Received: by 2002:a05:6a10:8c0a:0:0:0:0 with SMTP id go10csp635387pxb;
        Wed, 3 Mar 2021 11:19:43 -0800 (PST)
X-Google-Smtp-Source: ABdhPJzbggzv6fOTcTP7iJxcp3qXpsZZKp0u7Jk3SRykORe4yB+RpFJoPazLg6dMiXS1+GW6J+g7
X-Received: by 2002:a17:906:9442:: with SMTP id z2mr354811ejx.79.1614799183042;
        Wed, 03 Mar 2021 11:19:43 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1614799183; cv=none;
        d=google.com; s=arc-20160816;
        b=QZrku1OG5crmqbGxkV9dAA5oR5ArotNjx+rF9qztE2PV2YNJ0/+XKXyUIsZQ6UbH9s
         JBYRO+jqdKjjrzBVvpo4IF2bdKZsmLL+AL3qrIM97lJ8Hn7H2L/Kh7VTDqALoKkPWh9C
         ahCSdiSZgcNIAH+VH91Ba0EQa9IKpQoUXfSXuWBOKxsX1qG/q2cp2ocyVXFdXlszDAYa
         rYmVf+433ZZzlPKeFNOp5iO3MjGYY8sPwf1KiOvBE6x0SObPHXy4Xwe3cOA+F3NSkR5j
         luAMv9jsGGnlsIYK3U5P8dEm5cMszRKF6yTPYP0oqjVCS3c9Z05iLHBOQGvOzYKUSZKk
         GqFw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:content-transfer-encoding:mime-version
         :message-id:date:subject:cc:to:from:dmarc-filter:sender
         :dkim-signature;
        bh=TvkfVde19wsy/9yIspcvXBHomEB+eqMNq0i1mBuIphk=;
        b=PZh2acLtUuZy10kW4N7R7gw3fctZaKJVLlJ2s0krhkZxFvaT4MzxyR2CLu0SRKZz7G
         1Ow6mw4f3UiCo+mql8P5QqQEISu+DuScmFTJx8GQkV6SJp8tikoQSN8mCfL0ERj951Md
         seh7ZjaBLE+xgXWamk6CGJakzH0UtudOkOIkWw9EcEm56xTtrwktaE5IH7VxsC/HkYK5
         jnKvcv9lk4/fdB+GaE9BgZT1oyU2kk8cLtgkjr5oD0WFxcWg6PuF7ER+dPqGe1NwyLrT
         MEGUiDhgCQ+NBeiGz5XXEL43WZz/aiied4JLVgLumoYpjhp2P/86683NU0H466FM6U0d
         t7Yg==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@mg.codeaurora.org header.s=smtp header.b=j5emB1NC;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18])
        by mx.google.com with ESMTP id bf1si8816835edb.359.2021.03.03.11.18.59;
        Wed, 03 Mar 2021 11:19:43 -0800 (PST)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@mg.codeaurora.org header.s=smtp header.b=j5emB1NC;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S240320AbhCBBSw (ORCPT <rfc822;luizmacielfranco@gmail.com>
        + 99 others); Mon, 1 Mar 2021 20:18:52 -0500
Received: from m42-2.mailgun.net ([69.72.42.2]:27629 "EHLO m42-2.mailgun.net"
        rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
        id S240900AbhCATFq (ORCPT <rfc822;linux-kernel@vger.kernel.org>);
        Mon, 1 Mar 2021 14:05:46 -0500
DKIM-Signature: a=rsa-sha256; v=1; c=relaxed/relaxed; d=mg.codeaurora.org; q=dns/txt;
 s=smtp; t=1614625520; h=Content-Transfer-Encoding: MIME-Version:
 Message-Id: Date: Subject: Cc: To: From: Sender;
 bh=TvkfVde19wsy/9yIspcvXBHomEB+eqMNq0i1mBuIphk=; b=j5emB1NC2zgUZ5qJSnfu7Uk/aH+PAhrT9l0WhqbQaBWD+21hFsb1cT+cTwda7thEFrGMRlxk
 Lce2m5+kOFb1KwzwoHZ2e8FAIal1rbOqkYceRPcoNa6dA+eEolyKbwdPOje6ZMrm0atDt/j4
 1Le2sVTQ4knZDYOAqjocH1FmTTI=
X-Mailgun-Sending-Ip: 69.72.42.2
