Received: by 2002:a05:6a10:8c0a:0:0:0:0 with SMTP id go10csp635387pxb; Wed, 3 Mar 2021 11:19:43 -0800 (PST) X-Google-Smtp-Source: ABdhPJzbggzv6fOTcTP7iJxcp3qXpsZZKp0u7Jk3SRykORe4yB+RpFJoPazLg6dMiXS1+GW6J+g7 X-Received: by 2002:a17:906:9442:: with SMTP id z2mr354811ejx.79.1614799183042; Wed, 03 Mar 2021 11:19:43 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1614799183; cv=none; d=google.com; s=arc-20160816; b=QZrku1OG5crmqbGxkV9dAA5oR5ArotNjx+rF9qztE2PV2YNJ0/+XKXyUIsZQ6UbH9s JBYRO+jqdKjjrzBVvpo4IF2bdKZsmLL+AL3qrIM97lJ8Hn7H2L/Kh7VTDqALoKkPWh9C ahCSdiSZgcNIAH+VH91Ba0EQa9IKpQoUXfSXuWBOKxsX1qG/q2cp2ocyVXFdXlszDAYa rYmVf+433ZZzlPKeFNOp5iO3MjGYY8sPwf1KiOvBE6x0SObPHXy4Xwe3cOA+F3NSkR5j luAMv9jsGGnlsIYK3U5P8dEm5cMszRKF6yTPYP0oqjVCS3c9Z05iLHBOQGvOzYKUSZKk GqFw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :message-id:date:subject:cc:to:from:dmarc-filter:sender :dkim-signature; bh=TvkfVde19wsy/9yIspcvXBHomEB+eqMNq0i1mBuIphk=; b=PZh2acLtUuZy10kW4N7R7gw3fctZaKJVLlJ2s0krhkZxFvaT4MzxyR2CLu0SRKZz7G 1Ow6mw4f3UiCo+mql8P5QqQEISu+DuScmFTJx8GQkV6SJp8tikoQSN8mCfL0ERj951Md seh7ZjaBLE+xgXWamk6CGJakzH0UtudOkOIkWw9EcEm56xTtrwktaE5IH7VxsC/HkYK5 jnKvcv9lk4/fdB+GaE9BgZT1oyU2kk8cLtgkjr5oD0WFxcWg6PuF7ER+dPqGe1NwyLrT MEGUiDhgCQ+NBeiGz5XXEL43WZz/aiied4JLVgLumoYpjhp2P/86683NU0H466FM6U0d t7Yg== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@mg.codeaurora.org header.s=smtp header.b=j5emB1NC; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id bf1si8816835edb.359.2021.03.03.11.18.59; Wed, 03 Mar 2021 11:19:43 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@mg.codeaurora.org header.s=smtp header.b=j5emB1NC; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S240320AbhCBBSw (ORCPT + 99 others); Mon, 1 Mar 2021 20:18:52 -0500 Received: from m42-2.mailgun.net ([69.72.42.2]:27629 "EHLO m42-2.mailgun.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S240900AbhCATFq (ORCPT ); Mon, 1 Mar 2021 14:05:46 -0500 DKIM-Signature: a=rsa-sha256; v=1; c=relaxed/relaxed; d=mg.codeaurora.org; q=dns/txt; s=smtp; t=1614625520; h=Content-Transfer-Encoding: MIME-Version: Message-Id: Date: Subject: Cc: To: From: Sender; bh=TvkfVde19wsy/9yIspcvXBHomEB+eqMNq0i1mBuIphk=; b=j5emB1NC2zgUZ5qJSnfu7Uk/aH+PAhrT9l0WhqbQaBWD+21hFsb1cT+cTwda7thEFrGMRlxk Lce2m5+kOFb1KwzwoHZ2e8FAIal1rbOqkYceRPcoNa6dA+eEolyKbwdPOje6ZMrm0atDt/j4 1Le2sVTQ4knZDYOAqjocH1FmTTI= X-Mailgun-Sending-Ip: 69.72.42.2 X-Mailgun-Sid: WyI0MWYwYSIsICJsaW51eC1rZXJuZWxAdmdlci5rZXJuZWwub3JnIiwgImJlOWU0YSJd Received: from smtp.codeaurora.org (ec2-35-166-182-171.us-west-2.compute.amazonaws.com [35.166.182.171]) by smtp-out-n03.prod.us-east-1.postgun.com with SMTP id 603d3acd1defdc70ae2b9b02 (version=TLS1.2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256); Mon, 01 Mar 2021 19:04:45 GMT Sender: saiprakash.ranjan=codeaurora.org@mg.codeaurora.org Received: by smtp.codeaurora.org (Postfix, from userid 1001) id 9CEDAC43469; Mon, 1 Mar 2021 19:04:44 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-caf-mail-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-2.9 required=2.0 tests=ALL_TRUSTED,BAYES_00,SPF_FAIL autolearn=no autolearn_force=no version=3.4.0 Received: from blr-ubuntu-253.qualcomm.com (blr-bdr-fw-01_GlobalNAT_AllZones-Outside.qualcomm.com [103.229.18.19]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-SHA256 (128/128 bits)) (No client certificate requested) (Authenticated sender: saiprakash.ranjan) by smtp.codeaurora.org (Postfix) with ESMTPSA id D9675C433C6; Mon, 1 Mar 2021 19:04:37 +0000 (UTC) DMARC-Filter: OpenDMARC Filter v1.3.2 smtp.codeaurora.org D9675C433C6 Authentication-Results: aws-us-west-2-caf-mail-1.web.codeaurora.org; dmarc=none (p=none dis=none) header.from=codeaurora.org Authentication-Results: aws-us-west-2-caf-mail-1.web.codeaurora.org; spf=fail smtp.mailfrom=saiprakash.ranjan@codeaurora.org From: Sai Prakash Ranjan To: Mathieu Poirier , Suzuki K Poulose , Mike Leach , Peter Zijlstra , Ingo Molnar , Arnaldo Carvalho de Melo , Mark Rutland , Alexander Shishkin , Leo Yan Cc: Jiri Olsa , Namhyung Kim , coresight@lists.linaro.org, Stephen