Ingo Molnar <mingo@kernel.org>,
        Andy Lutomirski <luto@kernel.org>,
        David Laight <David.Laight@aculab.com>,
        Eric Biggers <ebiggers3@gmail.com>,
        "ebiggers@google.com" <ebiggers@google.com>,
        "herbert@gondor.apana.org.au" <herbert@gondor.apana.org.au>,
        Peter Zijlstra <peterz@infradead.org>,
        Daniel Borkmann <daniel@iogearbox.net>,
        "linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>,
        "jpoimboe@redhat.com" <jpoimboe@redhat.com>,
        "jannh@google.com" <jannh@google.com>,
        "Perla, Enrico" <enrico.perla@intel.com>,
        "mingo@redhat.com" <mingo@redhat.com>,
        "bp@alien8.de" <bp@alien8.de>,
        "tglx@linutronix.de" <tglx@linutronix.de>,
        "gregkh@linuxfoundation.org" <gregkh@linuxfoundation.org>,
        "Edgecombe, Rick P" <rick.p.edgecombe@intel.com>,
        Linus Torvalds <torvalds@linux-foundation.org>,
        Peter Zijlstra <a.p.zijlstra@chello.nl>
References: <20190508113239.GA33324@gmail.com>
 <2236FBA76BA1254E88B949DDB74E612BA4C762F7@IRSMSX102.ger.corp.intel.com>
 <20190509055915.GA58462@gmail.com>
 <2236FBA76BA1254E88B949DDB74E612BA4C7741F@IRSMSX102.ger.corp.intel.com>
 <20190509084352.GA96236@gmail.com>
 <CALCETrV1067Es=KEjkz=CtdoT79a2EJg4dJDae6oGDiTaubL1A@mail.gmail.com>
 <201905111703.5998DF5F@keescook>
 <20190512080245.GA7827@gmail.com>
 <201905120705.4F27DF3244@keescook>
 <2236FBA76BA1254E88B949DDB74E612BA4CA8DBF@IRSMSX102.ger.corp.intel.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <2236FBA76BA1254E88B949DDB74E612BA4CA8DBF@IRSMSX102.ger.corp.intel.com>
User-Agent: Mutt/1.10.1 (2018-07-13)
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

I confess I've kind of lost the plot on the performance requirements
at this point.  Instead of measuring and evaluating potential
solutions, can we try to approach this from the opposite direction and
ask what the requirements are?

What's the maximum number of CPU cycles that we are allowed to burn
such that we can meet the 1-2% overhead?

And how many bits of uncertainty are we trying to present to the
attacker?  What's the minimum beyond we shouldn't bother?  (Perhaps
because rdtsc will give us that many bits?)  And does that change if
we vary the reseed window in terms of the number of system calls
between reseeding?

And what are the ideal parameters after which point we're just gilding
the lily?

					- Ted