X-Mailgun-Sid: WyI0MWYwYSIsICJsaW51eC1rZXJuZWxAdmdlci5rZXJuZWwub3JnIiwgImJlOWU0YSJd
Received: from smtp.codeaurora.org
 (ec2-35-166-182-171.us-west-2.compute.amazonaws.com [35.166.182.171]) by
 smtp-out-n03.prod.us-east-1.postgun.com with SMTP id
 603d3acd1defdc70ae2b9b02 (version=TLS1.2,
 cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256); Mon, 01 Mar 2021 19:04:45
 GMT
Sender: saiprakash.ranjan=codeaurora.org@mg.codeaurora.org
Received: by smtp.codeaurora.org (Postfix, from userid 1001)
        id 9CEDAC43469; Mon,  1 Mar 2021 19:04:44 +0000 (UTC)
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
        aws-us-west-2-caf-mail-1.web.codeaurora.org
X-Spam-Level: 
X-Spam-Status: No, score=-2.9 required=2.0 tests=ALL_TRUSTED,BAYES_00,SPF_FAIL
        autolearn=no autolearn_force=no version=3.4.0
Received: from blr-ubuntu-253.qualcomm.com (blr-bdr-fw-01_GlobalNAT_AllZones-Outside.qualcomm.com [103.229.18.19])
        (using TLSv1.2 with cipher ECDHE-RSA-AES128-SHA256 (128/128 bits))
        (No client certificate requested)
        (Authenticated sender: saiprakash.ranjan)
        by smtp.codeaurora.org (Postfix) with ESMTPSA id D9675C433C6;
        Mon,  1 Mar 2021 19:04:37 +0000 (UTC)
DMARC-Filter: OpenDMARC Filter v1.3.2 smtp.codeaurora.org D9675C433C6
Authentication-Results: aws-us-west-2-caf-mail-1.web.codeaurora.org; dmarc=none (p=none dis=none) header.from=codeaurora.org
Authentication-Results: aws-us-west-2-caf-mail-1.web.codeaurora.org; spf=fail smtp.mailfrom=saiprakash.ranjan@codeaurora.org
From:   Sai Prakash Ranjan <saiprakash.ranjan@codeaurora.org>
To:     Mathieu Poirier <mathieu.poirier@linaro.org>,
        Suzuki K Poulose <suzuki.poulose@arm.com>,
        Mike Leach <mike.leach@linaro.org>,
        Peter Zijlstra <peterz@infradead.org>,
        Ingo Molnar <mingo@redhat.com>,
        Arnaldo Carvalho de Melo <acme@kernel.org>,
        Mark Rutland <mark.rutland@arm.com>,
        Alexander Shishkin <alexander.shishkin@linux.intel.com>,
        Leo Yan <leo.yan@linaro.org>
Cc:     Jiri Olsa <jolsa@redhat.com>, Namhyung Kim <namhyung@kernel.org>,
        coresight@lists.linaro.org, Stephen Boyd <swboyd@chromium.org>,
        Denis Nikitin <denik@chromium.org>,
        Mattias Nissler <mnissler@chromium.org>,
        Al Grant <al.grant@arm.com>, linux-arm-msm@vger.kernel.org,
        linux-kernel@vger.kernel.org, linux-arm-kernel@lists.infradead.org,
        Douglas Anderson <dianders@chromium.org>,
        Sai Prakash Ranjan <saiprakash.ranjan@codeaurora.org>
Subject: [PATCHv2 0/4] perf/core: Add support to exclude kernel mode PMU tracing 
Date:   Tue,  2 Mar 2021 00:34:14 +0530
Message-Id: <cover.1614624041.git.saiprakash.ranjan@codeaurora.org>
X-Mailer: git-send-email 2.29.0
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