Boyd , Denis Nikitin , Mattias Nissler , Al Grant , linux-arm-msm@vger.kernel.org, linux-kernel@vger.kernel.org, linux-arm-kernel@lists.infradead.org, Douglas Anderson , Sai Prakash Ranjan Subject: [PATCHv2 0/4] perf/core: Add support to exclude kernel mode PMU tracing Date: Tue, 2 Mar 2021 00:34:14 +0530 Message-Id: X-Mailer: git-send-email 2.29.0 MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Hardware assisted tracing families such as ARM Coresight, Intel PT provides rich tracing capabilities including instruction level tracing and accurate timestamps which are very useful for profiling and also pose a significant security risk. One such example of security risk is when kernel mode tracing is not excluded and these hardware assisted tracing can be used to analyze cryptographic code execution. In this case, even the root user must not be able to infer anything. To explain it more clearly in the words of a security team member (credits: Mattias Nissler), "Consider a system where disk contents are encrypted and the encryption key is set up by the user when mounting the file system. From that point on the encryption key resides in the kernel. It seems reasonable to expect that the disk encryption key be protected from exfiltration even if the system later suffers a root compromise (or even against insiders that have root access), at least as long as the attacker doesn't manage to compromise the kernel." Here the idea is to protect such important information from all users including root users since root privileges does not have to mean full control over the kernel [1] and root compromise does not have to be the end of the world. But "Peter said even the regular counters can be used for full branch trace, the information isn't as accurate as PT and friends and not easier but is good enough to infer plenty". This would mean that a global tunable config for all kernel mode pmu tracing is more appropriate than the one targeting the hardware assisted instruction tracing. Currently we can exclude kernel mode tracing via perf_event_paranoid sysctl but it has following limitations, * No option to restrict kernel mode instruction tracing by the root user. * Not possible to restrict kernel mode instruction tracing when the hardware assisted tracing IPs like ARM Coresight ETMs use an additional interface via sysfs for tracing in addition to perf interface. So introduce a new config CONFIG_EXCLUDE_KERNEL_PMU_TRACE to exclude kernel mode pmu tracing for all users including root which will be generic and applicable to all hardware tracing families and which can also be used with other interfaces like sysfs in case of ETMs. Patch 1 adds this new config and the support in perf core to exclude all kernel mode PMU tracing. Patch 2 adds the perf evsel warning message when the perf tool users attempt to perform a kernel mode trace with the config enabled to exclude the kernel mode tracing. Patch 3 and Patch 4 adds the support for excluding kernel mode for ARM Coresight ETM{4,3}XX sysfs mode using the newly introduced generic config. [1] https://lwn.net/Articles/796866/ Changes in v2: * Move from kernel mode instruction tracing to all kernel level PMU tracing (Peter) * Move the check and warning to the caller mode_store() (Doug) Sai Prakash Ranjan (4): perf/core: Add support to exclude kernel mode PMU tracing perf evsel: Print warning for excluding kernel mode instruction tracing coresight: etm4x: Add support to exclude kernel mode tracing coresight: etm3x: Add support to exclude kernel mode tracing drivers/hwtracing/coresight/coresight-etm3x-core.c | 3 +++ drivers/hwtracing/coresight/coresight-etm3x-sysfs.c | 6 ++++++ drivers/hwtracing/coresight/coresight-etm4x-core.c | 6 +++++- drivers/hwtracing/coresight/coresight-etm4x-sysfs.c | 6 ++++++ init/Kconfig | 11 +++++++++++ kernel/events/core.c | 3 +++ tools/perf/util/evsel.c | 3 ++- 7 files changed, 36 insertions(+), 2 deletions(-) -- QUALCOMM INDIA, on behalf of Qualcomm Innovation Center, Inc. is a member of Code Aurora Forum, hosted by The Linux Foundation