Received: by 2002:a05:6a10:8c0a:0:0:0:0 with SMTP id go10csp2592524pxb; Tue, 19 Jan 2021 00:42:23 -0800 (PST) X-Google-Smtp-Source: ABdhPJxjvanW4eBTvKjItrwTyab2QM4uQTNBnzvhQhh22rTU0PL6ENRc5vKBQLMxyEse9RN8Ccm+ X-Received: by 2002:a17:906:99c5:: with SMTP id s5mr2322630ejn.236.1611045743511; Tue, 19 Jan 2021 00:42:23 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1611045743; cv=none; d=google.com; s=arc-20160816; b=zQ+43xHyguadDy+UZ9HYX5aRxIzpBzyHPc6DCDXaX2p4buVePfXFnrr008Aa7bPC6A dM3MpE/hVh277GaaSn60lIuO2xadCBaG5ztuRfsYY5OVBebtIwJlDde9nWKwQnUuIXD/ lXnYMtXFEmdQN98S5BtFaEMDfTbiV67qqBPAn4fsVz4yLydrqmwnHYUF80Ltyos7SV9I 07TujPdIQNsbBibDvtsT8SlH0mxnH/gG3qvTZLDUOESqoJ7fZvqCDbge66ldm0Y5zqD1 Si9+wIq7aqNkjUgbyeJK9QUpRkBeFWLmfvWMybjg29gpXGe6Iv6s6G5XHgPE19VTbGKW WsLg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:user-agent:message-id:references:in-reply-to :subject:cc:to:from:date:content-transfer-encoding:mime-version :sender:dkim-signature; bh=owAz9SChLf2AQ/0SsPcDtcQ+DGoWx6RjBqzLaNzFg1M=; b=UDWe3rvY6XALZuJYuVAApV9eVy6XJYzmhPcICVk8MwcswiGgcVVGbE0qlRvB0POZl3 tLQQcT7TzL5HLh2RXXZdlzPHGug7p6hF6BHT5o2cHIsDuSl+ntQIMT8gwjZJbGm9AkP4 pqaOl5fqFbqHQM9YVGZRf4yHAT+pPJ5T6oeVwSAPdZtisZD7GM5TQG4cw0aTYDOv15Fg JwzIOza916m6hf66G0e+jxjA/8PeNr53LIlsPAQQAPNO4f03SsmpZGUd1FQTQjtY/ap8 +Ah8yedjVJT/mkMeWA/PfdOoEXvsE9tTvs0Q5YK3P6/yLOTIB5AGYr2XfxggQ+GuieAU GrQA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@mg.codeaurora.org header.s=smtp header.b="iBa/+hXo"; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id l20si2299382eds.502.2021.01.19.00.41.59; Tue, 19 Jan 2021 00:42:23 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@mg.codeaurora.org header.s=smtp header.b="iBa/+hXo"; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1729993AbhASIkc (ORCPT + 99 others); Tue, 19 Jan 2021 03:40:32 -0500 Received: from a1.mail.mailgun.net ([198.61.254.60]:34877 "EHLO a1.mail.mailgun.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1732835AbhASFWR (ORCPT ); Tue, 19 Jan 2021 00:22:17 -0500 DKIM-Signature: a=rsa-sha256; v=1; c=relaxed/relaxed; d=mg.codeaurora.org; q=dns/txt; s=smtp; t=1611033702; h=Message-ID: References: In-Reply-To: Subject: Cc: To: From: Date: Content-Transfer-Encoding: Content-Type: MIME-Version: Sender; bh=owAz9SChLf2AQ/0SsPcDtcQ+DGoWx6RjBqzLaNzFg1M=; b=iBa/+hXoa7E94qtbbKDHYPBUsEiamcJTgP7XEh0e3zbs+L6C7uWJkod2s4y9MP/50/0AhHIW JmBBvwjd615BOcfhAEJgj5Ubg+WgINCj+NQh18tNI2eB6KY06WsPpSNgShwmlJ7cGnTBg+aL LbeU4hilQ8EvrT0TLgDVeap0doE= X-Mailgun-Sending-Ip: 198.61.254.60 X-Mailgun-Sid: WyI0MWYwYSIsICJsaW51eC1rZXJuZWxAdmdlci5rZXJuZWwub3JnIiwgImJlOWU0YSJd Received: from smtp.codeaurora.org (ec2-35-166-182-171.us-west-2.compute.amazonaws.com [35.166.182.171]) by smtp-out-n01.prod.us-east-1.postgun.com with SMTP id 60066c49ba7f868506ea07ba (version=TLS1.2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256); Tue, 19 Jan 2021 05:21:13 GMT Sender: saiprakash.ranjan=codeaurora.org@mg.codeaurora.org Received: by smtp.codeaurora.org (Postfix, from userid 1001) id 602E9C43463; Tue, 19 Jan 2021 05:21:12 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-caf-mail-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-2.9 required=2.0 tests=ALL_TRUSTED,BAYES_00 autolearn=unavailable autolearn_force=no version=3.4.0 Received: from mail.codeaurora.org (localhost.localdomain [127.0.0.1]) (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) (Authenticated sender: saiprakash.ranjan) by smtp.codeaurora.org (Postfix) with ESMTPSA id C3A71C433ED; Tue, 19 