Hardware assisted tracing families such as ARM Coresight, Intel PT
provides rich tracing capabilities including instruction level
tracing and accurate timestamps which are very useful for profiling
and also pose a significant security risk. One such example of
security risk is when kernel mode tracing is not excluded and these
hardware assisted tracing can be used to analyze cryptographic code
execution. In this case, even the root user must not be able to infer
anything.

To explain it more clearly in the words of a security team member
(credits: Mattias Nissler),

"Consider a system where disk contents are encrypted and the encryption
key is set up by the user when mounting the file system. From that point
on the encryption key resides in the kernel. It seems reasonable to
expect that the disk encryption key be protected from exfiltration even
if the system later suffers a root compromise (or even against insiders
that have root access), at least as long as the attacker doesn't
manage to compromise the kernel."

Here the idea is to protect such important information from all users
including root users since root privileges does not have to mean full
control over the kernel [1] and root compromise does not have to be
the end of the world.

But "Peter said even the regular counters can be used for full branch trace,
the information isn't as accurate as PT and friends and not easier but
is good enough to infer plenty". This would mean that a global tunable
config for all kernel mode pmu tracing is more appropriate than the one
targeting the hardware assisted instruction tracing.

Currently we can exclude kernel mode tracing via perf_event_paranoid
sysctl but it has following limitations,

 * No option to restrict kernel mode instruction tracing by the
   root user.
 * Not possible to restrict kernel mode instruction tracing when the
   hardware assisted tracing IPs like ARM Coresight ETMs use an
   additional interface via sysfs for tracing in addition to perf
   interface.

So introduce a new config CONFIG_EXCLUDE_KERNEL_PMU_TRACE to exclude
kernel mode pmu tracing for all users including root which will be
generic and applicable to all hardware tracing families and which
can also be used with other interfaces like sysfs in case of ETMs.

Patch 1 adds this new config and the support in perf core to exclude
all kernel mode PMU tracing.

Patch 2 adds the perf evsel warning message when the perf tool users
attempt to perform a kernel mode trace with the config enabled to
exclude the kernel mode tracing.

Patch 3 and Patch 4 adds the support for excluding kernel mode for
ARM Coresight ETM{4,3}XX sysfs mode using the newly introduced generic
config.

[1] https://lwn.net/Articles/796866/

Changes in v2:
 * Move from kernel mode instruction tracing to all kernel level PMU tracing (Peter)
 * Move the check and warning to the caller mode_store() (Doug)

Sai Prakash Ranjan (4):
  perf/core: Add support to exclude kernel mode PMU tracing
  perf evsel: Print warning for excluding kernel mode instruction
    tracing
  coresight: etm4x: Add support to exclude kernel mode tracing
  coresight: etm3x: Add support to exclude kernel mode tracing

 drivers/hwtracing/coresight/coresight-etm3x-core.c  |  3 +++
 drivers/hwtracing/coresight/coresight-etm3x-sysfs.c |  6 ++++++
 drivers/hwtracing/coresight/coresight-etm4x-core.c  |  6 +++++-
 drivers/hwtracing/coresight/coresight-etm4x-sysfs.c |  6 ++++++
 init/Kconfig                                        | 11 +++++++++++
 kernel/events/core.c                                |  3 +++
 tools/perf/util/evsel.c                             |  3 ++-
 7 files changed, 36 insertions(+), 2 deletions(-)

-- 
QUALCOMM INDIA, on behalf of Qualcomm Innovation Center, Inc. is a member
of Code Aurora Forum, hosted by The Linux Foundation