Received: by 2002:a05:6a10:8c0a:0:0:0:0 with SMTP id go10csp2526957pxb; Mon, 18 Jan 2021 22:18:01 -0800 (PST) X-Google-Smtp-Source: ABdhPJxwdlyE3bgJPtJvJfocdw8fdY7EDGB9NkndLPcM1+YCdzkPlOMMORPbcCOETt7uLLTqHH3h X-Received: by 2002:a05:6402:4d6:: with SMTP id n22mr2223097edw.27.1611037081083; Mon, 18 Jan 2021 22:18:01 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1611037081; cv=none; d=google.com; s=arc-20160816; b=fJPp7F7d5Ynj3MNzNBC8DzU7vuVPIVFAgWY9+TgoHktZwj/nxJdUE40l4QxWVjlWR1 NdOFRaywz9fDjI8F9NivoK7PWxy8nUPq8/sFpWfFGp/mSs6QNc249ylze+WETmbMBqtD Yen6hqUyhWBpJvKSHD3SUEwPuJtGRhOtvY2jwOYU6MQBP3FN/j6sIRm41gqdWz4G4LX5 uGuzh3jr/+k39vHNaIqAkLJVc1sjmYNzlwygrgLitB7cWqQw5+lQ2B3OuYX9ifat9DxK 8Z59iM8fycS9reh8oXLViwQP70jef6VWWOVJN1UGn53KFuPnYKNsMXPl5K1ONenzNT0c qK3g== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:user-agent:message-id:references:in-reply-to :subject:cc:to:from:date:content-transfer-encoding:mime-version :sender:dkim-signature; bh=TsmWni2lFqo/KCTp9v2otaejvUeB6CXmbavuS8alcYo=; b=rm3yKZysLON/rQxejroEiWSgT052Rqf2DGYbB+ZmdsKzWFJGUhfc88TqIG9O4sHFZJ +gTxEhFKhzbkhqxuEfe83lLzAJBYRtx4nDLormi/XKIscPB0bijlA68j0uPxGxYfp2bq jkizUMWkhOrMTZU6bI1usXgXD7+ugxl+vTeheFwBy2+kmCBYfOLLUwQyyH3JtceAUws6 SX0Uw4Ss6RzaxW2mMwdmUf2He/05u3R+gtAckosR3FCdyJyGZmp5iRbOfGhBBHoW8rue JEXIaa35MdU6oZl1wA7yPcGezcxe78Q53tvjNJw8yOEasadujMuRE/HocbP0utHRIbV4 MDpA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@mg.codeaurora.org header.s=smtp header.b=aJd8YwPQ; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id x26si8333949edv.178.2021.01.18.22.17.30; Mon, 18 Jan 2021 22:18:01 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@mg.codeaurora.org header.s=smtp header.b=aJd8YwPQ; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1728756AbhASF4O (ORCPT + 99 others); Tue, 19 Jan 2021 00:56:14 -0500 Received: from m42-8.mailgun.net ([69.72.42.8]:43442 "EHLO m42-8.mailgun.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S2388458AbhASFUI (ORCPT ); Tue, 19 Jan 2021 00:20:08 -0500 X-Greylist: delayed 351 seconds by postgrey-1.27 at vger.kernel.org; Tue, 19 Jan 2021 00:19:53 EST DKIM-Signature: a=rsa-sha256; v=1; c=relaxed/relaxed; d=mg.codeaurora.org; q=dns/txt; s=smtp; t=1611033562; h=Message-ID: References: In-Reply-To: Subject: Cc: To: From: Date: Content-Transfer-Encoding: Content-Type: MIME-Version: Sender; bh=TsmWni2lFqo/KCTp9v2otaejvUeB6CXmbavuS8alcYo=; b=aJd8YwPQ07dp5pXrPp+peV4sduXBFqrTskVPVyOVfRlcn2g6anOE9MWIHV5VGHb6UdZvTkRN 2MTHzB5t4caxSaNR+lVwpQmvkftJThCUoX9vtlyZcBb4bvjRrG4dS6GPn4U4OJStbfLEIUB1 BT65b82c5qwRLU/837n2eACmegw= X-Mailgun-Sending-Ip: 69.72.42.8 X-Mailgun-Sid: WyI0MWYwYSIsICJsaW51eC1rZXJuZWxAdmdlci5rZXJuZWwub3JnIiwgImJlOWU0YSJd Received: from smtp.codeaurora.org (ec2-35-166-182-171.us-west-2.compute.amazonaws.com [35.166.182.171]) by smtp-out-n01.prod.us-east-1.postgun.com with SMTP id 60066a51ba7f868506e7285d (version=TLS1.2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256); Tue, 19 Jan 2021 05:12:49 GMT Sender: saiprakash.ranjan=codeaurora.org@mg.codeaurora.org Received: by smtp.codeaurora.org (Postfix, from userid 1001) id 82D11C43463; Tue, 19 Jan 2021 05:12:48 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-caf-mail-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-2.9 required=2.0 tests=ALL_TRUSTED,BAYES_00 autolearn=unavailable autolearn_force=no version=3.4.0 Received: from mail.codeaurora.org (localhost.localdomain [127.0.0.1]) (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) (Authenticated sender: saiprakash.ranjan) by smtp.codeaurora.org (Postfix) with ESMTPSA id 84544C433C6; Tue, 19 Jan 2021 05:12:47 +0000 (UTC) MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII; format=flowed