Jan 2021 05:21:11 +0000 (UTC) MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII; format=flowed Content-Transfer-Encoding: 7bit Date: Tue, 19 Jan 2021 10:51:11 +0530 From: Sai Prakash Ranjan To: Mathieu Poirier Cc: Suzuki K Poulose , Mike Leach , coresight@lists.linaro.org, Stephen Boyd , Denis Nikitin , linux-arm-msm@vger.kernel.org, linux-kernel@vger.kernel.org, linux-arm-kernel@lists.infradead.org, Al Grant , leo.yan@linaro.org, mnissler@google.com Subject: Re: [PATCH] coresight: etm4x: Add config to exclude kernel mode tracing In-Reply-To: <20210118202354.GC464579@xps15> References: <20201015124522.1876-1-saiprakash.ranjan@codeaurora.org> <20201015160257.GA1450102@xps15> <20210118202354.GC464579@xps15> Message-ID: <32216e9fa5c9ffb9df1123792d40eafb@codeaurora.org> X-Sender: saiprakash.ranjan@codeaurora.org User-Agent: Roundcube Webmail/1.3.9 Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Hi Mathieu, On 2021-01-19 01:53, Mathieu Poirier wrote: > On Fri, Jan 15, 2021 at 11:16:24AM +0530, Sai Prakash Ranjan wrote: >> Hello Mathieu, Suzuki >> >> On 2020-10-15 21:32, Mathieu Poirier wrote: >> > On Thu, Oct 15, 2020 at 06:15:22PM +0530, Sai Prakash Ranjan wrote: >> > > On production systems with ETMs enabled, it is preferred to >> > > exclude kernel mode(NS EL1) tracing for security concerns and >> > > support only userspace(NS EL0) tracing. So provide an option >> > > via kconfig to exclude kernel mode tracing if it is required. >> > > This config is disabled by default and would not affect the >> > > current configuration which has both kernel and userspace >> > > tracing enabled by default. >> > > >> > >> > One requires root access (or be part of a special trace group) to be >> > able to use >> > the cs_etm PMU. With this kind of elevated access restricting tracing >> > at EL1 >> > provides little in terms of security. >> > >> >> Apart from the VM usecase discussed, I am told there are other >> security concerns here regarding need to exclude kernel mode tracing >> even for the privileged users/root. One such case being the ability >> to analyze cryptographic code execution since ETMs can record all >> branch instructions including timestamps in the kernel and there may >> be other cases as well which I may not be aware of and hence have >> added Denis and Mattias. Please let us know if you have any questions >> further regarding this not being a security concern. > > Even if we were to apply this patch there are many ways to compromise a > system > or get the kernel to reveal important information using the perf > subsystem. I > would perfer to tackle the problem at that level rather than > concentrating on > coresight. > Sorry but I did not understand your point. We are talking about the capabilities of coresight etm tracing which has the instruction level tracing and a lot more. Perf subsystem is just the framework used for it. In other words, its not the perf subsystem which does instruction level tracing, its the coresight etm. Why the perf subsystem should be modified to lockdown kernel mode? If we were to let perf handle all the trace filtering for different exception levels, then why do we need the register settings in coresight etm driver to filter out NS EL* tracing? And more importantly, how do you suppose we handle sysfs mode of coresight tracing with perf subsystem? Thanks, Sai -- QUALCOMM INDIA, on behalf of Qualcomm Innovation Center, Inc. is a member of Code Aurora Forum, hosted by The Linux Foundation