Content-Transfer-Encoding: 7bit Date: Tue, 19 Jan 2021 10:42:47 +0530 From: Sai Prakash Ranjan To: Mattias Nissler Cc: Mathieu Poirier , Suzuki K Poulose , Mike Leach , coresight@lists.linaro.org, Stephen Boyd , Denis Nikitin , linux-arm-msm@vger.kernel.org, linux-kernel@vger.kernel.org, linux-arm-kernel@lists.infradead.org, Al Grant , leo.yan@linaro.org Subject: Re: [PATCH] coresight: etm4x: Add config to exclude kernel mode tracing In-Reply-To: References: <20201015124522.1876-1-saiprakash.ranjan@codeaurora.org> <20201015160257.GA1450102@xps15> Message-ID: <6a3a876e9877322cb46c246a86312fbe@codeaurora.org> X-Sender: saiprakash.ranjan@codeaurora.org User-Agent: Roundcube Webmail/1.3.9 Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On 2021-01-18 20:17, Mattias Nissler wrote: > On Fri, Jan 15, 2021 at 6:46 AM Sai Prakash Ranjan > wrote: >> >> Hello Mathieu, Suzuki >> >> On 2020-10-15 21:32, Mathieu Poirier wrote: >> > On Thu, Oct 15, 2020 at 06:15:22PM +0530, Sai Prakash Ranjan wrote: >> >> On production systems with ETMs enabled, it is preferred to >> >> exclude kernel mode(NS EL1) tracing for security concerns and >> >> support only userspace(NS EL0) tracing. So provide an option >> >> via kconfig to exclude kernel mode tracing if it is required. >> >> This config is disabled by default and would not affect the >> >> current configuration which has both kernel and userspace >> >> tracing enabled by default. >> >> >> > >> > One requires root access (or be part of a special trace group) to be >> > able to use >> > the cs_etm PMU. With this kind of elevated access restricting tracing >> > at EL1 >> > provides little in terms of security. >> > >> >> Apart from the VM usecase discussed, I am told there are other >> security concerns here regarding need to exclude kernel mode tracing >> even for the privileged users/root. One such case being the ability >> to analyze cryptographic code execution since ETMs can record all >> branch instructions including timestamps in the kernel and there may >> be other cases as well which I may not be aware of and hence have >> added Denis and Mattias. Please let us know if you have any questions >> further regarding this not being a security concern. > > Well, the idea that root privileges != full control over the kernel > isn't new and at the very least since lockdown became part of mainline > [1] no longer an esoteric edge case. Regarding the use case Sai hints > at (namely protection of secrets in the kernel), Matthew Garret > actually has some more thoughts about confidentiality mode for > lockdown for secret protection [2]. And thus, unless someone can make > a compelling case that instruction-level tracing will not leak secrets > held by the kernel, I think an option for the kernel to prevent itself > from being traced (even by root) is valuable. > > Finally, to sketch a practical use case scenario: Consider a system > where disk contents are encrypted and the encryption key is set up by > the user when mounting the file system. From that point on the > encryption key resides in the kernel. It seems reasonable to expect > that the disk encryption key be protected from exfiltration even if > the system later suffers a root compromise (or even against insiders > that have root access), at least as long as the attacker doesn't > manage to compromise the kernel. > > [1] https://lwn.net/Articles/796866/ > [2] https://mjg59.dreamwidth.org/55105.html > Thanks for the detailed description, it is way better put than my crude explanation. Thanks, Sai -- QUALCOMM INDIA, on behalf of Qualcomm Innovation Center, Inc. is a member of Code Aurora Forum, hosted by The Linux Foundation